Secure by default

Any tool would make or at least try to make this claim, right? So how does WunderGraph make a difference in terms of security?

How GraphQL Servers work

To get a better understanding of why WunderGraph is "secure by default", we first need to look at the steps involved in executing a GraphQL Query from the perspective of a GraphQL Server:

  1. accept the request
  2. read the request body
  3. parse the request JSON
  4. extract the Query from the JSON
  5. lex the Query
  6. parse the Query
  7. normalize the Query
  8. validate the Query
  9. execute the Query
  10. build the JSON response
  11. send the response to the client

Of those steps, lexing, parsing and validating a Query are the ones most exposed to attacks of any sort that try to inject unexpected input.

If an attacker gets around validation in some way, they are able to execute an injection attack comparable to what was previously known as SQL Injection. Because of the dynamic character of GraphQL, every GraphQL implementation and framework is exposed to this threat.

Nowadays there are numerous implementations of the GraphQL specification in any possible language.

Can you trust the implementation or framework you use?

As of today there is no standard to validate the correct implementation of the GraphQL specification under all possible circumstances. The community would really benefit from such a tool by which implementations could for example be certified.

All you can do is use extensive testing, fuzzing etc. to make sure the implementation is as correct as possible. But is it really your business to make sure an implementation is correct?

Is there a simpler way to get the benefits of GraphQL without making your systems vulnerable?

Don't expose GraphQL at all

With WunderGraph you have to persist all Queries by default. There's no way around it. Queries get defined and persisted by a developer in the WunderGraph console. Clients cannot register their own Queries at runtime.

This reduces the additional attack surface of GraphQL to zero. To the API consumer it looks like any other REST or RPC endpoint.

All the steps like lexing, parsing, validation, etc. happen when the developer saves a new Query. The Query is then automatically prepared on your WunderNode.

At runtime all that happens is the execution of the prepared Query.
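The following is an added example, not WunderGraph's code, showing the shape of the "persisted operations only" endpoint described above: operations are checked once when the developer saves them, and at runtime the endpoint only looks up a prepared operation by name, checks its variables and executes it. The sample data, operation names and the simple variable-schema format (`{ id: "string" }`) are constructed for illustration.

```javascript
// Added example: a minimal persisted-operations gateway. Not WunderGraph's
// code; data, operation names and the variable-schema format are constructed.

// Constructed sample data standing in for an upstream data source.
const USERS = {
  "1": { id: "1", name: "Ada" },
  "2": { id: "2", name: "Linus" },
};

// Operations a developer defined and saved at build time. The `resolve`
// function is the already-prepared form of each query: the query text was
// lexed, parsed and validated when it was saved, not per request.
const PERSISTED_OPERATIONS = {
  UserById: {
    query: "query UserById($id: ID!) { user(id: $id) { id name } }",
    variables: { id: "string" }, // constructed: expected JSON type per variable
    resolve: ({ id }) => ({
      // Own-property check so ids like "constructor" never hit the prototype chain.
      user: Object.prototype.hasOwnProperty.call(USERS, id) ? USERS[id] : null,
    }),
  },
  AllUsers: {
    query: "query AllUsers { users { id name } }",
    variables: {},
    resolve: () => ({ users: Object.values(USERS) }),
  },
};

// Build-time check, run once when operations are saved: each entry must be a
// named query or mutation whose name matches its key. Entries are frozen so
// nothing at runtime can add or alter an operation.
function prepareOperations(ops) {
  for (const [name, op] of Object.entries(ops)) {
    const m = /^\s*(query|mutation)\s+([A-Za-z_]\w*)/.exec(op.query);
    if (!m || m[2] !== name) {
      throw new Error(`persisted operation ${name}: query text is not a named operation called ${name}`);
    }
    Object.freeze(op);
  }
  return Object.freeze(ops);
}

const OPERATIONS = prepareOperations(PERSISTED_OPERATIONS);

// Runtime variable check: only the declared variables, each of the declared type.
function variableErrors(schema, variables) {
  if (variables === null || typeof variables !== "object" || Array.isArray(variables)) {
    return ["variables must be a JSON object"];
  }
  const errors = [];
  for (const key of Object.keys(variables)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) errors.push(`unexpected variable ${key}`);
  }
  for (const [key, type] of Object.entries(schema)) {
    if (typeof variables[key] !== type) errors.push(`variable ${key} must be ${type}`);
  }
  return errors;
}

// Everything the endpoint does at runtime: look up a prepared operation by
// name, check its variables, execute it. Raw query text is refused outright,
// so the lexer, parser and validator are never reachable from the network.
function handleRequest(rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch {
    return { status: 400, error: "request body is not valid JSON" };
  }
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { status: 400, error: "request body must be a JSON object" };
  }
  if ("query" in body) {
    return { status: 400, error: "raw GraphQL queries are not accepted; use a persisted operation" };
  }
  const name = body.operationName;
  // hasOwnProperty guards against names like "constructor" resolving via the prototype.
  if (typeof name !== "string" || !Object.prototype.hasOwnProperty.call(OPERATIONS, name)) {
    return { status: 404, error: "unknown operation" };
  }
  const op = OPERATIONS[name];
  const variables = body.variables ?? {};
  const errors = variableErrors(op.variables, variables);
  if (errors.length > 0) return { status: 400, error: errors.join("; ") };
  return { status: 200, data: op.resolve(variables) };
}
```

The client-facing contract is `{ "operationName": "...", "variables": { ... } }`, which is why the endpoint looks like any REST or RPC call to the consumer; a request that carries a `query` field is rejected before anything else is looked at.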

All implementations and frameworks are easy to attack as long as there is no standardized way of guaranteeing their correctness.

If you use WunderGraph, this attack vector can be eliminated because your server never gets directly exposed to the client.