GraphQL Protection

Protect GraphQL APIs from abuse with query depth limiting, cost analysis, alias flooding prevention, and introspection control — all enforced at the gateway before reaching your backend.

Why It Matters

GraphQL's flexible query language is a double-edged sword. A single malicious query can trigger thousands of database calls, exhaust memory, or leak your entire schema. Nolxy analyzes every GraphQL request in a single O(n) pass before it reaches your backend.

Protection Rules

Max Query Depth (default: 10)

Prevents deeply nested queries that cause N+1 database explosions, where each additional level of nesting multiplies the number of resolver and database calls. Example of such nesting: user { posts { comments { author { posts { ... } } } } }.

Max Query Cost (default: 1000)

Assigns a cost score to each field. Mutations and subscriptions cost more than queries. Rejects queries that exceed the budget.

Max Aliases (default: 30)

Limits the number of field aliases per query. Alias flooding is a common DoS vector that bypasses rate limiting: dozens of aliased copies of the same expensive field execute inside one request, which a per-request rate limit counts as a single call.

Max Root Fields (default: 10)

Limits the number of top-level fields in a single query.

Block Introspection (default: false)

Disables __schema and __type queries. Recommended in production to prevent schema enumeration.

Configuration Example

Configure GraphQL protection per route in your route settings; each key overrides the corresponding default listed above:

{
  "graphqlProtection": {
    "maxDepth": 8,
    "maxCost": 500,
    "maxAliases": 15,
    "maxRootFields": 5,
    "blockIntrospection": true
  }
}

Error Response

When a query is rejected, Nolxy returns a standard GraphQL error response:

HTTP/1.1 400 Bad Request
Content-Type: application/json

{
  "errors": [
    {
      "message": "Query depth 12 exceeds maximum 8",
      "extensions": { "code": "QUERY_DEPTH_EXCEEDED" }
    }
  ]
}

Performance & Correctness

Analysis runs in a single O(n) pass with no external GraphQL parser. Results are cached by query fingerprint (FNV-1a hash) in an LRU cache of 5,000 entries with a 5-minute TTL. Repeated identical queries are analyzed in under 1 microsecond.

Block String Support — The gateway parser specifically handles """ block string syntax, ensuring depth analysis and security rules remain accurate even when queries contain large multi-line text blocks. Without this, braces and quotes inside a block string argument could be mistaken for selection sets and skew the depth count.
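The single-pass analysis behind the depth, alias, root-field and introspection rules, including the block string handling just described, as an added example written for this page (it is not Nolxy's code). The limit keys mirror the configuration example above; the error wording, the treatment of fragment spreads and directives, and the sample queries in the test are assumptions.

```python
KEYWORDS = {"query", "mutation", "subscription", "fragment", "on"}  # never counted as fields

def analyze(query: str) -> dict:
    """Single pass over the query text. Block strings, plain strings, comments
    and braces inside argument parentheses are skipped so they never add depth."""
    i, n, depth, parens, skip = 0, len(query), 0, 0, 0
    r = {"depth": 0, "aliases": 0, "rootFields": 0, "introspection": False}
    while i < n:
        c = query[i]
        if query.startswith('"""', i):                  # block string: jump past closing """
            j = query.find('"""', i + 3); i = n if j < 0 else j + 3
        elif c == '"':                                  # plain string, honour \" escapes
            i += 1
            while i < n and query[i] != '"': i += 2 if query[i] == '\\' else 1
            i += 1
        elif c == '#':                                  # comment runs to end of line
            while i < n and query[i] != '\n': i += 1
        elif c in '()':                                 # argument list (input objects inside)
            parens += 1 if c == '(' else -1; i += 1
        elif c == '{' and parens == 0:                  # a real selection set opens
            depth += 1; r["depth"] = max(r["depth"], depth); i += 1
        elif c == '}' and parens == 0:
            depth -= 1; i += 1
        elif c in '.@': skip = 1; i += 1                # fragment spread / directive name
        elif c.isalpha() or c == '_':
            j = i
            while j < n and (query[j].isalnum() or query[j] == '_'): j += 1
            name, i = query[i:j], j
            while i < n and query[i].isspace(): i += 1
            if skip: skip = 1 if name == "on" else 0    # "... on Type" skips two names
            elif parens or depth == 0 or name in KEYWORDS: pass  # argument, op name, keyword
            elif i < n and query[i] == ':':             # "alias: field"
                r["aliases"] += 1
            elif depth == 1:                            # top-level field of the operation
                r["rootFields"] += 1
                r["introspection"] |= name in ("__schema", "__type")
        else:
            i += 1                                      # whitespace, commas, $, !, [], digits
    return r

def check(query: str, limits: dict) -> list:
    """Rejections in the page's 'Query depth 12 exceeds maximum 8' style (assumed wording)."""
    r = analyze(query)
    errs = [f"{label} {r[k]} exceeds maximum {limits[lim]}" for lim, k, label in
            (("maxDepth", "depth", "Query depth"), ("maxAliases", "aliases", "Alias count"),
             ("maxRootFields", "rootFields", "Root field count")) if r[k] > limits.get(lim, 1e9)]
    if limits.get("blockIntrospection") and r["introspection"]:
        errs.append("Introspection is blocked on this route")
    return errs
```

Cost scoring is omitted because the page does not state how field costs are assigned; the pass above is where such a per-field score would be accumulated.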

Plan Requirements

GraphQL Protection is available on Pro plans and above.