Skip to main content Link Search Menu Expand Document (external link)

Table of Contents

Security

Security allows Inigo’s users to enforce security controls before they reach your GraphQL server. Inigo’s security enforcement allows you to mitigate Denial of Service attacks, as well as the abuse of your API which could overwhelm your application’s resources.


This section defines the format of Inigo’s Security type configuration files. Fields marked as required must be specified if the parent is defined.

Validation

Field Type Required Description
validation.alias_name string No Regular expression to validate query alias names.
validation.directive_name string No Regular expression to validate query directive names.
validation.operation_name string No Regular expression to validate the operation name.
validation.arguments object No Regular expression to validate GraphQL query arguments of String type. For example: String:^[a-zA-Z]+$.

Profiles

Field Type Required Description
profiles[_].name string Yes The name of the profile.
profiles[_].max_depth int No (default: unlimited) Maximum length limit for queries.
profiles[_].max_height int No (default: unlimited) Maximum query height limit for queries.
profiles[_].max_directives int No (default: unlimited) Maximum number of query directives allowed in a query (both existent and non-existent query directives).
profiles[_].max_aliases int No (default: unlimited) Maximum allowed aliased fields in a query.
profiles[_].max_request_size_bytes int No (default: 512000 bytes) Maximum client request size allowed in bytes.
profiles[_].max_response_size_bytes int No (default: 2048000 bytes) Maximum server response size allowed in bytes.
profiles[_].max_root_queries int No (default: unlimited) Number of allowed root queries in a single query.
profiles[_].max_root_mutations int No (default: unlimited) Number of allowed root mutations in a single query.
profiles[_].allow_http_get_operations boolean No (default: true) Clients are allowed to query GraphQL using HTTP GET (in addition to HTTP POST)
profiles[_].require_operation_name boolean No (default: true) Requires queries to have an operation name set.
profiles[_].require_fields array[object] No (default: null) Mandates the use of specific fields when some type is used in a query. For example, User: [name,email].
profiles[_].require_id_fields boolean No (default: false) Requires query selection sets to have an id field where it exists.

The Security configuration below is an example config that does regex-based validation, as well as applies security features on the guest profile

kind: Security
name: demo
label: starwars
spec:
  validation:
    alias_name: ^[a-zA-Z]+$
    directive_name: ^[a-zA-Z]+$
    operation_name: ^[a-zA-Z]+$
    arguments:
      string: ^[a-zA-Z]+$

  profile_default_values:
    max_depth: 3

  profiles:
    - name: guest
      max_depth: 3
      max_height: 9
      max_directives: 5
      max_request_size_bytes: 512000
      max_response_size_bytes: 2048000
      max_root_queries: null
      max_root_mutations: null
      require_operation_name: true
      allow_http_get_operations: false

    - name: admin
      max_depth: 5
      max_height: 100
      max_directives: null
      max_request_size_bytes: 512000
      max_response_size_bytes: 2048000
      max_root_queries: null
      max_root_mutations: null
      require_operation_name: false
      require_id_fields: false
      require_fields:
        User: [name, email]

Profile Default Values

All toggles from the Profiles section can be applied using a default profile by specifying the profile_default_values property, as shown below.

Field Type Required Description
profile_default_values object No Default security profile configuration settings.