Improved Security with GraphQL Armor support for Yoga Server 2

Laurin QuastWednesday, Aug 24th 2022

Looking for experts? We offer consulting and trainings.
Explore our services and get in touch.

We are utterly excited to introduce GraphQL Armor (opens in a new tab) compatibility with Yoga 2.

When the GraphQL Ecosystem Encounters Security

A few weeks ago, the GraphQL Security company Escape (opens in a new tab) released GraphQL Armor, an open-source middleware to add a security layer on top of GraphQL endpoints and mitigate common attacks.

GraphQL Armor blocks abusive requests by putting reasonable and clever limits to Queries. To us, this represents the go-to solution when using persisted operations (opens in a new tab) is not possible, like when building a public GraphQL API. Also, even if you are building an internal API, these tools can be handy for preventing too heavy GraphQL queries. This technical approach is also complementary to the existing set of plugins for hardening endpoints:

GraphQL Authz and use-operation-field-permissions (opens in a new tab) for Access Control & Business logic
use-generic-auth (opens in a new tab) and use-auth0 (opens in a new tab) for Authorization

Thus, we decided to work together with Escape's team to continuously improve security standards and defaults for the Yoga and GraphQL community.

Why couldn't you have production security best practices in Yoga by default?

What Do You Get by Using GraphQL Armor?

Armor comes out of the box with a set of plugins that applies security best practices to any production GraphQL Server:

Aliases Limit
Character Limit
Cost Limit
Depth Limit
Directives Limit
Disabled Field Suggestion

More rules are added weekly. And we are more than open to feedback and contributions!

Note that the default configuration has been designed with conservation in mind: Adding Armor to a production project should not interfere with legitimate requests out of the box.

How Does It Look like to Use GraphQL Armor with Yoga?

GraphQL Armor relies on Envelop plugins for its security rules.

Getting started is dead-simple: npm install -S @escape.tech/graphql-armor (or yarn add @escape.tech/graphql-armor)

Then let's take a minimalistic Yoga server:

import { createServer } from '@graphql-yoga/node'
 
import { schema } from './schema'
 
export function initServer() {
  const server = createServer({
    schema
  })
  return server
}

Adding GraphQL armor is just a matter of adding a few envelop plugins:

import { EnvelopArmor } from '@escape.tech/graphql-armor'
import { createServer } from '@graphql-yoga/node'
 
import { schema } from './schema'
 
const armor = new EnvelopArmor()
const enhancements = armor.protect()
 
export function initServer() {
  const server = createServer({
    schema,
    plugins: [...enhancements.plugins]
  })
  return server
}

This example can be found in our example repository github.com/dotansimha/graphql-yoga (opens in a new tab)

Join Us in Building the Future of GraphQL Security

Escape's team is actively working on improving Armor and its support for Yoga Server This is just the start of a great collaboration between our teams to ensure better security for the whole GraphQL ecosystem. There is much more to come! Feel free to come on Armor's GitHub to ⭐ star, 🗣️ discuss, 🎉 ask them for new features, and more:

github.com/Escape-Technologies/graphql-armor (opens in a new tab)

Talk to you soon! 🤟

Announcing self-hosted GraphQL Hive JavaScript runs everywhere, so should your servers - here is how