Announcing GraphQL Armor support for GraphQL Yoga 2 - Bringing security by default to GraphQL

Antoine Carossio

2 min read
Announcing GraphQL Armor support for GraphQL Yoga 2 - Bringing security by default to GraphQL

We are utterly excited to introduce GraphQL Armor compatibility with Yoga 2.

When the GraphQL Ecosystem encounters Security

A few weeks ago, we released GraphQL Armor, an open-source middleware to add a security layer on top of GraphQL endpoints and mitigate common attacks.

GraphQL Armor blocks abusive requests by putting reasonable and clever limits on Queries. It was designed as the go-to solution for building secure production GraphQL APIs.

We also wanted it to be universal, but it was yet compatible with Apollo Server only. We were already in touch with the awesome team behind GraphQL Yoga at The Guild. What's best for adding an engine's support than working directly with its authors?

So we naturally decided to partner together towards adding the best support for Yoga 2 to GraphQL Armor.

What do you get by using GraphQL Armor?

Armor comes out of the box with a set of plugins that applies security best practices to any production GraphQL Server:

  • Aliases Limit
  • Character Limit
  • Cost Limit
  • Depth Limit
  • Directives Limit
  • Disabled Field Suggestion

More rules are added weekly. And we are more than open to contributions!

Note that the default configuration has been designed with conservation in mind: Adding Armor to a production project should not interfere with legitimate requests out of the box.

What does it look like to use GraphQL Armor with Yoga?

GraphQL Armor relies on Envelop plugins for its security rules.

Getting started is dead simple: npm install -S @escape.tech/graphql-armor (or yarn add @escape.tech/graphql-armor)

Then let's take a minimalistic Yoga server:

import { createServer } from '@graphql-yoga/node';

import { schema } from './schema';

export function initServer() {
  const server = createServer({
    schema,
  });
  return server;
}

Adding GraphQL armor is just a matter of adding a few envelop plugins:

import { EnvelopArmor } from '@escape.tech/graphql-armor';
import { createServer } from '@graphql-yoga/node';

import { schema } from './schema';

const armor = new EnvelopArmor();
const enhancements = armor.protect();

export function initServer() {
  const server = createServer({
    schema,
    plugins: [...enhancements.plugins],
  });
  return server;
}

This example can be found in The Guild's example repository github.com/dotansimha/graphql-yoga

Join us in building the future of GraphQL Security

Feel free to come on Armor's GitHub to ⭐ star, 🗣️ discuss, 🎉 ask them for new features, and more:
github.com/Escape-Technologies/graphql-armor

Our team is actively working on improving Armor and its support for various GraphQL engines like GraphQL Yoga. Join our Discord community for exclusive GraphQL security content!
https://discord.com/invite/G9FEuFuKfd

And of course the partnership with The Guild does not stop here! A lot more to come ;)

Talk to you soon! 🤟

Found for thoughts

Wanna learn about GraphQL security testing? Read our blog article "How to test your GraphQL API?".