Add security best practices in documentation #133
Merged
Hello!
I am a Lead Developer at Escape, where we run a GraphQL security testing tool. We strongly believe in the importance of making web applications secure and strive to make security best practices as easy to be aware of and to set up as possible.

We have been looking at the Ariadne engine for a long time, and we tried to enhance its documentation with our knowledge of GraphQL security measures. These improvements include presentations of vulnerabilities, possible exploits, and mitigation code samples for the Ariadne engine. We started with the stacktraces disclosure and the field suggestions.

In addition, we are aware of an issue in most GraphQL parsers which can lead to the engine being overloaded and the CPU throttling. To prevent this from impacting server performance, it is recommended to configure a lexer token limit at the parser level. This problem was mitigated for graphql-js. As this is a problem located at the parser's level, we have not included it in the documentation yet. We would encourage you to check it out with the folks from graphql-core.

Finally, we have noticed that @rafalp is assigned in most docs-related MRs and would appreciate his feedback. We would be grateful for any advice you can provide :)

Thanks for this tool, and have a great day!
Maxence and @c3b5aw
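The two disclosures the PR description mentions (stack traces in error extensions and "Did you mean" field suggestions) can both be handled by post-processing the formatted error before it leaves the server. The following is an added example, not code from this PR or from Ariadne; it is pure standard-library Python that sanitises an already-formatted error dict, and the constructed sample error and the assumed Ariadne `error_formatter` hook are noted in the comments.

```python
import copy
import re
from typing import Any, Dict

# graphql-core appends field suggestions as '... Did you mean "x", "y" or "z"?'
# (assumed wording, based on commonly observed messages; verify against your version).
_SUGGESTION_RE = re.compile(r"\s*Did you mean .*?\?$", re.DOTALL)


def strip_field_suggestions(message: str) -> str:
    """Drop the 'Did you mean ...?' suffix so errors stop leaking valid schema names."""
    return _SUGGESTION_RE.sub("", message)


def sanitize_error(formatted: Dict[str, Any], debug: bool = False) -> Dict[str, Any]:
    """Sanitise a formatted GraphQL error dict before it is returned to the client.

    The input is the dict shape Ariadne-style formatters emit: 'message', optional
    'locations'/'path', and in debug mode an 'extensions': {'exception': {...}} block
    holding a traceback. Outside debug mode the exception block is removed and field
    suggestions are stripped; the original dict is left untouched.
    """
    result = copy.deepcopy(formatted)
    result["message"] = strip_field_suggestions(result.get("message", ""))
    if not debug:
        extensions = result.get("extensions")
        if isinstance(extensions, dict):
            extensions.pop("exception", None)  # traceback, context locals, etc.
            if not extensions:
                result.pop("extensions")
    return result


# Constructed sample: what a debug-mode formatter could hand us for a typo'd field.
SAMPLE_ERROR: Dict[str, Any] = {
    "message": 'Cannot query field "emal" on type "User". Did you mean "email"?',
    "locations": [{"line": 1, "column": 9}],
    "extensions": {
        "exception": {"stacktrace": ["Traceback (most recent call last):", "  ..."]},
    },
}

# Assumed wiring (Ariadne's error_formatter hook takes (error, debug) and returns a dict):
#   from ariadne import format_error
#   GraphQL(schema, error_formatter=lambda err, dbg: sanitize_error(format_error(err, dbg), dbg))

if __name__ == "__main__":
    print(sanitize_error(SAMPLE_ERROR))
```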