GraphQL Security
Download as PPTX, PDF0 likes302 views
The document discusses GraphQL as a query language that allows users to specify the exact data they need from a single endpoint, contrasting it with REST. It outlines various security considerations such as transport protection, rate limiting, data leakage, authentication methods, and authorization strategies. Additionally, it highlights the need for careful management of query complexity and compliance with regulations like GDPR and PCI compliance.
GraphQL Security
- 1. GraphQL with Security ideas and thinkings @shiufunpoon
- 2. What is GraphQL Query language User drives the query Like a database query to the database, this is query to the rest endpoint E.g. Given me the book title of all the books from the libraries in San Francisco with zip code 94403 Allow user to specify the data the is needed (nothing more, nor less) One single endpoint for the request Data is in a graph structure (if you can build the relationship to the data, you can get the data) REST is well-structured with schema (like swagger) and , GraphQL not so Will it replace REST ? ¯_(ツ)_/¯
- 3. The Basic Transport protection Over TLS, are you using TLS 1.3 ? No ? How about TLS 1.2 with secure ciphers ? Mutual TLS is best, but with HUGE overhead Rate Limit With one endpoint, all queries is using the same endpoint, what is your strategy to protect this endpoint ? Rate limit by client_ip ? Throttling ? Time limit How long does the query take ? Make sure timeout is set appropriately – so no single query will take up all the resources Data Leakage Use of `AllowList` or `BlockList` to fine tuned what can be returned, even with user asking for the data
- 4. GraphQL consideration Query complexity Complexity Difficult to calculate the complexity Need SME to provide weight on query Protect against cycling reference Depth of the query Payload size Limit How large is the response payload Validation of request Label (known label) Query search string size limit
- 5. Authentication Authentication Client credential with mutual TLS this is on protocol level HTTP based Authentication, e.g. HTTP Basic, HTML FormBased Token based authentication JWT OIDC (OAuth) Cookie Spengo/Kerberos SAML HTTP Post Binding
- 6. Authorization Authorization OAuth OAuth uses scope map the scope concept to the open-ended query/action Use as the initial permission decision (coarse grained decision) If token is JWT format, utilize JWT claim to provide a context for authorization decision Delegate to the business layer on the finer grained access Be on watch out for GDPR (exposing information required by caller, but not authorize by user) PCI compliance data Confidential data Chaining authorization layer for layering permission approach