Improved Security with GraphQL Armor support for Yoga Server 2

We are utterly excited to introduce GraphQL Armor compatibility with Yoga 2.
When the GraphQL Ecosystem Encounters Security
A few weeks ago, the GraphQL security company Escape released GraphQL Armor, an open-source middleware that adds a security layer on top of GraphQL endpoints and mitigates common attacks.
GraphQL Armor blocks abusive requests by putting reasonable, well-chosen limits on queries. To us, this is the go-to solution when using persisted operations is not possible, for example when building a public GraphQL API. Even if you are building an internal API, these rules are handy for stopping overly heavy GraphQL queries. This approach is also complementary to the existing set of plugins for hardening endpoints:
- GraphQL Authz and use-operation-field-permissions for access control and business logic
- use-generic-auth and use-auth0 for authorization
Thus, we decided to work together with Escape's team to continuously improve security standards and defaults for the Yoga and GraphQL community.
Why couldn't you have production security best practices in Yoga by default?
What Do You Get by Using GraphQL Armor?
Armor comes out of the box with a set of plugins that apply security best practices to any production GraphQL server:
- Aliases Limit
- Character Limit
- Cost Limit
- Depth Limit
- Directives Limit
- Disabled Field Suggestion
More rules are added weekly. And we are more than open to feedback and contributions!
Note that the default configuration has been designed to be conservative: adding Armor to a production project should not interfere with legitimate requests out of the box.
How Does It Look to Use GraphQL Armor with Yoga?
GraphQL Armor relies on Envelop plugins for its security rules.
Getting started is dead simple:
npm install -S @escape.tech/graphql-armor
or
yarn add @escape.tech/graphql-armor
Then let's take a minimalistic Yoga server:
import { createServer } from '@graphql-yoga/node'
import { schema } from './schema'

export function initServer() {
  const server = createServer({
    schema
  })
  return server
}
Adding GraphQL Armor is just a matter of adding a few Envelop plugins:
import { EnvelopArmor } from '@escape.tech/graphql-armor'
import { createServer } from '@graphql-yoga/node'
import { schema } from './schema'

// Armor's protect() returns the Envelop plugins implementing its rules
const armor = new EnvelopArmor()
const enhancements = armor.protect()

export function initServer() {
  const server = createServer({
    schema,
    plugins: [...enhancements.plugins]
  })
  return server
}
This example can be found in our example repository: github.com/dotansimha/graphql-yoga
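To make the limits above concrete, here is an added example (not GraphQL Armor's code) that measures two of the request properties Armor caps, selection-set depth and alias count, and flags requests that exceed assumed limits. It assumes syntactically valid GraphQL and skips string literals, comments and argument lists rather than parsing them; the depth convention (the operation's own selection set counts as 1) and the limit values are this example's own.

```javascript
// Added example, not part of GraphQL Armor: a minimal scanner for depth and aliases.
function measureQuery(query) {
  let depth = 0, maxDepth = 0, aliases = 0, parens = 0, i = 0;
  const n = query.length;
  while (i < n) {
    const c = query[i];
    if (c === '"') {                       // skip string literal, may contain { } :
      for (i++; i < n && query[i] !== '"'; i++) if (query[i] === '\\') i++;
      i++; continue;
    }
    if (c === '#') { while (i < n && query[i] !== '\n') i++; continue; }  // comment
    if (c === '(') parens++;               // argument / variable list: not a selection set
    else if (c === ')') parens--;
    else if (c === '{' && parens === 0) maxDepth = Math.max(maxDepth, ++depth);
    else if (c === '}' && parens === 0) depth--;
    else if (/[_A-Za-z]/.test(c)) {
      let j = i;
      while (j < n && /[_0-9A-Za-z]/.test(query[j])) j++;
      let k = j;
      while (k < n && /\s/.test(query[k])) k++;
      // an identifier followed by ':' outside an argument list is an alias
      if (parens === 0 && query[k] === ':') aliases++;
      i = j; continue;
    }
    i++;
  }
  return { depth: maxDepth, aliases };   // depth 1 = the operation's own selection set
}

// Assumed limits for this example; Armor ships its own defaults.
const LIMITS = { maxDepth: 6, maxAliases: 15 };

function checkLimits(query, limits = LIMITS) {
  const m = measureQuery(query);
  const violations = [];
  if (m.depth > limits.maxDepth) violations.push(`depth ${m.depth} > ${limits.maxDepth}`);
  if (m.aliases > limits.maxAliases) violations.push(`aliases ${m.aliases} > ${limits.maxAliases}`);
  return { ...m, ok: violations.length === 0, violations };
}

// Constructed sample requests: one legitimate, one alias flood, one nesting bomb.
const LEGIT = 'query Me($id: ID!) { user(id: $id, opts: { deep: { x: 1 } }) { name } }';
const ALIAS_FLOOD = '{ ' + Array.from({ length: 20 }, (_, i) => `u${i}: me { id }`).join(' ') + ' }';
const DEEP = '{ me' + ' { friends'.repeat(6) + ' { name }' + ' }'.repeat(7);

for (const q of [LEGIT, ALIAS_FLOOD, DEEP]) console.log(checkLimits(q));
```

The alias flood repeats the same field twenty times under different names, and the nesting bomb is eight selection sets deep; both pass schema validation, which is exactly why a limit layer in front of execution is needed.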
Join Us in Building the Future of GraphQL Security
Escape's team is actively working on improving Armor and its support for Yoga Server. This is just the start of a great collaboration between our teams to ensure better security for the whole GraphQL ecosystem. There is much more to come! Feel free to come on Armor's GitHub to ⭐ star, 🗣️ discuss, 🎉 ask them for new features, and more:
github.com/Escape-Technologies/graphql-armor
Talk to you soon! 🤟