Skip to main content

Security

Security allows Inigo's users to enforce security controls before they reach your GraphQL server. Inigo's security enforcement allows you to mitigate Denial of Service attacks, as well as the abuse of your API which could overwhelm your application's resources.


Sample Config

security.yaml
kind: Security
name: demo
label: starwars
spec:
profiles:
- name: guest
require_operation_name: true
max_depth: 3
max_height: 9
max_directives: 5

max_request_size_bytes: 512000
max_response_size_bytes: 2048000

- name: user
max_depth: 20
max_height: 20
max_request_size_bytes: 512000
max_response_size_bytes: 2048000

- name: admin
max_request_size_bytes: 512000
max_response_size_bytes: 2048000

Spec

This section defines the format of Inigo's Security type configuration files. Fields marked as required must be specified if the parent is defined.

FieldTypeDescription
validationValidationConfig
allow_http_get_operationsboolean default:trueClients are allowed to query GraphQL using HTTP GET (in addition to HTTP POST).
profile_default_valuesSecurityProfileDefaultValues
profiles[SecurityProfile]

ValidationConfig

FieldTypeDescription
schema_directive_path_min_lengthstringPath to directive argument, which is used to specify min length string constraint. Supported locations: ARGUMENT_DEFINITION, INPUT_FIELD_DEFINITION. Example: @constraint.min
schema_directive_path_max_lengthstringPath to directive argument, which is used to specify max length string constraint. Supported locations: ARGUMENT_DEFINITION, INPUT_FIELD_DEFINITION. Example: @constraint.max
schema_directive_path_patternstringPath to directive argument, which is used to specify regex for string to be compliant with. Supported locations: ARGUMENT_DEFINITION, INPUT_FIELD_DEFINITION. Example: @constraint.pattern
alias_namestringRegular expression to validate query alias names.
directive_namestringRegular expression to validate query directive names.
operation_namestringRegular expression to validate the operation name.
input_field[ValidateInputField]Validation rules for input fields
argument[ValidateArgument]Validation rules for arguments

ArgumentsValidationConfig

FieldTypeDescription
StringstringRegular expression to validate GraphQL query arguments of String type.

ValidateInputField

FieldTypeDescription
typestring
fieldstring
min_lengthint
max_lengthint
patternstring

ValidateArgument

FieldTypeDescription
typestring
fieldstring
argstring
min_lengthint
max_lengthint
patternstring

SecurityProfileDefaultValues

FieldTypeDescription
max_depthintMaximum length limit for queries.
max_heightintMaximum query height limit for queries.
max_directivesintMaximum number of query directives allowed in a query (both existent and non-existent query directives).
max_request_size_bytesintMaximum client request size allowed in bytes.
max_response_size_bytesintMaximum server response size allowed in bytes.
max_root_queriesintNumber of allowed root queries in a single query.
max_root_mutationsintNumber of allowed root mutations in a single query.
require_operation_namebooleanRequires queries to have an operation name set.
require_fieldsobjectMandates the use of specific fields when some type is used in a query.

require_fields:
User: [ name, email ]

require_id_fieldsbooleanRequires query selection sets to have an id field where it exists.
max_aliasesintMaximum allowed aliased fields in a query.

SecurityProfile

FieldTypeDescription
Namestring requiredName of the profile.
max_depthintMaximum length limit for queries.
max_heightintMaximum query height limit for queries.
max_directivesintMaximum number of query directives allowed in a query (both existent and non-existent query directives).
max_request_size_bytesintMaximum client request size allowed in bytes.
max_response_size_bytesintMaximum server response size allowed in bytes.
max_root_queriesintNumber of allowed root queries in a single query.
max_root_mutationsintNumber of allowed root mutations in a single query.
require_operation_namebooleanRequires queries to have an operation name set.
require_fieldsobjectMandates the use of specific fields when some type is used in a query.

require_fields:
User: [ name, email ]

require_id_fieldsbooleanRequires query selection sets to have an id field where it exists.
max_aliasesintMaximum allowed aliased fields in a query.