-
Notifications
You must be signed in to change notification settings - Fork 104
Security
The HTTP server allows requests from all origins by default. It's recommended to limit GraphQL Server access to known origins, protecting against unexpected load.
ENV ALLOWED_ORIGINS
maps to the Express CorsOptions.origin
which sets the Access-Control-Allow-Origin CORS header. The following type is compatible:
boolean | string | RegExp | (string | RegExp)[]
ALLOWED_ORIGINS=https://my-app.com
Query result sets have a limit
and require pagination using offset
arguments. A default limit of 2500 is applied to each query in Hasura metadata.
A configurable node depth limit prevents an highly nested query that would otherwise not be limited.
QUERY_DEPTH_LIMIT=3
{
blocks { # No limit provided, so default applies
previousBlock {
previousBlock {
previousBlock { ## Now invalid
previousBlock {
id
}
}
}
}
}
}
The server can reject queries that are overly complex, which is determined by the addition of pre-determined costs of returning each field. You can control this limit using MAX_QUERY_COMPLEXITY
, to either tighten or relax the default of 5000
. It's also possible to provide a custom complexity plan if using the API packages in an existing server.