
Security Filters

Security Filters are Stellate's security solution designed specifically for GraphQL APIs to protect against common vulnerabilities and attacks. They provide granular control over API access and data validation.

Security Filters enforce a set of rules, starting with the requirement that HTTP payloads are GraphQL spec compliant. Additional rules prevent GraphQL-specific threats that can cause denial of service or memory exhaustion, safeguarding your origin servers and keeping them running without interruption. These rules are configurable options in your Stellate service that limit query structure at the request level.

As GraphQL opens up additional threats that can be exploited by external parties, Security Filters act as a shield, preventing unauthorized access.

💡

Security Filters are particularly useful when you are unable to use persisted operations for any reason. They provide an extra security configuration layer for your APIs.

Beyond the standard protection

Stellate Security Filters go beyond the standard protection offered by traditional WAFs by specifically targeting GraphQL-related vulnerabilities. This approach provides a more comprehensive and tailored security solution for your GraphQL APIs, enabling you to confidently protect your data and resources.

Security Filters enhance the security of your GraphQL queries by filtering and blocking HTTP traffic. Stellate Security Filters ensure payload adherence to the GraphQL specification, mitigating potential threats from external parties. We apply sophisticated security limits and rules designed for GraphQL.

Integration of these security features into your Stellate Service configurations can significantly enhance system resilience against potential threats, mitigating potential risks and keeping your APIs secure.

Security Filters Benefits

Stellate Security Filters provide the following benefits:

Protection against Attacks

Stellate Security Filters provide defense against common vulnerabilities.

Enhanced Security

By implementing Security Filters, GraphQL users can strengthen the security of their APIs and prevent unauthorized access or malicious activities.

Compliance

Security Filters help users meet compliance requirements by offering protection against security vulnerabilities and ensuring data privacy.

With Stellate Security Filters, your GraphQL queries are filtered and blocked effectively, mitigating potential risks and keeping your APIs secure.

💡

Consider a scenario where a product is linked to a brand, and these brands, in turn, have linked products. To prevent malicious attempts at fetching excessively nested data, engineers can set a depth limit within the Security Filters settings. Queries exceeding this depth will trigger an error, establishing a robust defense against potential data exploitation.

Get Started

You can configure Security Filters options in the Stellate Dashboard. The Dashboard allows you to set up and easily manage security settings.

[Diagram: Security Filters options]

To configure Security Filters options in the Stellate Dashboard, log in to your Stellate account and perform the following steps:

  1. Navigate to your Stellate Services and click on the Service that you want to work with.
  2. Click on the Config tab and select Security in the left navigation bar.
  3. Review the options under Security Limits and toggle the security settings that you want to enable.
  4. Enter the limits and select Apply.

Types of Security Filters options

These options are also useful when you cannot use persisted operations. You can set the following Security Filters options:

Depth Limit

This filter lets you set the maximum nesting depth of your GraphQL queries. Queries that exceed the configured depth receive an error message instead of being forwarded. By configuring the depth limit, potential exploitation of deeply nested data can be mitigated.

Body Limit

This filter lets you set a maximum size for the GraphQL request payload. For POST requests this is the body size; for GET requests it is the size of the query component of the URI.

Mask suggestions in Errors

This filter helps when your GraphQL server implementation returns field-name suggestions in error messages, which let a client explore your schema by sending arbitrary queries and expose schema information. Setting this option to mask replaces the suggestion with MASKED and prevents leaking information when you have introspection disabled.

Alias Limit

This filter lets you limit the number of aliases that you can use in your GraphQL query. Stellate Security Filters also facilitate control over pagination by restricting the number of aliases allowed. This is particularly useful for managing server load and resource consumption, as it limits the number of batches a user can request in a single query. Stellate Security Filters not only provide a defense against deep nesting and excessive pagination but also equip GraphQL services with tools to manage directive usage efficiently.

Directive Limit

This filter lets you limit the number of directives that you can use in your GraphQL query. A certain number of directives per query is legitimate usage, and you define what that number is. Setting a directive limit addresses potential stress on the server caused by the misuse of directives. By controlling the usage of directives, especially custom ones, Security Filters prevent unnecessary burden on the server during query evaluation. Configuring the maximum allowed directives offers a straightforward solution to this concern.

Configure using Editor

You can easily modify Security Filters options through Config level settings, based on your specific requirements. There are several types of Security Filters security limits that you can set.

[Diagram: Setting security filters in Config Editor]

To configure Security Filters options in the Stellate Config Editor, log in to your Stellate account and perform the following steps:

  1. Navigate to your Stellate Services and click on the Service that you want to work with.

  2. Click on the Config tab to open the Config Editor.

  3. In the Config Editor, enter the security:{ key and configure your security rules. You can define the following types of security options:

    depth: { max: <numerical value>, enabled: true } Set the maximum nesting depth of your GraphQL queries.

    aliases: { max: <numerical value>, enabled: true } Limit the number of aliases that you can use in your GraphQL query.

    requestSize: { max: <numerical value>, enabled: true } Limit the request size (the number of characters or bytes) of your GraphQL query.

    directives: { max: <numerical value>, enabled: true } Limit the number of directives that you can use in your GraphQL query.

    suggestionsInErrors: { mode: 'mask', enabled: true } Set the mode to mask to prevent information leaks when introspection is disabled.

    You can also use the CLI in your continuous integration (CI) process to set these security limits.
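The following added example is not Stellate's code: it shows a `security` block in the shape the Config Editor expects (the max values are assumptions) together with an illustrative checker that measures a query's depth, aliases, directives and byte size and reports which enabled limits it exceeds. The checker is a deliberately simple approximation of how such limits are evaluated, not Stellate's parser.

```javascript
// Constructed `security` block in the Config Editor's shape; the max values are assumptions.
const security = {
  depth: { max: 4, enabled: true },
  aliases: { max: 3, enabled: true },
  directives: { max: 2, enabled: true },
  requestSize: { max: 300, enabled: true },
};

// Rough structural metrics of a GraphQL document. Illustrative approximation only:
// it ignores string literals and comments, so it is not a substitute for a real parser.
function measureQuery(query) {
  // Drop argument lists and variable definitions so `(id: 1)` is not counted as an alias.
  const body = query.replace(/\([^)]*\)/g, "");
  let depth = 0;
  let maxDepth = 0;
  for (const ch of body) {
    if (ch === "{") maxDepth = Math.max(maxDepth, ++depth); // entering a selection set
    else if (ch === "}") depth--;                            // leaving one
  }
  return {
    depth: maxDepth,                                       // top-level selection set counts as 1
    aliases: (body.match(/\b[A-Za-z_]\w*\s*:\s*[A-Za-z_]/g) || []).length, // `alias: field`
    directives: (body.match(/@[A-Za-z_]\w*/g) || []).length,               // `@name`
    requestSize: new TextEncoder().encode(query).length,   // bytes of the raw payload
  };
}

// Returns the names of the enabled limits the query exceeds, in config order.
function checkLimits(query, config) {
  const metrics = measureQuery(query);
  return Object.entries(config)
    .filter(([name, rule]) => rule.enabled && metrics[name] > rule.max)
    .map(([name]) => name);
}

// Constructed sample: the product -> brand -> product nesting from the page, five levels deep.
const deepQuery = `
  query ProductBrands {
    products(first: 10) {
      brand { products { brand { name } } }
    }
  }`;

console.log(measureQuery(deepQuery));        // depth 5, no aliases or directives
console.log(checkLimits(deepQuery, security)); // ["depth"]
```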

Validate your configuration

The Stellate Config Editor lets you validate your configured security rules in real time. Once you have set up security rules, run a GraphQL request that uses aliases, directives or any other limited feature: you immediately get a response, which is either an error if the request exceeds a configured security limit or the query results if it does not.
