Operation Limits

Jakub WieczorekJakub WieczorekFredrik BjörkFredrik Björk
Operation Limits

Securing your GraphQL API is a top priority for everyone. One of the most common attacks malicious actors do to GraphQL APIs is sending complex and deeply nested queries to overload the server and/or database. Operation Limits allow you to protect your GraphQL API from these types of attacks.

Limits the deepest nesting of selection sets in an operation, including fields in fragments.

Here's how depth is calculated:

query GetProduct {
  product(id: "123") {
    # depth 1
    title # depth 2
    brand {
      name # depth 3
    }
  }
}

To configure depth, add the following to your grafbase.config.ts file:

export default config({
  operationLimits: {
    depth: 3,
  },
})

Limits the number of unique fields included in an operation, including fields of fragments. If a particular field is included multiple times via aliases, it's counted only once.

Here's how height is calculated:

query GetProduct {
  product(id: "123") {
    # height 1
    id # height 2
    name # height 3
    title: name # aliases don't count
  }
}

To configure height, add the following to your grafbase.config.ts file:

export default config({
  operationLimits: {
    height: 20,
  },
})

Limits the total number of aliased fields in an operation, including fields of fragments.

Here's how aliases are calculated:

query GetProduct {
  product(id: "123") {
    title: name # alias 1
    something: name # alias 2
    else: name # alias 3
  }
}

To configure aliases, add the following to your grafbase.config.ts file:

export default config({
  operationLimits: {
    aliases: 10,
  },
})

Limits the number of root fields in an operation, including root fields in fragments. If a particular root field is included multiple times via aliases, each usage is counted.

Here's how root fields are calculated:

query GetProducts {
  topBooks {
    # root field 1
    id
  }
  topMovies {
    # root field 2
    id
  }
  topGames {
    # root field 3
    id
  }
}

To configure root fields, add the following to your grafbase.config.ts file:

export default config({
  operationLimits: {
    rootFields: 10,
  },
})

Complexity takes the number of fields as well as the depth and any pagination arguments into account. Every scalar field adds 1 point, every nested field adds 2 points, and every pagination argument multiplies the nested objects score by the number of records fetched.

Here's how root fields are calculated:

query {
  # total: 18
  products(limit: 2) {
    # (Nested: 2 + 1 + 1 + 1 + (author: 2 + 1 + 1)) * limit: 2 = 18
    id # scalar: 1
    title # scalar: 1
    price # scalar: 1
    brand {
      # nested: 4 (2 + 1 + 1)
      id # scalar: 1
      name # scalar: 1
    }
  }
}

To configure complexity, add the following to your grafbase.config.ts file:

export default config({
  operationLimits: {
    complexity: 100,
  },
})

Read more about this feature in the docs.

Operation Limits are available on the Enterprise plan. Contact us to learn more.

We are investing heavily in making GraphQL APIs deployed to Grafbase as secure as possible. Stay tuned for more exciting security feature launches in the coming months.

We'd love to hear your feedback and ideas, so join us on Discord.