GraphQL Protection

Stop GraphQL Abuse.
Before It Hits Your Backend.

Depth limiting, cost analysis, alias flooding prevention, and introspection control — all enforced at the gateway in a single O(n) pass. Zero external parser. Zero backend changes.

Rejected Query Response

HTTP/1.1 400 Bad Request
Content-Type: application/json

{
  "errors": [
    {
      "message": "Query depth 12 exceeds maximum 8",
      "extensions": {
        "code": "QUERY_DEPTH_EXCEEDED"
      }
    }
  ]
}

Standard GraphQL error format — compatible with all clients

5 Protection Rules

Each rule is independently configurable per route. All defaults are production-safe out of the box.

Query Depth Limit

default: 10

Stops deeply nested queries that cause N+1 database explosions. Analyzed in a single O(n) pass — no external parser.

user { posts { comments { author { posts { ... } } } } }
Cost Analysis

default: 1000

Assigns a cost score to each field. Mutations cost more than queries. Rejects budgets exceeded before execution.

mutation { createOrder { items { product { variants { ... } } } } }
Alias Flooding

default: 30 aliases

Limits field aliases per query. Alias flooding bypasses rate limiting by disguising repeated fields.

{ a: user(id:1) { id } b: user(id:1) { id } ... x100 }
Introspection Block

default: off

Disables __schema and __type queries. Prevents schema enumeration in production environments.

{ __schema { types { name fields { name } } } }
Root Field Limit

default: 10

Limits top-level fields per query. Prevents batch abuse through a single query with dozens of root resolvers.

{ users orders products invoices analytics ... x20 }

Built for Speed

Single-pass analysis

Queries are validated instantly without external dependencies.

Query Fingerprinting

Identical queries are recognized instantly via in-memory hash lookup. No repeat analysis needed.

Smart Caching

Common queries are cached automatically. High hit rate with zero configuration.

Who Needs This

Public GraphQL APIs
  • Block schema enumeration with introspection control
  • Prevent DoS via deeply nested queries
  • Rate limit by query cost, not just request count
Internal APIs
  • Enforce query budgets across microservices
  • Prevent accidental N+1 from new developers
  • Audit query complexity in logs
Multi-Tenant Platforms
  • Different limits per route / tenant tier
  • Protect shared infrastructure from noisy neighbors
  • Block introspection for non-admin tenants

Protect Your GraphQL API Today

Available on paid plans. Enable per-route in your dashboard — no code changes required.