Security Filters
Security Filters are a Stellate security feature designed specifically for GraphQL APIs to protect against common GraphQL vulnerabilities and attacks. They give you granular control over which requests reach your API and over the shape of the data they may ask for.
Security Filters first require that HTTP payloads are GraphQL spec compliant, then apply additional GraphQL-specific rules that block queries capable of causing denial of service or memory exhaustion on your origin servers, keeping them running uninterrupted. You configure these limits in your Stellate service, and they are enforced on the structure of every request before it is forwarded to your origin.
GraphQL opens up an attack surface that a single REST endpoint does not: one request can nest, alias and batch an arbitrary amount of work. Security Filters act as a shield in front of your origin against abusive and malformed queries.
Beyond the standard protection
Stellate Security Filters go beyond the protection offered by traditional WAFs by specifically targeting GraphQL-related vulnerabilities. A generic WAF sees a POST to one /graphql endpoint and cannot tell a harmless query from one that nests or aliases enough work to exhaust your origin. This GraphQL-aware approach provides a more comprehensive and tailored security solution for your GraphQL APIs, so you can protect your data and resources with confidence.
Security Filters inspect every HTTP request to your GraphQL API and block those that violate the configured rules. They first ensure the payload adheres to the GraphQL specification, mitigating threats from malformed input, and then apply security limits and rules designed specifically for GraphQL.
Enabling these features in your Stellate service configuration significantly improves your origin's resilience against abusive traffic, mitigating the risks and keeping your APIs secure.
Security Filters benefits
Stellate Security Filters provide the following benefits:
- Protection against attacks: Stellate Security Filters defend against common GraphQL vulnerabilities, such as deeply nested, alias-batched or oversized queries.
- Enhanced security: By implementing Security Filters, GraphQL users strengthen the security of their APIs and block abusive or malicious requests before they reach the origin.
- Compliance: Security Filters help users meet compliance requirements by protecting against security vulnerabilities and limiting what error responses disclose about your schema.
With Stellate Security Filters, abusive GraphQL requests are filtered and blocked at the edge, mitigating risk and keeping your APIs secure.
Before you begin using Security Filters
To effectively use Stellate Security Filters you need familiarity with:
- Common web application vulnerabilities and attack vectors.
- GraphQL security best practices, such as input validation.
Set Security Filters Dashboard options
You can configure Security Filters options in the Stellate Dashboard. The Dashboard allows you to set up and easily manage security settings.
To configure Security Filters options in the Stellate Dashboard, login to your Stellate account and perform the following steps:
- Navigate to your Stellate Services and click on the Service that you want to work with.
- Click on the Config tab and select Security in the left navigation bar.
- Review the options under Security Limits and toggle the security settings that you want to enable.
- Enter the limits and select Apply.
Types of Security Filters options
Security Filters are especially useful when you cannot restrict clients to persisted operations, because arbitrary queries then reach your service and need to be bounded. You can set the following Security Filters options:
- Depth Limit: This filter sets the maximum nesting depth of selection sets in a GraphQL query. A request that exceeds the limit is rejected with an error instead of being forwarded to your origin. Deeply nested queries (for example, repeatedly following a circular relationship) make resolvers fan out exponentially, so bounding depth mitigates that exploitation.
- Body Limit: This filter sets a maximum size for the GraphQL request payload. For POST requests this is the body size; for GET requests it is the query component of the URI. In the config file this option is called requestSize.
- Mask suggestions in Errors: Many GraphQL server implementations answer a query for an unknown field with a "Did you mean ...?" suggestion. An attacker can use those hints to enumerate your schema one field at a time by sending arbitrary queries, even when introspection is disabled. Setting this option to mask replaces the suggestion with MASKED, so disabling introspection is not undone by your error messages.
- Alias Limit: This filter limits the number of aliases in a single GraphQL operation. Aliases let one request ask for the same field many times under different names (alias batching), which multiplies server load, can drive excessive pagination, and packs many logical requests into one HTTP request so that per-request rate limits do not see them. Capping aliases bounds how many such batches a client can request at once.
- Directive Limit: This filter limits the number of directives in a single GraphQL operation. A handful of directives is legitimate usage, and you define how many that is. Every directive, custom ones in particular, is evaluated during query execution, so an operation stuffed with directives places unnecessary load on your server; configuring a maximum is a straightforward cap on that cost.
Once you set your Security Limit options in the Dashboard, you can update and modify them there at any time. You can also use the Config Editor to view, modify or set the same limits in the config file; you are not bound to either the UI or the editor. The following section shows how these limits (depth, directives and the others) appear in the config file.
Configure Security Filters options in the Config Editor
You can easily modify Security Filters options through Config level settings, based on your specific requirements. There are several types of Security Filters security limits that you can set.
To configure Security Filters options in the Stellate Config Editor, login to your Stellate account and perform the following steps:
- Navigate to your Stellate Services and click on the Service that you want to work with.
- Click on the Config tab to open the Config Editor.
- In the Config Editor, add the security key and configure your security rules under it. You can define the following options:
  - depth: { max: <numerical value>, enabled: true }
    Set the maximum nesting depth of selection sets in a GraphQL query.
  - aliases: { max: <numerical value>, enabled: true }
    Limit the number of aliases in a single GraphQL operation.
  - requestSize: { max: <numerical value>, enabled: true }
    Limit the size of the GraphQL request payload (the body for POST requests, the query component of the URI for GET requests). This is the Body Limit option in the Dashboard.
  - directives: { max: <numerical value>, enabled: true }
    Limit the number of directives in a single GraphQL operation.
  - suggestionsInErrors: { mode: 'mask', enabled: true }
    Set this filter to mask to replace field-name suggestions in error messages with MASKED, preventing schema information from leaking when introspection is disabled.
You can also use the CLI in your continuous integration (CI) process to set these security limits.
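As an added example (not code from Stellate or from this page), the following JavaScript collects the five options above into a single security object using the documented key names, together with a simplified, stand-alone approximation of how such limits are evaluated against a raw request and how field-name suggestions are masked. The measuring and masking functions, the sample queries, the byte-based size measurement and the exact MASKED replacement text are all assumptions made for illustration; Stellate's real implementation works on the parsed GraphQL document and is not reproduced here.

```javascript
// Added example (not Stellate's code). The `security` object mirrors the keys
// documented in the Config Editor section; the measuring and masking logic is a
// simplified, stand-alone approximation of what a GraphQL-aware filter does.
const security = {
  depth: { max: 5, enabled: true },
  aliases: { max: 10, enabled: true },
  directives: { max: 5, enabled: true },
  requestSize: { max: 2048, enabled: true },   // assumed here to be UTF-8 bytes
  suggestionsInErrors: { mode: 'mask', enabled: true },
};

// Single pass over the raw query text. Strings and comments are skipped so that
// braces, colons and '@' inside them are not counted. Depth counts nested
// selection sets, with the operation's root selection set as level 1 (assumed
// convention). Braces and colons inside argument parentheses belong to
// arguments, variables and object values, not to selection sets or aliases.
function measure(query) {
  let depth = 0, maxDepth = 0, aliases = 0, directives = 0, parens = 0;
  let i = 0;
  const n = query.length;
  while (i < n) {
    const c = query[i];
    if (c === '#') {                               // comment: skip to end of line
      while (i < n && query[i] !== '\n') i++;
    } else if (query.startsWith('"""', i)) {       // block string
      const end = query.indexOf('"""', i + 3);
      i = end === -1 ? n : end + 3;
    } else if (c === '"') {                        // ordinary string, honour escapes
      i++;
      while (i < n && query[i] !== '"') i += query[i] === '\\' ? 2 : 1;
      i++;
    } else if (c === '(') { parens++; i++; }
    else if (c === ')') { parens--; i++; }
    else if (c === '{') {
      if (parens === 0) maxDepth = Math.max(maxDepth, ++depth);
      i++;
    } else if (c === '}') {
      if (parens === 0) depth--;
      i++;
    } else if (c === '@') { directives++; i++; }
    else if (/[A-Za-z_]/.test(c)) {                // Name token
      let j = i + 1;
      while (j < n && /[A-Za-z0-9_]/.test(query[j])) j++;
      let k = j;
      while (k < n && /\s/.test(query[k])) k++;
      if (parens === 0 && query[k] === ':') aliases++;  // alias: Name ':' Field
      i = j;
    } else {
      i++;
    }
  }
  return { depth: maxDepth, aliases, directives,
           requestSize: new TextEncoder().encode(query).length };
}

// Apply every enabled limit; a request is allowed only if no limit is exceeded.
function checkRequest(query, config = security) {
  const measured = measure(query);
  const violations = [];
  for (const rule of ['depth', 'aliases', 'directives', 'requestSize']) {
    const limit = config[rule];
    if (limit && limit.enabled && measured[rule] > limit.max) {
      violations.push({ rule, actual: measured[rule], max: limit.max });
    }
  }
  return { measured, violations, allowed: violations.length === 0 };
}

// graphql-js appends 'Did you mean "name"?' to unknown-field errors; that hint
// leaks schema field names even with introspection disabled. The exact
// replacement text Stellate emits is not shown on the page; MASKED is assumed.
function maskSuggestions(message, config = security) {
  const rule = config.suggestionsInErrors;
  if (!rule || !rule.enabled || rule.mode !== 'mask') return message;
  return message.replace(/ Did you mean .*\?/, ' MASKED');
}

// Constructed sample requests (not captured traffic).
const okQuery = `query Profile($id: ID!) {
  user(id: $id) {
    name
    posts(first: 10) @include(if: true) { title }
  }
}`;
const deepQuery = '{ a { b { c { d { e { f { g } } } } } } }';
// Alias batching: one HTTP request, twelve login attempts, invisible to a
// per-request rate limit.
const aliasBatchQuery = '{ ' + Array.from({ length: 12 },
  (_, i) => `t${i}: login(user: "admin", pass: "guess${i}") { token }`).join(' ') + ' }';

console.log(checkRequest(okQuery).allowed);              // true
console.log(checkRequest(deepQuery).violations);         // depth 7 > 5
console.log(checkRequest(aliasBatchQuery).violations);   // aliases 12 > 10
```

Run it with node. The alias-batching query is the case a plain request-rate limit misses: it is a single HTTP request that performs twelve login attempts, and only the alias count reveals it.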
Validate your configuration
The Stellate Config Editor lets you validate your configured security rules in real time. Once you have set up some rules, run a GraphQL request that uses aliases, directives or whatever else you limited: the response is either an error, if the request exceeds a configured security limit, or the normal results, if it does not.