@ramlino ramlino commented Jun 30, 2025

…ery limiting

  • Add GraphQL Armor integration to GraphqlExpress infrastructure
  • Implement alias query blocking with maxAliases: 0 by default
  • Add query complexity limits (maxDepth, maxCost, maxDirectives, maxArguments)
  • Integrate logger for security violation logging
  • Add comprehensive test suite for GraphQL Armor features
  • Update README with Armor configuration examples
  • Add test scripts for running Armor-specific tests
  • Fix logger integration in Armor error handling

Security Features:

  • Disable GraphQL aliases completely (prevents query batching attacks)
  • Limit query depth and complexity
  • Block field suggestions and introspection in production
  • Custom error handling for security violations
  • Production and development configuration presets
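
The alias and depth limits listed in the description above, sketched as a small dependency-free pre-execution check. This is an added example, not code from this pull request or from GraphQL Armor; the function names, the `maxDepth` value and the sample queries are constructed, and fragment spreads are not followed, so depth is a lower bound.

```javascript
// Simplified illustration only; GraphQL Armor works on the parsed AST instead.
// maxAliases: 0 is the default named in the PR; maxDepth: 4 is a constructed value.
const LIMITS = { maxAliases: 0, maxDepth: 4 };

// Blank out block strings, strings and comments so their contents are never counted.
function stripLiterals(query) {
  return query.replace(/"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*/g, " ");
}

// Count aliases and selection-set nesting in one pass over the query text.
function inspectQuery(query) {
  let parens = 0, depth = 0, maxDepth = 0, aliases = 0;
  for (const ch of stripLiterals(query)) {
    if (ch === "(") parens++;
    else if (ch === ")") parens = Math.max(0, parens - 1);
    else if (parens > 0) continue; // arguments, variable definitions, input objects
    else if (ch === "{") maxDepth = Math.max(maxDepth, ++depth);
    else if (ch === "}") depth = Math.max(0, depth - 1);
    else if (ch === ":" && depth > 0) aliases++; // "name: field" in a selection set
  }
  return { aliases, depth: maxDepth };
}

// Return a list of violation messages; an empty list means the query passes.
function checkLimits(query, limits = LIMITS) {
  const { aliases, depth } = inspectQuery(query);
  const violations = [];
  if (aliases > limits.maxAliases) violations.push(`aliases ${aliases} > ${limits.maxAliases}`);
  if (depth > limits.maxDepth) violations.push(`depth ${depth} > ${limits.maxDepth}`);
  return violations;
}

// Constructed sample queries.
const BATCHED = `query {
  p1: product(id: 1) { name }
  p2: product(id: 2) { name }
  p3: product(id: 3) { name }
}`;
const PLAIN = `query Q($id: ID!) {
  product(id: $id, note: "a: {b} # c") { name } # comment: ignored
}`;
const DEEP = `{ a { b { c { d { e } } } } }`;

for (const [label, q] of [["batched", BATCHED], ["plain", PLAIN], ["deep", DEEP]]) {
  const v = checkLimits(q);
  console.log(label, v.length ? "rejected: " + v.join("; ") : "accepted");
}
```
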

Collaborator

Please add a version for the @escape.tech/graphql-armor@^3 module to keep track of and understand which version was tested and works perfectly with it.

And there's no need to elaborate on the explanation in the "using AutoLoad" example.

Collaborator

Please add a version for the @escape.tech/graphql-armor@^3 module to keep track of and understand which version was tested and works perfectly with it.

Please add documentation, in the form of /** * Config Armor plugin */, to the section regarding Armor settings.
