modules/ROOT/pages/security/securing-a-graphql-api.adoc
11 additions & 11 deletions
@@ -64,9 +64,9 @@ The xref:directives/schema-configuration/field-configuration.adoc#_selectable[`@
64
64
65
65
=== Authentication
66
66
67
-
The xref:security/authentication.adoc[`@authentication` directive] can be applied globally, only to certain fields or only to certain types, and only for certain operations.
67
+
You can apply the xref:security/authentication.adoc[`@authentication` directive] either globally, only to certain fields or only to certain types, and only for certain operations.
68
68
69
-
Add admin authorization for operations on customers, orders, products, categories and suppliers:
69
+
Add authentication as an admin to operations on customers, orders, products, categories and suppliers:
70
70
71
71
* `DELETE` for customers,
72
72
* `UPDATE` and `DELETE` for orders,
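Review bot: the rewritten sentence at file line 67 pairs "either" with three alternatives and then appends "and only for certain operations", which reads as a fourth scope instead of an orthogonal restriction; suggest "You can apply the `@authentication` directive globally, to specific types or to specific fields, and restrict it to specific operations." At file line 69, "Add authentication as an admin to operations" describes a login rather than a rule: the directive rejects requests whose JWT does not carry the expected role (the `roles` claim this section introduces is referenced later at file line 141), so the old "admin authorization" wording was closer to what is checked. Suggest "Require an authenticated request whose JWT carries the admin role for these operations on customers, orders, products, categories and suppliers:".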
@@ -139,7 +139,9 @@ JWT are represented by encoded JSON data.
139
139
These data can have arbitrary fields - which ones they should contain depends on the application preferences.
140
140
141
141
For instance, if the server side is trying to parse the `roles` field that was introduced in xref:#_authentication[], then the JWT should contain that.
142
-
With `@jwtClaim`, you can specify a path to a customer ID in a nested location.
142
+
Specify the types of JWT data with `@jwt`.
143
+
Then you can specify a path to a customer ID in a nested location with `@jwtClaim`.
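Review bot: the new sentence "Specify the types of JWT data with `@jwt`" (file line 142) does not say what the directive does, and "Then" at file line 143 implies a separate step when `@jwtClaim` is a field-level annotation inside the `@jwt` type. Suggest: "Declare the claims your server expects as fields of a type annotated with `@jwt`. For a claim that is nested inside the token, such as a customer ID, add `@jwtClaim(path: ...)` to that field to give its JSON path." While here, file line 141 reads as though the presence of a `roles` field is what matters; one sentence that claims are only trustworthy in a token whose signature has been verified would be worth adding, and the context at file line 139 should be "JWTs are represented by" (plural).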
@@ -323,13 +325,12 @@ type ordersProperties @relationshipProperties {
323
325
Besides authentication and authorization considerations, there are a couple of worthwhile best practices to increase your API's security.
324
326
325
327
326
-
=== Avoid introspection and data field suggestions
328
+
=== Introspection and data field suggestions
327
329
328
330
While the xref:getting-started/graphql-aura.adoc[Getting started page for GraphQL and Aura Console] advocates to both **Enable introspection** as well as **Enable field suggestions**, this is not recommended when considering security.
329
331
330
332
Both potentially expose information that can be used to gain insight on specifics of your GraphQL schema and execute targeted malicious operations.
331
-
Be sure to deactivate both in a customer-facing real-life scenario.
332
-
333
+
We recommend you to deactivate both in a customer-facing real-life scenario unless you have a good reason to use them.
333
334
334
335
335
336
=== Limit query depth
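Review bot: the heading change at file line 328 and the softened sentence at file line 333 weaken a security recommendation without saying what a "good reason" would be, and "We recommend you to deactivate" is ungrammatical ("recommend that you deactivate"). The unchanged lines above (file lines 330 and 332) still state that both features expose schema details usable for targeted malicious operations, so this section, introduced at file line 325 as a list of best practices, should keep a clear default: "Disable both in any customer-facing deployment. If you need introspection for tooling, limit it to trusted environments such as development, or expose it only to authenticated administrators." Keeping "Avoid" in the heading, or at least "Disable", preserves that intent.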
@@ -482,5 +483,4 @@ You can set a timeout via the GraphQL Library driver, see xref:driver-configurat
482
483
483
484
Neo4j has a link:https://neo4j.com/docs/operations-manual/current/authentication-authorization/manage-privileges/[Role-based access control] mechanism that can be leveraged to increase security even further.
484
485
485
-
486
-
486
+
For more security-related topics in GraphQL, refer to the link:https://www.graphql.org/learn/security/[GraphQL Security] page.