Improved Security with GraphQL Armor support for Yoga Server 2

Laurin Quast

We are utterly excited to introduce GraphQL Armor compatibility with Yoga 2.

When the GraphQL Ecosystem Encounters Security

A few weeks ago, the GraphQL Security company Escape released GraphQL Armor, an open-source middleware to add a security layer on top of GraphQL endpoints and mitigate common attacks.

GraphQL Armor blocks abusive requests by putting reasonable and clever limits to Queries. To us, this represents the go-to solution when using persisted operations is not possible, like when building a public GraphQL API. Also, even if you are building an internal API, these tools can be handy for preventing too heavy GraphQL queries. This technical approach is also complementary to the existing set of plugins for hardening endpoints:

Thus, we decided to work together with Escape’s team to continuously improve security standards and defaults for the Yoga and GraphQL community.

Why couldn’t you have production security best practices in Yoga by default?

What Do You Get by Using GraphQL Armor?

Armor comes out of the box with a set of plugins that applies security best practices to any production GraphQL Server:

  • Aliases Limit
  • Character Limit
  • Cost Limit
  • Depth Limit
  • Directives Limit
  • Disabled Field Suggestion

More rules are added weekly. And we are more than open to feedback and contributions!

Note that the default configuration has been designed with conservation in mind: Adding Armor to a production project should not interfere with legitimate requests out of the box.

How Does It Look like to Use GraphQL Armor with Yoga?

GraphQL Armor relies on Envelop plugins for its security rules.

Getting started is dead-simple: npm install -S (or yarn add

Then let’s take a minimalistic Yoga server:

import { createServer } from '@graphql-yoga/node'
import { schema } from './schema'
export function initServer() {
  const server = createServer({
  return server

Adding GraphQL armor is just a matter of adding a few envelop plugins:

import { EnvelopArmor } from ''
import { createServer } from '@graphql-yoga/node'
import { schema } from './schema'
const armor = new EnvelopArmor()
const enhancements = armor.protect()
export function initServer() {
  const server = createServer({
    plugins: [...enhancements.plugins]
  return server

This example can be found in our example repository

Join Us in Building the Future of GraphQL Security

Escape’s team is actively working on improving Armor and its support for Yoga Server This is just the start of a great collaboration between our teams to ensure better security for the whole GraphQL ecosystem. There is much more to come! Feel free to come on Armor’s GitHub to ⭐ star, 🗣️ discuss, 🎉 ask them for new features, and more:

Talk to you soon! 🤟

Join our newsletter

Want to hear from us when there's something new?
Sign up and stay up to date!

*By subscribing, you agree with Beehiiv’s Terms of Service and Privacy Policy.

Similar articles