Depth limiting, cost analysis, alias flooding prevention, and introspection control — all enforced at the gateway in a single O(n) pass. Zero external parser. Zero backend changes.
HTTP/1.1 400 Bad Request
Content-Type: application/json
{
"errors": [
{
"message": "Query depth 12 exceeds maximum 8",
"extensions": {
"code": "QUERY_DEPTH_EXCEEDED"
}
}
]
}Standard GraphQL error format — compatible with all clients
Each rule is independently configurable per route. All defaults are production-safe out of the box.
default: 10
Stops deeply nested queries that cause N+1 database explosions. Analyzed in a single O(n) pass — no external parser.
user { posts { comments { author { posts { ... } } } } }default: 1000
Assigns a cost score to each field. Mutations cost more than queries. Rejects budgets exceeded before execution.
mutation { createOrder { items { product { variants { ... } } } } }default: 30 aliases
Limits field aliases per query. Alias flooding bypasses rate limiting by disguising repeated fields.
{ a: user(id:1) { id } b: user(id:1) { id } ... x100 }default: off
Disables __schema and __type queries. Prevents schema enumeration in production environments.
{ __schema { types { name fields { name } } } }default: 10
Limits top-level fields per query. Prevents batch abuse through a single query with dozens of root resolvers.
{ users orders products invoices analytics ... x20 }Queries are validated instantly without external dependencies.
Identical queries are recognized instantly via in-memory hash lookup. No repeat analysis needed.
Common queries are cached automatically. High hit rate with zero configuration.
Available on paid plans. Enable per-route in your dashboard — no code changes required.