Reject Malicious Operation Documents
A potential solution is to limit the maximal allowed count of tokens within a GraphQL document.
In computer science, lexical analysis, lexing or tokenization is the process of converting a sequence of characters into a sequence of lexical tokens.
E.g. given the following GraphQL operation.
The tokens are
}. Having a total count of 8 tokens.
The optimal maximum token count for your application depends on the complexity of your GraphQL operations and documents. Usually 800-2000 tokens is a sane default.
A handy tool for analyzing your existing GraphQL operations and finding the best defaults for your use case is
Learn more about
You can limit the amount of allowed tokens per operation and automatically abort any further processing of a GraphQL operation document that exceeds the limit with the
Install the plugin first:
npm i @escape.tech/graphql-armor-max-tokens
Then configure it in your
maxTokenCount: 1000 # Number of tokens allowed in a document
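To make the token-counting idea above concrete, here is an added example (not the graphql-armor plugin's own code) of a minimal GraphQL lexer that counts the significant tokens of a document and aborts as soon as a `maxTokenCount` budget is exceeded, before any parsing happens. The sample documents are constructed for illustration.

```javascript
const PUNCTUATORS = new Set(['!', '$', '&', '(', ')', ':', '=', '@', '[', ']', '{', '|', '}']);
const NUMBER = /^-?(0|[1-9][0-9]*)(\.[0-9]+)?([eE][+-]?[0-9]+)?/;
// Lex `source` into its significant tokens. Whitespace, commas and `#` comments are
// "ignored tokens" in the GraphQL grammar and are never counted. When `maxTokenCount`
// is given, lexing aborts the moment the budget is exceeded, so an oversized document
// is never scanned (let alone parsed) in full.
function tokenize(source, maxTokenCount = Infinity) {
  const tokens = [];
  const push = (kind, value) => {
    tokens.push({ kind, value });
    if (tokens.length > maxTokenCount) throw new Error(`Syntax Error: Token limit of ${maxTokenCount} exceeded.`);
  };
  let i = 0;
  while (i < source.length) {
    const c = source[i];
    if (' \t\n\r,\uFEFF'.includes(c)) { i++; continue; }                       // ignored
    if (c === '#') { while (i < source.length && !'\n\r'.includes(source[i])) i++; continue; }
    if (source.startsWith('...', i)) { push('Punctuator', '...'); i += 3; continue; }
    if (PUNCTUATORS.has(c)) { push('Punctuator', c); i++; continue; }
    if (/[_A-Za-z]/.test(c)) {                                                 // Name
      let j = i + 1;
      while (j < source.length && /[_0-9A-Za-z]/.test(source[j])) j++;
      push('Name', source.slice(i, j)); i = j; continue;
    }
    if (/[-0-9]/.test(c)) {                                                    // Int / Float
      const m = NUMBER.exec(source.slice(i));
      if (!m) throw new SyntaxError(`Invalid number at offset ${i}`);
      push(m[2] || m[3] ? 'Float' : 'Int', m[0]); i += m[0].length; continue;
    }
    if (source.startsWith('"""', i)) {                                         // BlockString
      let end = source.indexOf('"""', i + 3);
      while (end !== -1 && source[end - 1] === '\\') end = source.indexOf('"""', end + 1);
      if (end === -1) throw new SyntaxError('Unterminated block string');
      push('BlockString', source.slice(i + 3, end)); i = end + 3; continue;
    }
    if (c === '"') {                                                           // String
      let j = i + 1;
      while (j < source.length && source[j] !== '"' && source[j] !== '\n') j += source[j] === '\\' ? 2 : 1;
      if (source[j] !== '"') throw new SyntaxError('Unterminated string');
      push('String', source.slice(i + 1, j)); i = j + 1; continue;
    }
    throw new SyntaxError(`Unexpected character ${JSON.stringify(c)} at offset ${i}`);
  }
  return tokens;
}
// The figure a maxTokenCount setting is compared against.
function countTokens(source) { return tokenize(source).length; }
// Reject a document before parsing if it exceeds the budget; returns the count otherwise.
function enforceMaxTokens(source, maxTokenCount) { return tokenize(source, maxTokenCount).length; }
```

Because ignored tokens do not count, a token limit bounds parser work rather than request size, so it complements rather than replaces a limit on the HTTP body size.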