2. Operation Limits (10m)

Overview

In this module, we will cover how to set limits on incoming queries to protect our backend resources.

Operation limits

To ensure that we have proper protection against malicious (or simply ill-formed) queries, we need some GraphQL-specific safeguards in place. For this, we will use a feature of the router called operation limits.

Operation limits prevent clients from running queries that put excess strain on our service. We can place height, depth, alias, and root-field limits on incoming operations via the router configuration.

We can configure the following properties:

  • max_height: Limits the number of unique fields included in an operation, including fields of fragments. If a particular field is included multiple times via fragments, it's counted only once.
  • max_depth: Limits the deepest nesting of fields in an operation, including in fragments.
  • max_aliases: Limits the total number of aliased fields in an operation, including fields of fragments.
  • max_root_fields: Limits the number of root fields in an operation, including root fields in fragments. If a particular root field is included multiple times via fragments, each usage is counted.

Note how these complement each other: height and depth bound how much of the schema a single operation can touch, while the alias and root-field limits close the gap they leave, because height counts unique fields and so does not see a client repeating one expensive field many times under different aliases.

The current state

Let's run a complex query against our graph.

  1. Open up Apollo Studio and navigate to the Explorer.

  2. We want to run a query that has a height greater than 10. Here is a good example to run:

    A query with a lot of height
    query ALotOfHeight {
      getFeaturedProducts {
        description
        featured
        id
        images
        name
        price
        shortDescription
        sku
        variants {
          colorway
          id
          inStock
          price
          size
        }
      }
    }
  3. We should get data back!

    [Screenshot: Studio view of Explorer with successful query result]

Configuring operation limits

  1. In the GitHub repo, navigate to the router folder and open up the router.yaml file.

  2. Add the following lines to the router.yaml file to enable limits:

    limits:
      max_depth: 5
      max_height: 10
      max_aliases: 3

    This instructs the router to reject any operation that exceeds these limits. Choose the values from your real client traffic (the heaviest legitimate operation sets the floor) so the limits catch abusive queries without breaking existing clients.

  3. Commit the changes

    [Screenshot: GitHub view of editing the router.yaml with commit button highlighted]

Check your work

  1. Navigate back to Studio and open up the Explorer

  2. Run the same query as before:

    A query with a lot of height
    query ALotOfHeight {
      getFeaturedProducts {
        description
        featured
        id
        images
        name
        price
        shortDescription
        sku
        variants {
          colorway
          id
          inStock
          price
          size
        }
      }
    }
  3. With our limits in place, the query should fail with the error code MAX_HEIGHT_LIMIT and the message Maximum height (field count) limit exceeded in this operation. The router rejects the operation outright, so it is never executed against the subgraphs. (The query is only three levels deep and uses no aliases, so max_depth and max_aliases are not the limits that fire here.)

    [Screenshot: Studio view of Explorer with failed query result]
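To see where the numbers behind each limit come from, here is an added example (my own code, not part of the Apollo course or of the router) that computes height, depth, alias count and root-field count for a GraphQL operation and checks them against a router.yaml-style limits map. It runs the tutorial's ALotOfHeight query and a second, constructed query that repeats one root field under four aliases. Assumptions: root fields count as depth 1; two aliases of the same field count once towards height (the "unique fields" wording above); named fragment spreads are not handled; MAX_HEIGHT_LIMIT is the error code the course shows, and the other MAX_*_LIMIT names assume the same pattern.

```python
"""Added example: compute the metrics the router's operation limits are defined over."""
import re
from collections import namedtuple

# Constructed input: the limits from the tutorial's router.yaml.
LIMITS = {"max_depth": 5, "max_height": 10, "max_aliases": 3}

# Constructed input: the tutorial's ALotOfHeight query (15 fields, 3 levels deep, no aliases).
A_LOT_OF_HEIGHT = """
query ALotOfHeight {
  getFeaturedProducts {
    description featured id images name price shortDescription sku
    variants { colorway id inStock price size }
  }
}
"""

# Constructed input: four aliases of one root field. Height stays tiny (2 unique fields),
# so only max_aliases (or max_root_fields) stops the backend work from being multiplied.
ALIAS_ABUSE = """
query AliasAbuse {
  a: getFeaturedProducts { price }
  b: getFeaturedProducts { price }
  c: getFeaturedProducts { price }
  d: getFeaturedProducts { price }
}
"""

# Tokens: '...', punctuation, quoted strings, and everything else (names, numbers, $vars).
TOKEN_RE = re.compile(r'\.\.\.|[{}():@]|"(?:[^"\\]|\\.)*"|[^\s{}():@"]+')

Field = namedtuple("Field", "name alias children")


def _skip_parens(tokens, i):
    """Skip the balanced (...) group starting at tokens[i]; return the index after it."""
    depth = 0
    while True:
        depth += {"(": 1, ")": -1}.get(tokens[i], 0)
        i += 1
        if depth == 0:
            return i


def _parse_selection_set(tokens, i):
    """Parse the '{ ... }' at tokens[i]; return (fields, index after the closing '}')."""
    fields, i = [], i + 1
    while tokens[i] != "}":
        if tokens[i] == "...":  # inline fragment: '... on Type { ... }' or '... { ... }'
            i += 3 if tokens[i + 1] == "on" else 1
            if tokens[i] != "{":  # assumption: named fragment spreads are out of scope here
                raise ValueError("named fragment spreads are not supported by this example")
            sub, i = _parse_selection_set(tokens, i)
            fields.extend(sub)  # fragment fields belong to the enclosing selection set
            continue
        name, alias, i = tokens[i], None, i + 1
        if tokens[i] == ":":  # 'alias: fieldName'
            alias, name, i = name, tokens[i + 1], i + 2
        if tokens[i] == "(":  # arguments
            i = _skip_parens(tokens, i)
        while tokens[i] == "@":  # directives, with or without arguments
            i += 2
            if tokens[i] == "(":
                i = _skip_parens(tokens, i)
        children = []
        if tokens[i] == "{":
            children, i = _parse_selection_set(tokens, i)
        fields.append(Field(name, alias, children))
    return fields, i + 1


def parse_operation(text):
    """Root selection set of the first operation in `text` (assumes no '{' in the header)."""
    tokens = TOKEN_RE.findall(text)
    return _parse_selection_set(tokens, tokens.index("{"))[0]


def metrics(fields):
    """Height, depth, alias count and root-field count as the limit descriptions define them."""
    unique, aliases, depth = set(), 0, 0

    def walk(fs, path, level):
        nonlocal aliases, depth
        for f in fs:
            depth = max(depth, level)  # root fields are level 1 (assumed convention)
            unique.add(path + (f.name,))  # a field repeated via fragments or aliases counts once
            aliases += f.alias is not None
            walk(f.children, path + (f.name,), level + 1)

    walk(fields, (), 1)
    return {"height": len(unique), "depth": depth, "aliases": aliases, "root_fields": len(fields)}


# MAX_HEIGHT_LIMIT is the code shown in the tutorial; the other names assume the same pattern.
CODES = {"max_depth": ("depth", "MAX_DEPTH_LIMIT"), "max_height": ("height", "MAX_HEIGHT_LIMIT"),
         "max_aliases": ("aliases", "MAX_ALIASES_LIMIT"), "max_root_fields": ("root_fields", "MAX_ROOT_FIELDS_LIMIT")}


def violations(text, limits=LIMITS):
    """Sorted list of limit error codes the operation in `text` would trip under `limits`."""
    m = metrics(parse_operation(text))
    return sorted(code for key, (metric, code) in CODES.items() if key in limits and m[metric] > limits[key])


if __name__ == "__main__":
    for q in (A_LOT_OF_HEIGHT, ALIAS_ABUSE):
        print(metrics(parse_operation(q)), violations(q) or "OK")
```

Run as a script, it reports the tutorial query as height 15, depth 3, no aliases, tripping only MAX_HEIGHT_LIMIT under the limits above, and the alias query as height 2 but four aliases, tripping only the alias limit. That second result is the practical reason aliases get their own limit: a height limit alone would pass a query that makes the backend resolve the same expensive field over and over.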

Feel free to play with other queries that exceed our new limits. Our graph is now better protected against oversized operations, and all it took was a few lines of configuration. Keep in mind that these limits are a coarse guard: they bound the shape of an operation, not which operations are allowed at all.


Up next

In the next module, we'll lock down which queries can be executed against our graph so that only pre-approved operations can run.
