GraphQL Protection
Protect GraphQL APIs from abuse by analyzing query complexity at the gateway layer. Prevent deeply nested queries and alias flooding before they reach your backend.
Quickstart
Add a graphqlProtection block to your route configuration. The example below rejects any query nested deeper than 8 levels or scoring above 500 in cost, caps a single request at 15 aliases and 5 top-level fields, and blocks introspection.
{
  "graphqlProtection": {
    "maxDepth": 8,
    "maxCost": 500,
    "maxAliases": 15,
    "maxRootFields": 5,
    "blockIntrospection": true
  }
}
Reference
| Field | Type | Default | Required | Description |
|---|---|---|---|---|
| maxDepth | integer | 10 | No | Maximum nesting depth of selection sets in a query. Bounds how many levels of nested resolver calls (and the data fan-out behind them) one request can trigger. |
| maxCost | integer | 1000 | No | Maximum total cost of the fields selected in one request. Mutation and subscription fields carry higher default weights than query fields. |
| maxAliases | integer | 30 | No | Maximum number of field aliases allowed in a single query. Stops alias flooding, where one request repeats an expensive field many times under different names. |
| maxRootFields | integer | 10 | No | Maximum number of top-level fields (queries or mutations) in a single request. |
| blockIntrospection | boolean | false | No | If true, rejects any request that selects __schema or __type, so the schema cannot be enumerated in production. |
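To make the five limits concrete, the following Python script is an added example that is not part of the Nolxy product or its documentation: it applies a graphqlProtection block to a raw query string and returns errors in the shape shown under Common Errors below. Everything about its internals is an assumption for illustration: the tokenizer and recursive-descent parser are hand-written and handle neither fragments nor directives, depth counts the root selection set as 1, cost is the number of selected fields multiplied by a made-up per-operation weight (1 for queries, 2 for mutations and subscriptions; the page states only that those weigh more), and every error code except QUERY_DEPTH_EXCEEDED is invented here. The sample queries are constructed for the example.

```python
"""Toy gateway-side analyzer applying the graphqlProtection limits to a raw query string."""
import re

# Defaults from the Reference table. Per-operation weights are assumed (the page gives no numbers).
DEFAULTS = {"maxDepth": 10, "maxCost": 1000, "maxAliases": 30, "maxRootFields": 10, "blockIntrospection": False}
OPERATION_WEIGHT = {"query": 1, "mutation": 2, "subscription": 2}

_TOKEN_RE = re.compile(
    r'(?P<skip>\s+|,|#[^\n]*)'                                             # whitespace, commas, comments
    r'|(?P<tok>"(?:[^"\\]|\\.)*"|[A-Za-z_][A-Za-z0-9_]*|-?\d+(?:\.\d+)?|\.\.\.|[{}():$!@\[\]=])'
    r'|(?P<bad>.)')                                                        # anything else is rejected

def tokenize(src):
    tokens = []
    for m in _TOKEN_RE.finditer(src):
        if m.lastgroup == "bad":
            raise ValueError(f"unexpected character {m.group()!r} at offset {m.start()}")
        if m.lastgroup == "tok":
            tokens.append(m.group())
    return tokens

class _Parser:
    """Recursive-descent walk over one operation. Fragments and directives are out of scope here."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
        self.operation, self.depth, self.fields = "query", 0, 0
        self.aliases, self.root_fields, self.introspection = 0, 0, False

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of query")
        self.i += 1
        return tok

    def skip_parens(self):                      # argument list or variable definitions, nesting-aware
        level = 0
        while True:
            tok = self.take()
            level += (tok == "(") - (tok == ")")
            if level == 0:
                return

    def parse_document(self):
        if self.peek() in ("query", "mutation", "subscription"):
            self.operation = self.take()
            if self.peek() not in ("{", "("):   # optional operation name
                self.take()
            if self.peek() == "(":              # variable definitions
                self.skip_parens()
        self.parse_selection_set(level=1)
        return self

    def parse_selection_set(self, level):
        if self.take() != "{":
            raise ValueError("expected '{'")
        self.depth = max(self.depth, level)     # the root selection set is depth 1
        while self.peek() != "}":
            self.parse_field(level)
        self.take()

    def parse_field(self, level):
        name = self.take()
        if name == "...":
            raise ValueError("fragment spreads are not supported by this example")
        if self.peek() == ":":                  # alias: realField
            self.take()
            name = self.take()
            self.aliases += 1
        self.fields += 1                        # every aliased copy costs a field of its own
        self.root_fields += (level == 1)
        self.introspection |= name in ("__schema", "__type")
        if self.peek() == "(":
            self.skip_parens()
        if self.peek() == "{":
            self.parse_selection_set(level + 1)

def analyze_query(query):
    p = _Parser(tokenize(query)).parse_document()
    return {"operation": p.operation, "depth": p.depth, "aliases": p.aliases, "rootFields": p.root_fields,
            "introspection": p.introspection, "cost": p.fields * OPERATION_WEIGHT[p.operation]}

def check_query(query, protection):
    """Return the GraphQL-style error list; an empty list means the query may go on to the backend."""
    cfg = {**DEFAULTS, **protection}
    q = analyze_query(query)
    limits = [("depth", "maxDepth", "QUERY_DEPTH_EXCEEDED"),          # this code is from the page;
              ("cost", "maxCost", "QUERY_COST_EXCEEDED"),             # the remaining codes are assumed
              ("aliases", "maxAliases", "QUERY_ALIASES_EXCEEDED"),
              ("rootFields", "maxRootFields", "QUERY_ROOT_FIELDS_EXCEEDED")]
    errors = [{"message": f"Query {k} {q[k]} exceeds maximum {cfg[lim]}", "extensions": {"code": code}}
              for k, lim, code in limits if q[k] > cfg[lim]]
    if cfg["blockIntrospection"] and q["introspection"]:
        errors.append({"message": "Introspection is disabled", "extensions": {"code": "INTROSPECTION_BLOCKED"}})
    return errors

# Constructed sample queries, checked against the Quickstart configuration from this page.
QUICKSTART = {"maxDepth": 8, "maxCost": 500, "maxAliases": 15, "maxRootFields": 5, "blockIntrospection": True}
BENIGN = "query GetUser($id: ID!) { user(id: $id) { name posts(first: 10) { title } } }"
DEEP = "{ " + "n { " * 11 + "x" + " }" * 11 + " }"                   # 12 nested selection sets
ALIAS_FLOOD = "{ " + " ".join(f"a{i}: user(id: 1) {{ name }}" for i in range(20)) + " }"
```

Calling check_query(DEEP, QUICKSTART) yields the single depth error from the Common Errors section, while check_query(ALIAS_FLOOD, QUICKSTART) trips both maxAliases and maxRootFields even though its cost (40) stays well under 500: the two alias-oriented limits catch a flood that a cost budget alone would wave through. Note that all four counts are computed before any resolver runs, which is the point of doing this at the gateway.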
Examples
Production Strict Mode
A typical configuration for a production GraphQL endpoint that disables introspection and tightens the depth and cost limits. Fields left out, here maxAliases and maxRootFields, keep their defaults of 30 and 10. Blocking introspection hinders casual schema enumeration but is not an access control: a client that already knows a field name can still query it, so authorization still belongs in the resolvers.
{
  "graphqlProtection": {
    "maxDepth": 5,
    "maxCost": 250,
    "blockIntrospection": true
  }
}
Common Errors
400 Bad Request
Query Complexity Exceeded
Fix: Nolxy rejects the request at the gateway with a standard GraphQL errors array; the extensions.code value names the limit that was hit. The client needs to simplify the query, or, if the query is legitimate, the route's limit needs to be raised.
HTTP/1.1 400 Bad Request
Content-Type: application/json

{
  "errors": [
    {
      "message": "Query depth 12 exceeds maximum 8",
      "extensions": { "code": "QUERY_DEPTH_EXCEEDED" }
    }
  ]
}
Plan Requirements
GraphQL Protection is available on paid plans.