Supercharge your team with Apollo graph experts

Common GraphQL Security Challenges

Today, Apollo is introducing a new approach for preventing unbounded access to GraphQL APIs: GraphOS persisted query safelisting. With persisted query safelisting, API teams can prevent service degradation from complex queries by centrally safelisting known operations in Apollo Router — Apollo’s blazing-fast GraphQL gateway and query planner.

API teams can prevent service degradation from complex queries by centrally safelisting known operations in Apollo Router — Apollo’s blazing-fast GraphQL gateway and query planner.

Testing heading 4

GraphOS offers varying levels of safelist restrictions that enable incremental adoption and flexibility in development environments without sacrificing security in production. The audit-only configuration gives teams a frictionless way to get started with safelisting by logging unknown operation shapes without terminating the request. Meanwhile, production environments demanding maximum security and performance can use an ID-only configuration to accept only requests with a known hash, terminating all others.

Another test heading

Meanwhile, production environments demanding maximum security and performance can use an ID-only configuration to accept only requests with a known hash, terminating all others.

How safelisting works in GraphOS

Nearly all APIs are designed to serve a finite set of first-party client apps, and, by their very nature, GraphQL services are aware of the shape of data requested by those applications. In this closed development ecosystem, we have the tools to implement a GraphQL gateway that significantly limits surface area by only allowing known operations from our first-party apps.

Reject malicious traffic at the edge

Generally, you should configure your router to be more restrictive in production environments and less restrictive in development environments, but your particular use case and GraphQL client may limit how restrictive your router can be. GraphOS offers the ability to enforce more severe or less severe safelisting restrictions depending on your use case.

Reject malicious traffic at the edge even more

Generally, you should configure your router to be more restrictive in production environments and less restrictive in development environments, but your particular use case and GraphQL client may limit how restrictive your router can be. GraphOS offers the ability to enforce more severe or less severe safelisting restrictions depending on your use case.

Maximize security and performance with ID-only operations

ID-only operations are the most restrictive, but they also are the most efficient since the router can avoid processing any complex, freeform query strings (similar to automatic persisted query caching). In this mode, clients are required to send requests to the router with only a unique persisted query ID which the router can use to identify the requested operation. The router will reject any requests with an invalid ID or a freeform query string.

• Simple, boolean “loading” and “error” states for each query

• Retries for your failed queries, with optional exponential back-off and jittering

• Simple polling for keeping queries in sync with your backend

• Build infinitely scrolling lists or paginate data

• Enable optimistic updates so that your UI updates instantly when you make a mutation, even if the server still hasn’t confirmed it. If there’s an error later on, Apollo automatically rolls back the optimistic UI update.