Depth Limiting
One harmful aspect of the malicious query above is its nesting, measured as query depth, which makes the query exponentially more expensive to resolve. Each additional layer adds more work for your backend, and the cost compounds quickly when nested fields return lists.

We looked around and found graphql-depth-limit, a lovely module by Andrew Carlson, which enables us to easily limit the maximum depth of incoming queries.

Securing Your GraphQL API from Malicious Queries