Security
Security allows Inigo's users to enforce security controls before they reach your GraphQL server. Inigo's security enforcement allows you to mitigate Denial of Service attacks, as well as the abuse of your API which could overwhelm your application's resources.
Sample Config
security.yaml
kind: Security
name: demo
label: starwars
spec:
profiles:
- name: guest
require_operation_name: true
max_depth: 3
max_height: 9
max_directives: 5
max_request_size_bytes: 512000
max_response_size_bytes: 2048000
- name: user
max_depth: 20
max_height: 20
max_request_size_bytes: 512000
max_response_size_bytes: 2048000
- name: admin
max_request_size_bytes: 512000
max_response_size_bytes: 2048000
Spec
This section defines the format of Inigo's Security
type configuration files. Fields marked as required
must be specified if the parent is defined.
Field | Type | Description |
---|---|---|
validation | ValidationConfig | |
allow_http_get_operations | boolean default:true | Clients are allowed to query GraphQL using HTTP GET (in addition to HTTP POST). |
profile_default_values | SecurityProfileDefaultValues | |
profiles | [SecurityProfile] |
ValidationConfig
Field | Type | Description |
---|---|---|
schema_directive_path_min_length | string | Path to directive argument, which is used to specify min length string constraint. Supported locations: ARGUMENT_DEFINITION, INPUT_FIELD_DEFINITION. Example: @constraint.min |
schema_directive_path_max_length | string | Path to directive argument, which is used to specify max length string constraint. Supported locations: ARGUMENT_DEFINITION, INPUT_FIELD_DEFINITION. Example: @constraint.max |
schema_directive_path_pattern | string | Path to directive argument, which is used to specify regex for string to be compliant with. Supported locations: ARGUMENT_DEFINITION, INPUT_FIELD_DEFINITION. Example: @constraint.pattern |
alias_name | string | Regular expression to validate query alias names. |
directive_name | string | Regular expression to validate query directive names. |
operation_name | string | Regular expression to validate the operation name. |
input_field | [ValidateInputField] | Validation rules for input fields |
argument | [ValidateArgument] | Validation rules for arguments |
ArgumentsValidationConfig
Field | Type | Description |
---|---|---|
String | string | Regular expression to validate GraphQL query arguments of String type. |
ValidateInputField
Field | Type | Description |
---|---|---|
type | string | |
field | string | |
min_length | int | |
max_length | int | |
pattern | string |
ValidateArgument
Field | Type | Description |
---|---|---|
type | string | |
field | string | |
arg | string | |
min_length | int | |
max_length | int | |
pattern | string |
SecurityProfileDefaultValues
Field | Type | Description |
---|---|---|
max_depth | int | Maximum length limit for queries. |
max_height | int | Maximum query height limit for queries. |
max_directives | int | Maximum number of query directives allowed in a query (both existent and non-existent query directives). |
max_request_size_bytes | int | Maximum client request size allowed in bytes. |
max_response_size_bytes | int | Maximum server response size allowed in bytes. |
max_root_queries | int | Number of allowed root queries in a single query. |
max_root_mutations | int | Number of allowed root mutations in a single query. |
require_operation_name | boolean | Requires queries to have an operation name set. |
require_fields | object | Mandates the use of specific fields when some type is used in a query. require_fields: User: [ name, email ] |
require_id_fields | boolean | Requires query selection sets to have an id field where it exists. |
max_aliases | int | Maximum allowed aliased fields in a query. |
SecurityProfile
Field | Type | Description |
---|---|---|
Name | string required | Name of the profile. |
max_depth | int | Maximum length limit for queries. |
max_height | int | Maximum query height limit for queries. |
max_directives | int | Maximum number of query directives allowed in a query (both existent and non-existent query directives). |
max_request_size_bytes | int | Maximum client request size allowed in bytes. |
max_response_size_bytes | int | Maximum server response size allowed in bytes. |
max_root_queries | int | Number of allowed root queries in a single query. |
max_root_mutations | int | Number of allowed root mutations in a single query. |
require_operation_name | boolean | Requires queries to have an operation name set. |
require_fields | object | Mandates the use of specific fields when some type is used in a query. require_fields: User: [ name, email ] |
require_id_fields | boolean | Requires query selection sets to have an id field where it exists. |
max_aliases | int | Maximum allowed aliased fields in a query. |