Comparing changes

base repository: strapi/documentation
base: main
head repository: QuentinN42/strapi
compare: main
  • 18 commits
  • 1 file changed
  • 4 contributors

Commits on Mar 22, 2023

  1. feat: add docs about graphql security

    Signed-off-by: QuentinN42 <quentin@lieumont.fr>
    QuentinN42 committed Mar 22, 2023

    8947afc
  2. Fix grammar

    Co-authored-by: Ben Irvin <ben@innerdvations.com>
    pwizla and innerdvations authored Mar 22, 2023

    67e81b8
  3. Fix spelling

    Co-authored-by: Ben Irvin <ben@innerdvations.com>
    pwizla and innerdvations authored Mar 22, 2023

    d1c5fd1
  4. Add caps to Armor

    Co-authored-by: Ben Irvin <ben@innerdvations.com>
    QuentinN42 and innerdvations authored Mar 22, 2023

    053eec2
  5. typo

    Co-authored-by: Ben Irvin <ben@innerdvations.com>
    QuentinN42 and innerdvations authored Mar 22, 2023

    760667a
  6. Simpler escape paragraph

    Co-authored-by: Ben Irvin <ben@innerdvations.com>
    QuentinN42 and innerdvations authored Mar 22, 2023

    9b3757a
  7. clearer depth limit

    Co-authored-by: Ben Irvin <ben@innerdvations.com>
    QuentinN42 and innerdvations authored Mar 22, 2023

    18dd441
  8. refactor: wording

    Signed-off-by: QuentinN42 <quentin@lieumont.fr>
    QuentinN42 committed Mar 22, 2023

    f3c2629
  9. an example configuration

    Co-authored-by: Ben Irvin <ben@innerdvations.com>
    QuentinN42 and innerdvations authored Mar 22, 2023

    c939b11

Commits on Mar 24, 2023

  1. 4f558a2
  2. docs: add armor with plugins

    Signed-off-by: QuentinN42 <quentin@lieumont.fr>
    QuentinN42 committed Mar 24, 2023

    e1a4778

Commits on Apr 6, 2023

  1. 210b2c8
  2. 9fc739b
  3. 225b665
  4. 88a30e5
  5. e118363
  6. b9333e2
  7. 77100d9
Showing with 82 additions and 0 deletions.
82 changes: 82 additions & 0 deletions docusaurus/docs/dev-docs/plugins/graphql.md
@@ -903,3 +903,85 @@ Using API tokens in the the GraphQL playground requires adding the authorization

Replace `<TOKEN>` with your API token generated in the Strapi Admin panel.
:::

## Security

GraphQL is a query language allowing users to use a broader panel of inputs than traditional REST APIs. GraphQL APIs are inherently prone to security risks, such as credential leakage and denial of service attacks, that can be reduced by taking appropriate precautions.


### Disable introspection and playground in production

In production environments, disabling the GraphQL Playground and the introspection query is recommended.
If you haven't edited the [configuration file](/dev-docs/configurations/plugins#graphql-configuration), it is already disabled in production by default.

### Limit max depth and complexity

A malicious user could send a query with a very high depth, which could overload your server. Use the `depthLimit` [configuration parameter](/dev-docs/configurations/plugins#graphql-configuration) to limit the maximum number of nested fields that can be queried in a single request. By default, `depthLimit` is set to 10 but can be set to a higher value during testing and development.



### Install graphql armor

[Graphql armor](https://github.com/Escape-Technologies/graphql-armor) is a GraphQL middleware that protects your GraphQL API from malicious queries.
Installing it is simple and prevents the most common attacks.

Here is an example configuration to protect your GraphQL API :

```js
const armor = require('@escape.tech/graphql-armor');
// GraphQL Armor installed via :
// npm install @escape.tech/graphql-armor

const ApolloArmor = new armor.ApolloArmor();
module.exports = {
graphql: {
config: {
apolloServer: {
introspection: false, // <-- your custom config
...ApolloArmor.protect() // <-- add armor protection
},
},
},
};
```

If you already have some plugins or validation rules, proceed this way:

```js
const armor = require('@escape.tech/graphql-armor');
// GraphQL Armor installed via :
// npm install @escape.tech/graphql-armor

const ApolloArmor = new armor.ApolloArmor();
const protection = armor.protect();
module.exports = {
graphql: {
config: {
apolloServer: {
introspection: false, // <-- your custom config
...protection, // <-- add armor protection
plugins: [...protection.plugins, myPlugin1, myPlugin2 ] // <-- add your plugins
validationRules: [ ...protection.validationRules, myRule ] // <-- add your validation rules
},
},
},
};
```

Read more about GraphQL Armor in their [dev documentation](https://escape.tech/graphql-armor/docs/getting-started).

### Continuous security testing

One of the best way to stop wondering about security for your API is to be able to scan it each time you deploy it into
staging or production environments. As you run your unit tests in your CI/CD pipeline, you can bullet-proof your GraphQL
application before it even reaches a production environment.

#### graphql.security

[graphql.security](https://graphql.security/) is a free, quick graphql security testing tool, allowing you to quickly assess the most common vulnerabilities in your application.

#### Escape

[Escape](https://escape.tech/) is a GraphQL security SaaS platform running an automated pentest tool that can be incorporated into your CI/CD pipeline such as Github Actions or Gitlab CIs

The security notifications will be automatically communicated to your CI/CD platform, enabling you to promptly attend to them.
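Review bot: the second configuration example (the "If you already have some plugins or validation rules" block) is not valid JavaScript and will throw a SyntaxError when Strapi loads the plugins config: the line `plugins: [...protection.plugins, myPlugin1, myPlugin2 ] // <-- add your plugins` is missing the trailing comma before `validationRules:`. In the same block `protection` is built with `armor.protect()` on the module namespace, while the first example calls `ApolloArmor.protect()` on the constructed instance; the two examples should agree, and since the instance is the object the snippet creates, `const protection = ApolloArmor.protect();` is the form to keep. Spreading `...protection` and then also assigning `plugins` and `validationRules` explicitly is redundant; the spread is only needed when those keys are not set by hand. Both examples hard-code `introspection: false` even though the "Disable introspection and playground in production" paragraph says introspection is already off in production by default; as written this also disables it in development, so either drop that line from the examples or gate it on `process.env.NODE_ENV === 'production'`, and say so in the comment instead of "your custom config". Wording: "One of the best way" should be "ways", "Github Actions" and "Gitlab CIs" should be "GitHub Actions" and "GitLab CI", the heading "Install graphql armor" should use the product name "GraphQL Armor" that the rest of the section uses, and "your GraphQL API :" has a stray space before the colon. The hunk header context also carries a pre-existing "in the the GraphQL playground" duplication that could be fixed in the same PR.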