GraphQL Protect 🛡️

GraphQL Protect is dead-simple yet highly customizable security sidecar compatible with any HTTP GraphQL Server or Gateway.

This is repository inspired by the great work of the Javascript GraphQL Armor middleware.

Features

• Persisted Operations
• Block Field Suggestions
• Max Aliases
• Max Tokens
• Max Depth
• Max Batch
• Enforce POST
• Max Directives (coming soon)
• Cost Limit (coming soon)

Curious why you need these features? Check out this Excellent talk on GraphQL security on YouTube.

Installation

As Container

docker pull ghcr.io/ldebruijn/graphql-protect:latest
docker run -p 8080:8080 -v $(pwd)/protect.yml:/app/protect.yml -v $(pwd)/schema.graphql:/app/schema.graphql ghcr.io/ldebruijn/graphql-protect:latest

Make sure to portforward the right ports for your supplied configuration

Check out our run documentation for more concrete examples.

Source code

git clone git@github.com:ldebruijn/graphql-protect.git

Build & Test

    make build
    make test

Run Container

    make run_container

Documentation

Check out our extensive documentation, including configuration examples, detailed descriptions of each protection feature as well as deployment configuration examples.

Documentation

Configuration

We recommend configuring the binary using a yaml file, place a file called protect.yml in the same directory as you're running the binary.

For all the configuration options check out the Configuration Documentation

Alternatively graphql-protect can be configured using environment variables or command line arguments.

Contributing

Ensure you have read the Contributing Guide before contributing.

To set up your project, make sure you run the make dev.setup script.

git clone git@github.com:ldebruijn/graphql-protect.git
cd graphql-protect
make dev.setup