
Part 3: Controlling Query Depth and Height

In this tutorial, we will build on the configuration from part 1 and add some basic query protection to our server.

Prerequisites

  • Account: create one at app.inigo.io.
  • CLI: install the Inigo CLI.
  • We'll use a hosted Starwars Demo service so there is no need to deploy any GraphQL server.

Introduction

GraphQL gives clients great flexibility by letting them request exactly the data they need. For servers, that flexibility is a double-edged sword: clients can send queries, whether malicious or merely careless, that are too deep or too large and that degrade server performance. It is therefore important to have measures in place that protect the server from such queries. One of the simplest and most effective is to limit the size of incoming queries. Two key factors contribute to a query's size: its depth and its height. Query depth is the number of nested levels in a query, while query height is the total number of fields requested in the query.

Configuration

We'll enhance our configuration from part 1 and add depth and height protection to our server. Update your existing security.yml file to look like this:

security.yml
kind: Security
name: demo
label: starwars
spec:
  profiles:
    - name: guest
      require_operation_name: true
      max_depth: 3
      max_height: 10

Apply

inigo apply security.yml

Test

The following query with depth 3 should run as expected:

query.graphql
query FilmsAndCharacters {
  films {
    title
    characters {
      name
    }
  }
}

Adding one more selection set (appearedIn) to the query raises its depth to 4, so it should be blocked:

query.graphql
query FilmsAndCharactersAppearedIn {
  films {
    title
    characters {
      name
      appearedIn {
        title
      }
    }
  }
}
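To see why the first query passes and the second is blocked, the following added example (not Inigo's own code) computes depth and height for the two queries above using the tutorial's definitions, and checks them against the profile's max_depth of 3 and max_height of 10. It also shows a constructed wide query that stays within the depth limit but exceeds the height limit. It is a simplified model: it counts aliased fields once, skips arguments, and does not expand fragments, and the field names in the wide query are assumed rather than taken from the demo schema.

```python
import re

MAX_DEPTH = 3    # max_depth from the security profile in this tutorial
MAX_HEIGHT = 10  # max_height from the security profile in this tutorial

# Tokens: braces, a parenthesised argument list (kept as one token and skipped), names, or ':'
_TOKEN = re.compile(r"\{|\}|\([^)]*\)|[A-Za-z_][A-Za-z0-9_]*|:")


def _walk(tokens, pos, level):
    """Consume one selection set starting just after '{'. Return (pos after '}', height, depth)."""
    height, depth = 0, 0
    while tokens[pos] != "}":
        if tokens[pos + 1] == ":":      # alias: skip "alias :" and count only the real field
            pos += 2
        height += 1                     # every field requested adds one to the height
        depth = max(depth, level)       # leaf fields count as a level, matching the tutorial
        pos += 1
        if pos < len(tokens) and tokens[pos].startswith("("):
            pos += 1                    # arguments do not add fields
        if pos < len(tokens) and tokens[pos] == "{":
            pos, h, d = _walk(tokens, pos + 1, level + 1)
            height += h
            depth = max(depth, d)
    return pos + 1, height, depth


def measure(query: str) -> tuple:
    """Return (depth, height) of a single GraphQL operation."""
    tokens = _TOKEN.findall(query)
    start = tokens.index("{")           # skip 'query Name($vars)' up to the first selection set
    _, height, depth = _walk(tokens, start + 1, 1)
    return depth, height


def check(query: str, max_depth: int = MAX_DEPTH, max_height: int = MAX_HEIGHT) -> str:
    """Decide what the guest profile would do with the query."""
    depth, height = measure(query)
    if depth > max_depth:
        return f"blocked: depth {depth} exceeds max_depth {max_depth}"
    if height > max_height:
        return f"blocked: height {height} exceeds max_height {max_height}"
    return f"allowed: depth {depth}, height {height}"


# The two queries from this tutorial, plus a constructed wide query (field names assumed).
FILMS_AND_CHARACTERS = "query FilmsAndCharacters { films { title characters { name } } }"
FILMS_AND_CHARACTERS_APPEARED_IN = (
    "query FilmsAndCharactersAppearedIn { films { title characters { name appearedIn { title } } } }"
)
WIDE_QUERY = ("query Wide { films { title director producer episodeId releaseDate openingCrawl "
              "characters { name } planets { name } species { name } } }")

if __name__ == "__main__":
    for q in (FILMS_AND_CHARACTERS, FILMS_AND_CHARACTERS_APPEARED_IN, WIDE_QUERY):
        print(check(q))
```

Inigo's real counting rules may differ in details such as how aliases and fragments are treated; the point here is that depth bounds nesting while height bounds breadth, and a query can violate either limit independently.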

Feel free to explore the other security settings, such as limits on directives, aliases, request and response size, and mode. All of these knobs are documented in the SecurityProfile section of the security configuration page.

Next up

In the next part we'll go over other basic rate-limit configurations.