Security
The HTTP server allows requests from all origins by default. It's recommended to limit GraphQL Server access to known origins, protecting against unexpected load.
The `ALLOWED_ORIGINS` environment variable maps to the Express `CorsOptions.origin` option, which sets the `Access-Control-Allow-Origin` CORS header. The following type is compatible:

```
boolean | string | RegExp | (string | RegExp)[]
```

Example:

```
ALLOWED_ORIGINS=https://my-app.com
```
Query result sets have a limit and require pagination using offset arguments. A default limit of 2500 is applied to each query in Hasura metadata.
A configurable node depth limit prevents a highly nested query that would otherwise not be limited. For example, with:

```
QUERY_DEPTH_LIMIT=3
```

the following query is rejected:

```graphql
{
  blocks { # No limit provided, so default applies
    previousBlock {
      previousBlock {
        previousBlock { # Now invalid
          previousBlock {
            id
          }
        }
      }
    }
  }
}
```

The server can also reject queries that are overly complex. Complexity is the sum of pre-determined costs for returning each requested field. You can control this limit using `MAX_QUERY_COMPLEXITY`, to either tighten or relax the default of 5000. It's also possible to provide a custom complexity plan when using the API packages in an existing server.
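As an added example (not code from the project), here is a standalone JavaScript depth check of the kind `QUERY_DEPTH_LIMIT` applies, run over the query above. The counting convention (depth = number of nested selection sets below the root, so `{ blocks { id } }` is depth 1), the function names, and the brace-scanning approach are assumptions; a server-side rule should walk the parsed query AST, which this scanner only approximates.

```javascript
// Added example: a brace-level approximation of a GraphQL selection-set depth
// check (not the project's own validation rule). Depth = number of nested
// selection sets below the root, so "{ blocks { id } }" has depth 1.
// Assumes a syntactically valid query; fragment spreads are not followed,
// and triple-quoted block strings are not handled.

function maxSelectionDepth(query) {
  let braces = 0;      // current selection-set nesting (root counts as 1)
  let deepest = 0;
  let parens = 0;      // inside (...) braces are input-object literals, not selections
  let inComment = false;
  let inString = false;
  for (let i = 0; i < query.length; i++) {
    const ch = query[i];
    if (inComment) { if (ch === '\n') inComment = false; continue; }
    if (inString) { if (ch === '\\') i++; else if (ch === '"') inString = false; continue; }
    if (ch === '#') { inComment = true; continue; }
    if (ch === '"') { inString = true; continue; }
    if (ch === '(') { parens++; continue; }
    if (ch === ')') { parens--; continue; }
    if (parens > 0) continue;  // skip argument values such as where: {id: {_eq: 1}}
    if (ch === '{') { braces++; if (braces > deepest) deepest = braces; }
    else if (ch === '}' && --braces < 0) throw new Error('unbalanced selection set');
  }
  if (braces !== 0) throw new Error('unbalanced selection set');
  return Math.max(deepest - 1, 0);   // do not count the operation's root braces
}

// Mirrors the QUERY_DEPTH_LIMIT decision: allow only when depth <= limit.
function checkDepth(query, limit) {
  const depth = maxSelectionDepth(query);
  return { ok: depth <= limit, depth, limit };
}

// Constructed sample: the query from the section above, five selection sets deep.
const DEEP_QUERY = `{
  blocks { # No limit provided, so default applies
    previousBlock { previousBlock { previousBlock { previousBlock { id } } } }
  }
}`;

console.log(checkDepth(DEEP_QUERY, 3));   // { ok: false, depth: 5, limit: 3 }
console.log(checkDepth('{ blocks { previousBlock { previousBlock { id } } } }', 3)); // ok: true, depth: 3
```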