'Make GraphQL api secure
I started using GQL with Express (It is awesome). So I have a couple questions.
How can I make GQL secure so only I can access the API and playground in general. Like Instagram. You can't access their "playground".
When I was working with rest api, I was sending tokens trough Headers to be secure. Where to put them now?
app.use(
"/graphql",
graphqlHTTP({
schema,
graphiql: true,
})
)
Thank you.
Solution 1:[1]
- I highly suggest that you don't keep your playground open into production. A playground is a web app with its own complexity and thus its own vulnerabilities. See Hacking GraphQL Playground
- Authentication is handled in GraphQL exactly the same as in REST. Actually you can even have a REST authentication over your GraphQL App. You can find a lot more information here about how to manage authentication, authorization, and access control properly in GraphQL here: Authentication, Authorization and Access Control for GraphQL
Solution 2:[2]
For 1) the playground is toggled on or off with that graphiql flag you have there. As for securing it you would want to use a middle where that checks an incoming token of some sort and allows/rejects based on the verification of that token.
- GraphQL works the exact same way as a REST endpoint in that respect. Tokens in the headers is the standard.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | iCarossio |
| Solution 2 | iweir |