Securing GraphQL APIs: Challenges and Solutions
GraphQL is relatively new in the #API space. Managing it requires a slightly different approach to security. With more and more enterprises exploring and using GraphQL, the question is how to manage API security for GraphQL APIs.

Broadcom Inc./Layer 7 Distinguished Engineer Francois Lascelles explains how GraphQL does create some challenges for traditional approaches to API security, and how to overcome these challenges. It's all about making the tooling "GraphQL-aware" so that security can still be handled by components such as API gateways.

- GraphQL and authentication (should be nothing graph-specific)
- GraphQL and authorization (how coarse-grained authorization is different from REST)
- Important details of graph queries/mutations are opaque to traditional API infrastructure
- Best graph practices
- Should you turn off introspection in production?
- Impact on rate limiting
- Why per-request counting is broken
- Query cost analysis and vulnerability mitigation

👉 More details in this article/paper by James (Jamie) Davis, "A Principled Approach to GraphQL Query Cost Analysis", June 2020 - https://lnkd.in/eUW-D4kt

#apidevelopment #apieconomy #gettingapistowork #enterprisearchitecture #enterpriseit #apitooling #security #apisecurity #graphql
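The last three agenda points (rate limiting, why per-request counting is broken, query cost analysis) are easier to see with numbers. The Python below is an added example, not code from the post, from Broadcom/Layer 7 or from Davis's paper. It assumes a toy parser for a GraphQL subset (selection sets, fields, integer and identifier arguments; no variables, fragments, aliases or directives), a constructed schema fragment `LIST_FIELDS` that records which fields return lists and their default page size, and a simplified "response complexity" cost model in the spirit of the paper: each object returned costs 1 plus its selected sub-fields, and a list field multiplies that by its `first`/`last` argument or the default page size. A per-request counter would charge both sample queries the same; the cost-based budget charges the nested one roughly a million times more.

```python
"""Static GraphQL query-cost analysis (added example, not from the post)."""
import re
from dataclasses import dataclass

# Whitespace, punctuation, names and integer literals; nothing else is accepted.
TOKEN = re.compile(r"\s+|[{}():,]|[A-Za-z_][A-Za-z0-9_]*|-?\d+")


@dataclass
class Field:
    name: str
    args: dict
    children: list


def tokenize(src):
    toks, pos = [], 0
    while pos < len(src):
        m = TOKEN.match(src, pos)
        if not m:
            raise ValueError(f"unexpected character {src[pos]!r} at {pos}")
        pos = m.end()
        if not m.group().isspace():
            toks.append(m.group())
    return toks


class Parser:
    """Recursive-descent parser for a selection-set subset of GraphQL (assumption)."""

    def __init__(self, toks):
        self.toks, self.i = toks, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def selection_set(self):
        self.take("{")
        fields = []
        while self.peek() != "}":        # EOF makes field() raise, so no infinite loop
            fields.append(self.field())
        self.take("}")
        return fields

    def field(self):
        name = self.take()
        args = {}
        if self.peek() == "(":
            self.take("(")
            while self.peek() != ")":
                key = self.take()
                self.take(":")
                val = self.take()
                args[key] = int(val) if re.fullmatch(r"-?\d+", val) else val
                if self.peek() == ",":
                    self.take(",")
            self.take(")")
        children = self.selection_set() if self.peek() == "{" else []
        return Field(name, args, children)


def parse_query(src):
    toks = tokenize(src)
    if toks and toks[0] in ("query", "mutation"):
        toks = toks[1:]
        if toks and toks[0] != "{":       # optional operation name
            toks = toks[1:]
    parser = Parser(toks)
    fields = parser.selection_set()
    if parser.peek() is not None:
        raise ValueError(f"trailing token {parser.peek()!r}")
    return fields


# Constructed schema fragment (assumption): list-returning field -> default page size.
# Anything not listed is treated as a single object or a scalar.
LIST_FIELDS = {"users": 100, "posts": 100, "comments": 100}


def query_cost(fields, schema=LIST_FIELDS):
    """Upper bound on the number of objects the server may resolve for `fields`."""
    total = 0
    for f in fields:
        mult = 1
        if f.name in schema:
            mult = f.args.get("first", f.args.get("last", schema[f.name]))
            if not isinstance(mult, int) or mult < 0:
                raise ValueError(f"{f.name}: first/last must be a non-negative integer literal")
        total += mult * (1 + query_cost(f.children, schema))
    return total


class CostBudget:
    """Rate limiter that charges by estimated query cost instead of counting requests."""

    def __init__(self, budget, max_single=None):
        self.budget, self.max_single, self.used = budget, max_single, 0

    def admit(self, src):
        cost = query_cost(parse_query(src))
        if self.max_single is not None and cost > self.max_single:
            return False, cost            # one query too expensive on its own
        if self.used + cost > self.budget:
            return False, cost            # window budget exhausted
        self.used += cost
        return True, cost


# Constructed sample queries: each is exactly "one request" to a per-request counter.
CHEAP = "{ me { id } }"
DEEP = "query Drain { users(first: 100) { posts(first: 100) { comments(first: 100) { body } } } }"

if __name__ == "__main__":
    for q in (CHEAP, DEEP):
        print(query_cost(parse_query(q)))   # 2 and 2010100
    limiter = CostBudget(budget=10_000)
    print(limiter.admit(CHEAP), limiter.admit(DEEP))
```

The cost is computed before execution, from the query text and the schema alone, which is what lets a gateway that never touches resolvers apply it. The `first`/`last` check rejects negative and non-literal limits rather than guessing; a production implementation would also resolve variables and enforce a hard cap on page-size arguments, since an unbounded `first` is what turns one request into a denial-of-service.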