DEV Community

Cover image for Building Open Source GraphQL Security
TheGuildBot for The Guild

Posted on • Updated on • Originally published at the-guild.dev

Building Open Source GraphQL Security

This article was published on Friday, December 8, 2023 by Nohé Hinniger-Foray @ The Guild Blog

Open-Source GraphQL Security, Importance & Tools

Open-source principles have forged GraphQL as a standard, it's ecosystem and community. Bringing
value via transparency and collective knowledge as well as empowering the community with tools and
practices to build better, bigger & more efficient APIs from day to day. Now that GraphQL APIs are
well-established and with a lots of queries on a daily basis, ensuring their security becomes
crucial.

In this exploration, we'll dive into how these open-source practices are important and benefits for
the security of GraphQL and which community tools you can leverage today to secure your APIs.

GraphQL Is Open-Source at Its Core

The inception and evolution of GraphQL are intrinsically tied to the principles of open-source,
ensuring it flourished not just as a query language but as a community-driven initiative progressing
toward broader, unified API development standards. From its public
specifiction release in 2015 by Facebook to its
transition to the GraphQL Foundation in 2018—hosted by the Linux
Foundation—its journey has been transparent and collaborative.

While the GraphQL specification paved the way for consistent and efficient API queries, the
open-source community enhanced this original draft further. Take the
Relay Pagination Specification, for instance, which
streamlines how pagination can be handled in GraphQL (among other React specific features),
providing a standard methodology that developers can rely on. Similarly, the introduction of custom
directives allowed GraphQL to become more flexible and adaptable to specific use-cases, like the
@rest directive
or
@live queries.

Moreover, the vast majority of widespread GraphQL tools have and are being built under open-source
licences. Servers implementations, frontend clients, utilities like schema management, code
generation or even fully fledged API platforms are legion. You can find a comphrensive list of such
tools on the graphql.org website. The Guild
are also masters when it comes to GrahpQL & Open-source and their tools come highly recommended.

For instance, as GraphQL is transport agnostic, it can be used with any protocol, a tremendous
amount of open-source tools have been built to leverage this flexibility, especially by
@enisdenjo: graphql-http
graphql-ws
graphql-sse

I can also mention the work on unified APIs via GraphQL federation that is also under active
open-source development, with the Open-Federation initiative, and
upcoming
GraphQL Fusion
specification.

And last but not least, the GraphQL community is also very community centered, wether via the
GraphQL working group or the various
events and meetups such as the GraphQL Conf.

In essence, GraphQL isn’t simply open-source in its availability but embodies open-source in its
ongoing development, enhancements, and community engagement, perpetually enriching its ecosystem
with diverse inputs, insights, and innovations.

The Importance of Open Source and Public Resources in Security

Keeping the internet safe is a big challenge. It's like a tightly connected place with lots of
potential threats. Open source and public tools have been doing a great job at protecting it for
years.

Cybersecurity thrives on collaboration, exemplified by the Common Vulnerabilities and Exposures
(CVE) system. This public database acts as a central repository for known
cybersecurity threats, allowing for quick dissemination and response. By making vulnerabilities
public, the CVE system ensures timely and widespread implementation of security measures. For
instance, the identification and patching of the Heartbleed bug in OpenSSL was significantly aided
by the CVE system, showcasing its effectiveness in promoting rapid response.

Open source plays a crucial role in cybersecurity by fostering an environment of transparency and
collaboration. It allows for the open identification and resolution of vulnerabilities, benefiting
the entire digital ecosystem. For example, the Linux Kernel, known for its security, continually
improves through community contributions. Similarly, tools like Kali Linux offer insights into
offensive cybersecurity strategies, helping developers strengthen their defenses.

This combination of open source and CVE is especially vital in areas like GraphQL and API security,
providing a foundation for robust, adaptable cybersecurity strategies. Through shared knowledge and
tools, open source and CVE create a proactive defense against evolving cyber threats.

In a field like cybersecurity, where dangers morph quickly, having shared knowledge, united
alertness, and available-to-all tools become an essential shield against potential attacks. The
marriage of open source and cybersecurity offers a lively platform for ongoing learning, changing,
and sharing attack and defense mechanisms, crafting a global, united front against cyber threats.

Moving forward, we'll dive into how this perfect pairing of open source and cybersecurity is
crucial, not just relevant, for GraphQL and API security. We'll highlight practical tools and
strategies you can use today to protect your applications.

Open Source GraphQL Security Ressources & Tools

There are many GraphQL open-source tools available to help developers and businesses defend against
possible cybersecurity threats. From defensive measures that shield sensitive data to offensive
tools aimed at identifying vulnerabilities, the open-source community has build invaluable resources
to cover a wide variedy of cyber-security needs.

Learning Tools & Resources: Armoring with Knowledge

In the sphere of cybersecurity, especially concerning GraphQL, the adage 'knowledge is power' is
paramount. Continual learning, embracing best practices, and leveraging insights from the community
is an essential shield to secure APIs against vulnerabilities.

  1. Best Practices
*   [Persisted/Trusted queries](https://benjie.dev/graphql/trusted-documents): This feature allows
    you to save bandwidth and improve performance by sending a hash of the query instead of the
    full query. It also has a huge impact on security, as it prevents attackers from sending
    arbitrary queries to your server. Check GraphQL Yoga
    [persisted operations](https://the-guild.dev/graphql/yoga-server/docs/features/persisted-operations)
*   [9 GraphQL Security Best Practices](https://escape.tech/blog/9-graphql-security-best-practices/):
    Dive into Escape’s comprehensive guide which unveils nine pivotal security best practices,
    presenting a blend of actionable insights and theoretical knowledge to fortify GraphQL
    implementations against potential threats.
*   [The Guild’s best practices article](https://the-guild.dev/blog/unleash-the-power-of-fragments-with-graphql-codegen):
    While this resource by The Guild isn’t strictly security-focused, it provides invaluable best
    practices on GraphQL clients that, when adeptly applied, augment the robustness and efficiency
    of GraphQL APIs, subsequently enhancing their inherent security.
*   [Official authorization docs](https://graphql.org/learn/authorization/) The official GraphQL
    documentation provides a comprehensive guide to authorization, which is a crucial aspect of
    security in your API. Generally speaking, knowing the specification and documentation is a key
    to understanding how your application works and therefore how to secure it.
Enter fullscreen mode Exit fullscreen mode
  1. API Security Academy

    The API Security Academy, an open-source platform developed by Escape, navigates through the
    multifaceted world of GraphQL security. A wellspring of knowledge, it offers structured learning
    paths, exploring vulnerabilities, attack vectors, and preventive strategies, thereby forging a
    security-savvy developer who can intuitively construct and validate secure APIs.

  2. Blogs and More

    Explore the many insights and experiences shared by experts through different channels:

*   **Blogs**: Immerse yourself in rich content through blogs from
    [Escape](https://escape.tech/blog/) and [The Guild](https://the-guild.dev/blog/), offering a
    spectrum of perspectives, learnings, and strategies around GraphQL and cybersecurity.
*   **Videos**: Discover visual insights through a collection of videos curated by
    [GraphQL WTF](https://graphql.wtf/). Although not strictly centered around security,
    understanding various facets of GraphQL enhances your capability to architect, implement, and
    secure GraphQL APIs more effectively.
Enter fullscreen mode Exit fullscreen mode

Online security is always changing, often at a rapid pace. By adhering to best practices, engaging
with learning platforms and tapping into the collective knowledge shared through blogs and videos,
we arm ourselves and our APIs against the multifaceted cybersecurity threats that persist in the
digital realm.

This path of continuous learning and adaptation ensures that as developers and cybersecurity
professionals, we remain up to date to secure our GraphQL APIs against both prevalent and emerging
threats.

Defensive Tools

  1. GraphQL Armor

    Developed by our tech team at Escape, GraphQL Armor is a middleware plugin designed to be an
    immediate security upgrade for your GraphQL server. Acting like a personal bodyguard for your
    data, it integrates seamlessly with Envelop — a
    flexible plugin system introduced by The Guild for crafting high-quality, performant GraphQL
    extensions. GraphQL Armor adheres to the ethos of providing accessible, user-friendly security
    solutions that can be efficiently integrated into your GraphQL setup, safeguarding it from
    potential vulnerabilities and threats.

  2. GraphQL Shield

    GraphQL Shield empowers developers with a permission layer for applications, securing APIs by
    utilizing an intuitive rule-API that activates the Shield engine on every request. Moreover, it
    smartly caches data to keep your application sprightly and ensures internal data remains under
    wraps, enhancing both performance and security.

With open-source defensive tools like GraphQL Armor and GraphQL Shield, businesses and developers
can reinforce the security of their GraphQL APIs, protecting data and operations from unauthorized
access and potential malicious activities. Navigating through the extensive open-source ecosystem
and leveraging these security tools not only fortifies your GraphQL APIs but also enriches the
collective knowledge and defense mechanisms of the community, aligning with the spirit of
collaborative development and security.

In the upcoming section, we’ll delve into offensive tools and resources for learning to equip you
with a holistic arsenal for safeguarding your GraphQL APIs.

Offensive Tools: A Proactive Step towards Fortified Defense

When it comes to ensuring an unbreakable security perimeter, adopting an offensive approach is
pivotal. By putting our defenses to the test and simulating possible attacks, we preemptively expose
potential vulnerabilities and weaknesses before they can be exploited maliciously. This strategy is
basically following the idea: the best defense is a good offense. Let’s uncover two powerful
open-source tools that allow us to proactively secure our GraphQL APIs by adopting an offensive
stance.

  1. Goctopus

    Say hello to Goctopus, our open-source GraphQL endpoint discovery and fingerprinting tool. This
    tentacled marvel meticulously hunts down GraphQL endpoints, fingerprinting their authentication
    methods and schema availability, ensuring not a single detail slips through its grasp. Built by
    the Escape team, Goctopus lends developers and businesses a watchful eye, enabling them to
    identify and comprehend the specifics of GraphQL endpoints with precision, ensuring that they
    can reinforce any possible points of vulnerability within their organization before they become
    a target.

  2. Clairvoyance

    Meet Clairvoyance, a savvy tool designed to peek into GraphQL APIs even when introspection is
    disabled, which is a common security measure (e.g.,
    Apollo Server automatically disables introspection in production environments).
    Clairvoyance subtly and skillfully retrieves schema information from these APIs, providing
    developers with insights into the API structure and potential vulnerability points. This becomes
    particularly vital when dealing with APIs that have sought to shield their schema details as a
    security measure.

Both Goctopus and Clairvoyance offer distinctive capabilities, allowing developers and cybersecurity
professionals to proactively and meticulously assess and bolster their GraphQL API defenses. By
utilizing these offensive tools, we position ourselves a step ahead, ensuring that our APIs are not
just constructed with security in mind but are continually assessed and enhanced to defend against
evolving cybersecurity threats.

As we move forward, our journey will venture into open-source learning resources and best practices
in GraphQL security, ensuring that your armory is not just stocked with tools but also with
knowledge and strategies to implement them effectively.

Wrapping up and Joining Forces

Huge shoutout to The Guild for hosting this dive into the depths of
GraphQL and open-source magic. Their work, and the work of countless others in our robust community,
propels GraphQL to new heights daily. Your code, knowledge, and keen eyes are the gears moving this
ecosystem forward.

But hey, let’s not stop there! Contribute, Engage, Elevate. That’s the open-source mantra. Your
expertise could well be the next big leap forward for GraphQL tools and platforms. Check out these
awesome GraphQL projects on graphql.org/code and the
Awesome GraphQL security list!
Here at Escape, our open-source initiatives and SaaS solutions are all about
injecting the GraphQL space with robust, unshakeable security defenses. But it's a team sport, and
every contribution counts.

Let’s keep the momentum, elevate our game in cybersecurity, and shape a future where GraphQL isn’t
just powerful and efficient but an unassailable fortress in API development.

Thanks for tagging along on this adventure. Together, let's build a safer, and better GraphQL
ecosystem.

Top comments (0)