Section – GraphQL

Section - GraphQL Reverse Proxy
  • GraphQL queries, variables and operation names can be extracted from different sources:
  • HTTP query parameters
  • JSON bodies
  • Bodies of content type application/graphql



Enable parser

GraphQL-related traffic is parsed and checked for correct syntax when enabled. All other options like Log only and Enforce schema are only applied if GraphQL parsing is enabled.

Log only

GraphQL requests are checked in Log only mode, but no blocks are enforced based on GraphQL checks.

Note that with the option Check values with deny rules enabled, the Security gate can (still) block GraphQL requests based on the current deny rules. Use Policy Learning to create deny rule exceptions if required. See article GraphQL integration for more information.

Allow mutations

When enabled, GraphQL mutations are allowed.

Allow introspection

When enabled, GraphQL introspections are allowed.

Check values with deny rules

Values in GraphQL requests are checked against the deny rules when enabled. Deny rule exceptions can be created using Policy Learning.

Enforce schema

GraphQL requests are checked against the selected Schema when enabled. Requests are blocked if they are not compliant with the uploaded schema. A GraphQL schema must be selected before this option can be enabled.


A GraphQL schema can be selected and uploaded to validate requests. See GraphQL schema configuration for adding a new schema.