Security

Rhys Bartels-Waller edited this page Jul 23, 2021 · 5 revisions

CORS

The HTTP server allows requests from all origins by default. It is recommended to limit GraphQL server access to known origins, which protects against unexpected load.

The ALLOWED_ORIGINS environment variable maps to the Express CorsOptions.origin option, which sets the Access-Control-Allow-Origin CORS header. Any value of the following type is compatible:

boolean | string | RegExp | (string | RegExp)[]

Examples

Single client

ALLOWED_ORIGINS=https://my-app.com
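The following is an added example, not code from cardano-graphql itself. It shows how a raw ALLOWED_ORIGINS value can be turned into the CorsOptions.origin type listed above and how the Express cors middleware then matches a request's Origin header against each supported shape (the matching rules mirror the cors package; the comma-separated list and /.../ regex syntax for the environment variable are assumptions made for illustration, not documented behaviour of the server). It also shows why a regular expression must be anchored: an unanchored pattern for my-app.com also accepts an attacker-controlled origin such as my-app.com.evil.example.

```javascript
// Added example (not cardano-graphql's own code). Parses a raw ALLOWED_ORIGINS
// string into the CorsOptions.origin type and evaluates request origins the
// way the Express `cors` middleware does.
//
// Assumptions: entries are comma-separated, an entry written as /pattern/ is
// a regular expression, and an empty or missing value means "any origin"
// (matching the page's "all origins by default"). Patterns containing a comma
// are not supported by this simple splitter.
function parseAllowedOrigins(raw) {
  if (raw === undefined || raw.trim() === '') return true; // assumption: default allows all origins
  if (raw.trim() === 'true') return true;
  if (raw.trim() === 'false') return false;                // cors: disables CORS entirely
  const entries = raw.split(',').map((s) => s.trim()).filter(Boolean);
  const parsed = entries.map((entry) => {
    const m = /^\/(.+)\/$/.exec(entry);
    return m ? new RegExp(m[1]) : entry;                     // /.../ -> RegExp, else exact string
  });
  return parsed.length === 1 ? parsed[0] : parsed;
}

// Mirrors the matching the cors package performs for each supported type:
// array -> any element matches; string -> exact match; RegExp -> test();
// boolean -> allow everything (true) or nothing (false).
function isOriginAllowed(origin, allowed) {
  if (Array.isArray(allowed)) return allowed.some((a) => isOriginAllowed(origin, a));
  if (typeof allowed === 'string') return origin === allowed;
  if (allowed instanceof RegExp) return allowed.test(origin);
  return Boolean(allowed);
}

// Wiring it into Express would look like (packages not loaded here):
//   const cors = require('cors');
//   app.use(cors({ origin: parseAllowedOrigins(process.env.ALLOWED_ORIGINS) }));

// Constructed inputs for a quick self-check.
const SINGLE = parseAllowedOrigins('https://my-app.com');
const ANCHORED = parseAllowedOrigins('/^https:\\/\\/[a-z]+\\.my-app\\.com$/');
const UNANCHORED = parseAllowedOrigins('/my-app\\.com/');

function demo() {
  return {
    exact: isOriginAllowed('https://my-app.com', SINGLE),                         // true
    other: isOriginAllowed('https://evil.example', SINGLE),                       // false
    anchoredOk: isOriginAllowed('https://app.my-app.com', ANCHORED),              // true
    anchoredLookalike: isOriginAllowed('https://app.my-app.com.evil.example', ANCHORED), // false
    unanchoredLookalike: isOriginAllowed('https://my-app.com.evil.example', UNANCHORED), // true: the weak pattern
  };
}
```

CORS is enforced by browsers, so this setting controls which web pages may call the server from a user's browser; it does not restrict scripts or other non-browser clients, which is why it is a load-limiting measure rather than an authentication control.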

Result Limits

Query result sets are limited and require pagination using offset arguments. A default limit of 2500 is applied to each query in the Hasura metadata.

Depth Limit

A configurable node depth limit rejects highly nested queries that would otherwise not be limited.

QUERY_DEPTH_LIMIT=3
{
  blocks { # No limit provided, so default applies
    previousBlock {
      previousBlock {
        previousBlock { ## Now invalid
          previousBlock {
            id
          }
        }
      }
    }
  }
}

Query Complexity Limit

The server can reject queries that are overly complex. Complexity is determined by summing pre-determined costs for returning each field. You can control this limit with MAX_QUERY_COMPLEXITY, to either tighten or relax the default of 5000. It is also possible to provide a custom complexity plan when using the API packages in an existing server.
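The following is an added example, not cardano-graphql's own implementation, covering both the depth limit and the complexity limit described above. It walks a GraphQL document string, records every field together with its nesting depth, and derives the two checks from that list: the first field deeper than QUERY_DEPTH_LIMIT, and the summed per-field cost compared against MAX_QUERY_COMPLEXITY. The depth convention (a field's depth is the number of selection sets enclosing it, so the first top-level field has depth 1), the FIELD_COSTS table and the cost of 1 for unlisted fields are assumptions made for illustration; the server's real cost plan is not shown on this page. Run against the nested query from the depth-limit section, the first field exceeding a limit of 3 is the third previousBlock, which matches the "Now invalid" marker.

```javascript
// Added example (not cardano-graphql's own code): a small selection-set walker
// that approximates the depth and complexity checks described on this page.
// Limitations: aliases, fragment spreads and directives are counted as plain
// names, and a '#' inside a string literal is treated as a comment.

function stripComments(doc) {
  return doc.replace(/#[^\n]*/g, '');
}

// Returns [{ name, depth }] for every name found inside a selection set.
// depth = number of currently open selection sets (assumed convention).
// Argument lists in parentheses are skipped whole, so braces and names inside
// them (e.g. where: {number: {_gt: 1}}) do not count as fields.
function fieldsWithDepth(doc) {
  const src = stripComments(doc);
  const ident = /[_A-Za-z][_0-9A-Za-z]*/y;
  const fields = [];
  let depth = 0;
  let i = 0;
  while (i < src.length) {
    const ch = src[i];
    if (ch === '{') { depth++; i++; continue; }
    if (ch === '}') { depth--; i++; continue; }
    if (ch === '(') {
      let level = 0;
      do {
        if (src[i] === '"') { // skip a string literal, honouring backslash escapes
          i++;
          while (i < src.length && src[i] !== '"') i += src[i] === '\\' ? 2 : 1;
        } else if (src[i] === '(') level++;
        else if (src[i] === ')') level--;
        i++;
      } while (level > 0 && i < src.length);
      continue;
    }
    ident.lastIndex = i;
    const m = ident.exec(src);
    if (m) {
      // Names at depth 0 are the operation keyword and operation name, not fields.
      if (depth > 0) fields.push({ name: m[0], depth });
      i += m[0].length;
      continue;
    }
    i++;
  }
  return fields;
}

function maxDepth(doc) {
  return fieldsWithDepth(doc).reduce((m, f) => Math.max(m, f.depth), 0);
}

// Depth limit: report the first field that exceeds QUERY_DEPTH_LIMIT.
function checkDepth(doc, limit) {
  const offending = fieldsWithDepth(doc).find((f) => f.depth > limit);
  return offending ? { ok: false, field: offending.name, depth: offending.depth } : { ok: true };
}

// Hypothetical per-field costs; unlisted fields cost 1 (assumption).
const FIELD_COSTS = { blocks: 10, previousBlock: 5, id: 1 };

function queryComplexity(doc, costs = FIELD_COSTS) {
  return fieldsWithDepth(doc).reduce((sum, f) => sum + (costs[f.name] ?? 1), 0);
}

// Complexity limit: compare the summed cost against MAX_QUERY_COMPLEXITY.
function checkComplexity(doc, max, costs = FIELD_COSTS) {
  const cost = queryComplexity(doc, costs);
  return { ok: cost <= max, cost };
}

// Constructed input: the nested query from the depth-limit section above.
const NESTED_QUERY = `{
  blocks { # No limit provided, so default applies
    previousBlock {
      previousBlock {
        previousBlock { ## Now invalid
          previousBlock {
            id
          }
        }
      }
    }
  }
}`;

function demo() {
  return {
    depth: checkDepth(NESTED_QUERY, 3),          // { ok: false, field: 'previousBlock', depth: 4 }
    complexity: checkComplexity(NESTED_QUERY, 5000), // { ok: true, cost: 31 }
  };
}
```

Both checks run before execution and need only the parsed document, which is why they complement the result limit: pagination caps how many rows a list field returns, while depth and complexity cap how much work a single request can ask for regardless of row counts.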