Secure your GraphQL Implementation with an API Gateway

Let your GraphQL implementation do APIs, not security

I can’t remember the last time I was this excited about a new technology. I don’t think there is anything I don’t like about GraphQL, at least not yet. Keep in mind that I have not been using it every day as part of my job, but I believe the whole strategy is fantastic.

Having a schema in play, and being able to shape API calls on demand, is key to letting applications take advantage of those calls efficiently. It gives developers the freedom to experiment with different data sets very easily, keeps traffic over the wire lean, and avoids superfluous parsing of data that the requesting application would never have used anyway.

There are a few GraphQL implementations I’ve seen that are really neat. I have recently been playing with Hasura, an open source GraphQL engine built and managed under CEO Tanmai Gopal, whom I saw recently at API World in San Jose. They provide a Docker image of the Hasura GraphQL engine that works with a Postgres database. Following the instructions I had it up and running in a matter of minutes, created tables in the Postgres DB and ran GraphQL queries from the embedded test tool.

Although you can build some security into a GraphQL implementation, I can’t help but see that as a weak feature that satisfies a broad requirement with far less thought than it deserves. Handing out an API key, or some other trivial credential, is not adequate access control for an API.

Your GraphQL APIs will be exploited easily if they are not protected properly. At a minimum that means TLS, OAuth tokens with short lifetimes, and rate limiting on inbound connections. On the back end, IP allow-listing and mutually authenticated TLS between the gateway and the GraphQL engine help mitigate last-mile risk: the engine then only accepts connections that actually came through the gateway, so nobody can bypass the gateway’s checks by talking to the engine directly.

My recommendation is to front your GraphQL APIs with a gateway that issues and validates tokens, provides encryption for data in flight, and authenticates and authorizes access against your enterprise identity providers, so that your APIs feed the proper people the proper data.

I can’t wait to play with more GraphQL!

Geoff Duck

Geoff has a long background in development and customer work. With contributions to the original Eclipse project, Geoff has been immersed in development and APIs since 2001. Part of the original Layer 7 team, Geoff has been working as a pre-sales architect since 2012, helping customers succeed with their API security and API management implementations. Hailing from Kelowna, British Columbia, Canada, Geoff enjoys outdoor mountain sports including downhill mountain biking, snowboarding and banked slalom racing, skateboarding and trail running.
