Securing Your GraphQL endpoint - Slash graphql

diggy · September 3, 2020, 10:34am

Here are a few tips for securing your Slash GraphQL Backend

Writing Auth Rules

All GraphQL queries and mutations are unrestricted by default. In order to restrict access, please see the the @auth directive.

Restricting CORS from allowlisted domains

Restricting the origins that your Slash GraphQL responds to is a an important step in preventing XSS exploits. Your Slash GraphQL backend will prevent any origins that are not in the allowlist from accessing your GraphQL endpoint.

In order to add origins to the allow list, please see the settings page, under the “CORS” tab. By default, we allow all origins to connect to your endpoint (Access-Control-Allow-Origin: *), and adding an origin will prevent this default behavior. On adding your first origin, we automatically add “https://slash.dgraph.io" as well, so that the API explorer continues to work.

Note: CORS restrictions are not a replacement for writing auth rules, as it is possible for malicious actors to bypass these restrictions. Also note that the CORS restrictions only applies to

This is a companion discussion topic for the original entry at https://dgraph.io/docs/slash-graphql/security/

Topic		Replies	Views
Client Side Token Dgraph Cloud / Slash GraphQL auth	1	503	November 22, 2020
@auth, cors, securing alter operations, and request headers Dgraph kind:question , auth , area:security , ticket:created , cors	6	1521	January 15, 2021
Beginner question: Connecting to Dgraph directly from the front-end App Development discussion , kind:question	7	1836	November 14, 2020
Slash GraphQL Release March 9th 2021 Announce release	6	1125	March 9, 2021
Protect GQL endpoint Dgraph Cloud kind:question , dgraph	1	529	September 21, 2020

Securing Your GraphQL endpoint - Slash graphql

Writing Auth Rules

Restricting CORS from allowlisted domains

Related topics