DEV Community

Cover image for Improved Security with GraphQL Armor support for Yoga Server 2
TheGuildBot for The Guild

Posted on • Updated on • Originally published at the-guild.dev

Improved Security with GraphQL Armor support for Yoga Server 2

This article was published on Wednesday, August 24, 2022 by Laurin Quast @ The Guild Blog

We are utterly excited to introduce
GraphQL Armor compatibility with Yoga 2.

When the GraphQL Ecosystem Encounters Security

A few weeks ago, the GraphQL Security company Escape released GraphQL Armor,
an open-source middleware to add a security layer on top of GraphQL endpoints and mitigate common
attacks.

GraphQL Armor blocks abusive requests by putting reasonable and clever limits to Queries. To us,
this represents the go-to solution when using
persisted operations is not possible, like
when building a public GraphQL API. Also, even if you are building an internal API, these tools can
be handy for preventing too heavy GraphQL queries. This technical approach is also complementary to
the existing set of plugins for hardening endpoints:

Thus, we decided to work together with Escape's team to continuously improve security standards and
defaults for the Yoga and GraphQL community.

Why couldn't you have production security best practices in Yoga by default?

What Do You Get by Using GraphQL Armor?

Armor comes out of the box with a set of plugins that applies security best practices to any
production GraphQL Server:

  • Aliases Limit
  • Character Limit
  • Cost Limit
  • Depth Limit
  • Directives Limit
  • Disabled Field Suggestion

More rules are added weekly. And we are more than open to feedback and contributions!

Note that the default configuration has been designed with conservation in mind: Adding Armor to a
production project should not interfere with legitimate requests out of the box.

How Does It Look like to Use GraphQL Armor with Yoga?

GraphQL Armor relies on Envelop plugins for its security rules.

Getting started is dead-simple: npm install -S @escape.tech/graphql-armor (or
yarn add @escape.tech/graphql-armor)

Then let's take a minimalistic Yoga server:

import { createServer } from '@graphql-yoga/node'
import { schema } from './schema'

export function initServer() {
  const server = createServer({
    schema
  })
  return server
}
Enter fullscreen mode Exit fullscreen mode

Adding GraphQL armor is just a matter of adding a few envelop plugins:

import { EnvelopArmor } from '@escape.tech/graphql-armor'
import { createServer } from '@graphql-yoga/node'
import { schema } from './schema'

const armor = new EnvelopArmor()
const enhancements = armor.protect()

export function initServer() {
  const server = createServer({
    schema,
    plugins: [...enhancements.plugins]
  })
  return server
}
Enter fullscreen mode Exit fullscreen mode

This example can be found in our example repository
github.com/dotansimha/graphql-yoga

Join Us in Building the Future of GraphQL Security

Escape's team is actively working on improving Armor and its support for Yoga Server This is just
the start of a great collaboration between our teams to ensure better security for the whole GraphQL
ecosystem. There is much more to come! Feel free to come on Armor's GitHub to ⭐ star, 🗣️ discuss,
🎉 ask them for new features, and more:

github.com/Escape-Technologies/graphql-armor

Talk to you soon! 🤟

Top comments (0)