GraphQL integration

GraphQL queries, variables and operation names can be extracted from different sources:
  • HTTP query parameters
  • JSON bodies
  • Bodies of content type application/graphql

Step 1 of this article describes a simple GraphQL example integration with limits configuration and request-check against deny rules. This part covers the basic configuration.

Step 2 of this article describes how to create exceptions using policy learning. This requires working with log messages to find and eliminate the cause of problems.

Step 1 – Configure GraphQL and Limits

Start by activating the Log only mode in the GraphQL enforcement settings on the mapping detail page to collect a reasonable number of logs in preparation.

  1. Go to:
    Application Firewall >> API Security >> section GraphQL
  2. Upload a GraphQL schema that is compatible with GraphQL schema definition (Oct. 2021).
  3. Change to:
    Application Firewall >> Reverse Proxy and choose a mapping for editing.
  4. On the mapping detail page, select the tab API Security.
  5. In the GraphQL section, enable the following options:
    • Enable parser
    • Log only
    • Check values with deny rules
    • Enforce schema (and select the uploaded GraphQL schema)
  6. Change to the Limits tab and enable GraphQL Limits checks.
    • Set the limit values carefully to minimize the risk of DoS attacks – we recommend using the default values as a starting point.
    • Consider reducing the Max query nesting depth if you notice high loads on your target system due to GraphQL requests.
  7. Activate the new configuration.
  8. GraphQL requests may now generate log messages (even blocks caused by deny rules) with the parameter name #graphql#.
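The following is an added example, not code from the original article or from Airlock Gateway: it shows in Python what a parser that reads the three sources listed at the top of the article has to do (query parameters, a JSON body, and a body of content type application/graphql), and how a query nesting-depth limit such as the one enabled in step 6 can be evaluated on the extracted query. The sample requests, the function names and the limit value are constructed for this example; the depth counting convention (the outermost selection set counts as depth 1) is an assumption and may differ from the gateway's own counting.

```python
import json
from urllib.parse import parse_qs

# Constructed sample requests (not real traffic): (path, headers, body), one per source.
SAMPLE_REQUESTS = {
    "query_params": ("/graphql?query=%7B%20user%20%7B%20id%20%7D%20%7D&operationName=Q", {}, ""),
    "json_body": ("/graphql", {"Content-Type": "application/json"},
                  json.dumps({"query": "query Q($id: ID!) { user(id: $id) { posts { title } } }",
                              "variables": {"id": "1"}, "operationName": "Q"})),
    "graphql_body": ("/graphql", {"content-type": "application/graphql; charset=utf-8"},
                     "{ viewer { name } }"),
}
# Constructed request nested seven levels deep, to exercise the limit.
DEEP_REQUEST = ("/graphql", {"content-type": "application/graphql"},
                "{ a { b { c { d { e { f { g } } } } } } }")


def extract_graphql(path, headers, body):
    """Return (query, variables, operation_name), or None if the request carries no GraphQL.
    Sources are tried in the order the article lists them. Malformed JSON raises ValueError,
    which a caller would treat as a reason to reject the request."""
    params = parse_qs(path.partition("?")[2])
    if "query" in params:                      # 1. HTTP query parameters
        variables = json.loads(params["variables"][0]) if "variables" in params else {}
        return params["query"][0], variables, params.get("operationName", [None])[0]

    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    ctype = ctype.split(";")[0].strip().lower()
    if ctype == "application/json":            # 2. JSON body
        doc = json.loads(body)
        if not isinstance(doc, dict) or not isinstance(doc.get("query"), str):
            raise ValueError("JSON body is not a GraphQL request document")
        return doc["query"], doc.get("variables") or {}, doc.get("operationName")
    if ctype == "application/graphql":         # 3. raw query body
        return body, {}, None
    return None


def nesting_depth(query):
    """Maximum selection-set nesting depth of a query string.
    Braces inside comments, ordinary strings and block strings are ignored so that a
    string argument such as "{{{" cannot inflate or deflate the measured depth."""
    depth = max_depth = 0
    i, n = 0, len(query)
    while i < n:
        c = query[i]
        if c == "#":                            # comment runs to end of line
            while i < n and query[i] != "\n":
                i += 1
        elif query.startswith('"""', i):        # block string
            end = query.find('"""', i + 3)
            i = n if end < 0 else end + 3
            continue
        elif c == '"':                          # ordinary string, honouring backslash escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
        elif c == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif c == "}":
            depth -= 1
        i += 1
    return max_depth


def evaluate(request, max_depth):
    """Extract the GraphQL operation and compare its nesting depth with the configured limit."""
    path, headers, body = request
    extracted = extract_graphql(path, headers, body)
    if extracted is None:
        return {"graphql": False, "depth": 0, "operation": None, "verdict": "pass-through"}
    query, _variables, operation_name = extracted
    depth = nesting_depth(query)
    return {"graphql": True, "depth": depth, "operation": operation_name,
            "verdict": "block" if depth > max_depth else "allow"}


if __name__ == "__main__":
    for name, req in list(SAMPLE_REQUESTS.items()) + [("deep", DEEP_REQUEST)]:
        print(f"{name:13s} -> {evaluate(req, max_depth=5)}")
```

Running the block evaluates each constructed request against a depth limit of 5: the three ordinary requests are allowed with depths 2, 3 and 2, while the seven-level request is reported as a block. The comment and string handling in nesting_depth is what keeps the measurement honest when a query carries braces inside a string argument.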

Step 2 – Create deny rule exceptions using policy learning

In Log only mode and with the settings above, GraphQL-related checks like syntax errors will not lead to blocks. However, with Check values with deny rules enabled, the Security Gate still enforces the current deny rules. If you encounter false positives, use the Policy Learning feature to create exceptions to deny rules.

  1. Go to:
    Application Firewall >> Policy Learning
  2. If the GraphQL query is sent in a JSON body, check for JSON blocks and create deny rule exceptions as required. Look for blocks with parameter name #json#.
     OR
  3. If the GraphQL query is sent in query parameters, check for blocks with the query parameter names query, variables, or operationName and create deny rule exceptions as required.
  4. To check for GraphQL blocks, look for blocks with parameter name #graphql# and create GraphQL deny rule exceptions as required.
  5. Activate the new configuration.
  6. Re-check the log messages and disable the GraphQL log-only mode on the mapping when the logs no longer show false positives.