Query Depth Limiting

Sometimes persisted operations cannot be used. E.g. if you are building an API that is used by third party users. However, we can still apply some protection.

The maxDepth plugin allows a maximum nesting level an operation is allowed to have.

Getting Started

Install the plugin first;

npm i @escape.tech/graphql-armor-max-depth

Then configure it in your .meshrc.yml file.

plugins:
  - maxDepth:
      n: 10 # Number of depth allowed

This can prevent malicious API users executing GraphQL operations with deeply nested selection sets. You need to tweak the maximum depth an operation selection set is allowed to have based on your schema and needs, as it could vary between users.

A handy tool for analyzing your existing GraphQL operations and finding the best defaults is graphql-inspector.

Learn more about graphql-inspector audit here.