AbsintheSecurity provides utilities to improve the security posture of APIs built with Absinthe GraphQL.
Add `absinthe_security` to the `deps` function in your project's `mix.exs` file:

```elixir
defp deps do
  [
    {:absinthe_security, "~> 0.1"}
  ]
end
```

Then run `mix do deps.get, deps.compile` inside your project's directory.
First, initialize `Absinthe.Plug` with a custom configuration:

```elixir
forward("/graphql",
  to: Absinthe.Plug,
  init_opts: MyAppGraphQL.configuration()
)
```

Your custom configuration (with all of AbsintheSecurity's checks) might look like this:

```elixir
defmodule MyAppGraphQL do
  def configuration do
    [schema: MyAppGraphQL.Schema, pipeline: {__MODULE__, :absinthe_pipeline}]
  end

  def absinthe_pipeline(config, options) do
    options = Absinthe.Pipeline.options(options)

    config
    |> Absinthe.Plug.default_pipeline(options)
    # Checks inserted after the complexity phase run before the document is executed.
    |> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, {AbsintheSecurity.Phase.IntrospectionCheck, options})
    # The suggestions check runs on the finished result, after execution.
    |> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Result, {AbsintheSecurity.Phase.FieldSuggestionsCheck, options})
    |> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, {AbsintheSecurity.Phase.MaxAliasesCheck, options})
    |> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, {AbsintheSecurity.Phase.MaxDepthCheck, options})
    |> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, {AbsintheSecurity.Phase.MaxDirectivesCheck, options})
  end
end
```
Disable schema introspection queries at runtime.

```elixir
config :absinthe_security, AbsintheSecurity.Phase.IntrospectionCheck,
  enable_introspection: System.get_env("GRAPHQL_ENABLE_INTROSPECTION")
```

Pipeline phase:

```elixir
|> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, {AbsintheSecurity.Phase.IntrospectionCheck, options})
```

Reference: https://docs.escape.tech/vulnerabilities/information_disclosure/introspection_enabled

Disable field suggestions in responses at runtime.

```elixir
config :absinthe_security, AbsintheSecurity.Phase.FieldSuggestionsCheck,
  enable_field_suggestions: System.get_env("GRAPHQL_ENABLE_FIELD_SUGGESTIONS")
```

Pipeline phase:

```elixir
|> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Result, {AbsintheSecurity.Phase.FieldSuggestionsCheck, options})
```

Reference: https://docs.escape.tech/vulnerabilities/information_disclosure/graphql_field_suggestion

Restrict the number of aliases that can be used in queries.

```elixir
config :absinthe_security, AbsintheSecurity.Phase.MaxAliasesCheck,
  max_alias_count: 100
```

Pipeline phase:

```elixir
|> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, {AbsintheSecurity.Phase.MaxAliasesCheck, options})
```

Reference: https://docs.escape.tech/vulnerabilities/resource_limitation/graphql_alias_limit

Restrict the nesting depth that can be used in queries.

```elixir
config :absinthe_security, AbsintheSecurity.Phase.MaxDepthCheck,
  max_depth_count: 100
```

Pipeline phase:

```elixir
|> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, {AbsintheSecurity.Phase.MaxDepthCheck, options})
```

Reference: https://docs.escape.tech/vulnerabilities/resource_limitation/graphql_depth_limit

Restrict the number of directives that can be used in queries.

```elixir
config :absinthe_security, AbsintheSecurity.Phase.MaxDirectivesCheck,
  max_directive_count: 100
```

Pipeline phase:

```elixir
|> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, {AbsintheSecurity.Phase.MaxDirectivesCheck, options})
```

Reference: https://docs.escape.tech/vulnerabilities/resource_limitation/graphql_directive_overload
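A `config/runtime.exs` that wires all five checks above to environment variables, as an added example that is not part of the AbsintheSecurity README. The `env_flag` and `env_limit` helpers, the `GRAPHQL_MAX_*` variable names, the default limits, and the assumption that the phases accept booleans and integers are mine, not the library's.

```elixir
# config/runtime.exs: evaluated when the release boots, so the environment
# variables are read at runtime rather than baked in at compile time.
import Config

# Hypothetical helper: only the literal strings "true" or "1" enable a
# feature. "false", a typo or an unset variable all leave it disabled, so a
# misconfigured deployment fails closed.
env_flag = fn name ->
  value = name |> System.get_env("false") |> String.trim() |> String.downcase()
  value in ["true", "1"]
end

# Hypothetical helper: parse a positive integer limit and fall back to a
# default when the variable is absent or malformed ("", "abc", "10x").
env_limit = fn name, default ->
  case Integer.parse(System.get_env(name, "")) do
    {n, ""} when n > 0 -> n
    _ -> default
  end
end

# Assumes the phases accept a boolean for the enable_* keys and an integer
# for the max_*_count keys; passing a boolean avoids the string "false"
# being treated as a truthy value.
config :absinthe_security, AbsintheSecurity.Phase.IntrospectionCheck,
  enable_introspection: env_flag.("GRAPHQL_ENABLE_INTROSPECTION")

config :absinthe_security, AbsintheSecurity.Phase.FieldSuggestionsCheck,
  enable_field_suggestions: env_flag.("GRAPHQL_ENABLE_FIELD_SUGGESTIONS")

# The GRAPHQL_MAX_* variable names and the default limits are illustrative.
config :absinthe_security, AbsintheSecurity.Phase.MaxAliasesCheck,
  max_alias_count: env_limit.("GRAPHQL_MAX_ALIASES", 20)

config :absinthe_security, AbsintheSecurity.Phase.MaxDepthCheck,
  max_depth_count: env_limit.("GRAPHQL_MAX_DEPTH", 10)

config :absinthe_security, AbsintheSecurity.Phase.MaxDirectivesCheck,
  max_directive_count: env_limit.("GRAPHQL_MAX_DIRECTIVES", 10)
```

With this file in place, introspection and field suggestions stay off in every environment unless the variable is explicitly set to `true` or `1`.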
AbsintheSecurity is © 2023 Mirego and may be freely distributed under the New BSD license. See the `LICENSE.md` file.
Mirego is a team of passionate people who believe that work is a place where you can innovate and have fun. We’re a team of talented people who imagine and build beautiful Web and mobile applications. We come together to share ideas and change the world.
We also love open-source software and we try to give back to the community as much as we can.