Check GraphQL-over-HTTP requests, enforcing several limits and/or restrictions. This effectively helps to reduce the attack surface.

GraphQL Specification "October2021" is used. (But GraphQL only covers formulation of Documents/Queries.)

GraphQL-over-HTTP, which specifies how to submit GraphQL queries via HTTP, has not been released/finalized yet. We therefore use Version a1e6d8ca.

Only GraphQL documents conforming to the 'ExecutableDocument' of the grammar are allowed: This includes the usual 'query', 'mutation', 'subscription' and 'fragment's.

Syntax

graphQLProtection:
  '$ref': <string>
  allowedMethods: <string>
  allowExtensions: <boolean>
  disallow:
    - <filters>
  maxDepth: <number>
  maxMutations: <number>
  maxRecursion: <number>

graphQLProtection:
  '$ref': <string>
  allowedMethods: <string>
  allowExtensions: <boolean>
  disallow:
    - <filters>
  maxDepth: <number>
  maxMutations: <number>
  maxRecursion: <number>

Attributes

Name	Required	Default	Description	Examples
$ref	false	-	Reference a component defined under components.	-
allowedMethods	false	GET, POST	Which HTTP methods to allow. Note that per the GraphQL-over-HTTP spec, you need POST for mutation or subscription queries.	-
allowExtensions	false	false	Whether to allow GraphQL "extensions".	true
maxDepth	false	7	How deep queries can be nested.	-
maxMutations	false	5	Limit how many mutations can be defined in a document query.	2
maxRecursion	false	3	How deep recursive parts of queries can be nested.	-

Child Structure

Element	Cardinality	Description
filters	0..*

Can be used in

abort api case chain components for global if interceptor internal otherwise proxy registration request response serviceProxy soapProxy stompProxy time transport wsStompReassembler