Improved Security with GraphQL Armor support for Yoga Server 2
We are utterly excited to introduce GraphQL Armor compatibility with Yoga 2.
When the GraphQL Ecosystem Encounters Security
A few weeks ago, the GraphQL Security company Escape released GraphQL Armor, an open-source middleware to add a security layer on top of GraphQL endpoints and mitigate common attacks.
GraphQL Armor blocks abusive requests by putting reasonable and clever limits to Queries. To us, this represents the go-to solution when using persisted operations is not possible, like when building a public GraphQL API. Also, even if you are building an internal API, these tools can be handy for preventing too heavy GraphQL queries. This technical approach is also complementary to the existing set of plugins for hardening endpoints:
- GraphQL Authz and use-operation-field-permissions for Access Control & Business logic
- use-generic-auth and use-auth0 for Authorization
Thus, we decided to work together with Escape’s team to continuously improve security standards and defaults for the Yoga and GraphQL community.
Why couldn’t you have production security best practices in Yoga by default?
What Do You Get by Using GraphQL Armor?
Armor comes out of the box with a set of plugins that applies security best practices to any production GraphQL Server:
- Aliases Limit
- Character Limit
- Cost Limit
- Depth Limit
- Directives Limit
- Disabled Field Suggestion
More rules are added weekly. And we are more than open to feedback and contributions!
Note that the default configuration has been designed with conservation in mind: Adding Armor to a production project should not interfere with legitimate requests out of the box.
How Does It Look like to Use GraphQL Armor with Yoga?
GraphQL Armor relies on Envelop plugins for its security rules.
Getting started is dead-simple: npm install -S @escape.tech/graphql-armor (or
yarn add @escape.tech/graphql-armor)
Then let’s take a minimalistic Yoga server:
import { createServer } from '@graphql-yoga/node'
import { schema } from './schema'
export function initServer() {
const server = createServer({
schema
})
return server
}Adding GraphQL armor is just a matter of adding a few envelop plugins:
import { EnvelopArmor } from '@escape.tech/graphql-armor'
import { createServer } from '@graphql-yoga/node'
import { schema } from './schema'
const armor = new EnvelopArmor()
const enhancements = armor.protect()
export function initServer() {
const server = createServer({
schema,
plugins: [...enhancements.plugins]
})
return server
}This example can be found in our example repository github.com/dotansimha/graphql-yoga
Join Us in Building the Future of GraphQL Security
Escape’s team is actively working on improving Armor and its support for Yoga Server This is just the start of a great collaboration between our teams to ensure better security for the whole GraphQL ecosystem. There is much more to come! Feel free to come on Armor’s GitHub to ⭐ star, 🗣️ discuss, 🎉 ask them for new features, and more:
github.com/Escape-Technologies/graphql-armor
Talk to you soon! 🤟
Join our newsletter
Want to hear from us when there's something new? Sign up and stay up to date!
By subscribing, you agree with Beehiiv’s Terms of Service and Privacy Policy.
Recent issues of our newsletterSimilar articles
Announcing Accounts.js 1.0 Release Candidate
Introducing Accounts.js 1.0 Release Candidate, an end to end authentication and accounts management solution.
Building Open Source GraphQL Security
Learn how open-source boosts GraphQL security and explore defensive and offensive tools, resources, and best practices to protect your GraphQL APIs.
Open Source composition and validation library for Apollo Federation
Introducing MIT licensed drop-in replacement for the Apollo Federation composition library.
GraphQLConf 2023 Recap
Explore the highlights of GraphQLConf 2023. Learn about the latest trends in GraphQL, from gateway solutions to composite schemas and innovative projects.