Automatic Persisted Queries

Description

The absence of Automatic Persisted Queries can cause backend performance problems at scale.

GraphQL clients send queries to Apollo Servers as HTTP requests, including the GraphQL query string. Depending on your GraphQL schema, the size of a valid query string might be arbitrarily large. As query strings become larger, increased latency and network usage can noticeably degrade client performance. A persisted query is a query string cached on the server-side, along with its unique identifier (SHA-256 hash of the query). Clients can send this identifier instead of the full query string, drastically reducing request sizes.

To make a query string persist, your GraphQL server must first receive it from a requesting client. Each unique query string must therefore be sent to the server at least once. Once a client has sent a query string to persist, any other client executing that query can benefit from APQ.

Remediation

To improve network performance for large query strings, enable APQ if your GraphQL server supports it.

GraphQL Specific

  • Apollo: To mitigate the risks associated with Automatic Persisted Queries (APQs) in the Apollo framework, ensure that you have proper security measures in place. This includes validating and sanitizing all user inputs, implementing a strict Content Security Policy (CSP), and using query whitelisting to allow only predefined queries. Additionally, monitor and rate-limit the APQs to prevent abuse. Keep the Apollo Engine and all dependencies up to date to benefit from the latest security patches.
  • Yoga: To mitigate the risks associated with Automatic Persisted Queries in the Yoga framework, ensure that the server only accepts predefined queries. This can be achieved by maintaining a whitelist of allowed query hashes and rejecting any queries that do not match the known hashes. Additionally, implement proper rate limiting and monitoring to detect and prevent abuse.
  • Awsappsync: To mitigate performance issues and reduce network traffic, implement Automatic Persisted Queries (APQs) with AWS AppSync. APQs allow clients to send a short hash instead of the full query, reducing the request size. When the server receives a hash, it retrieves the full query from a cache if available. To enable APQs in AWS AppSync, configure your client to support APQs and modify your AWS AppSync settings to enable caching of the queries. This will improve the efficiency of data retrieval and reduce latency.
  • Graphqlgo: To mitigate potential performance issues and improve the security of your GraphQL Go framework engine, implement Automatic Persisted Queries (APQs). APQs allow clients to send a unique identifier generated from the query instead of the full query itself, reducing the size of the request and protecting against certain types of attacks. Ensure that your GraphQL server is configured to handle APQs by storing the mapping between the identifier and the query, and validate the queries to prevent unauthorized operations. This approach also enables caching at the network level, further enhancing the performance and scalability of your GraphQL service.
  • Graphqlruby: To mitigate potential performance issues and improve the efficiency of GraphQL queries within the Ruby framework, implement Automatic Persisted Queries (APQs). APQs allow clients to send a unique identifier generated from the query instead of the entire query string, reducing the size of the request. Ensure that the GraphQL-Ruby library is configured to support APQs by integrating with a compatible caching mechanism, such as Redis, to store the mapping between the identifiers and the query strings. This will also help in protecting against certain types of Denial of Service (DoS) attacks that involve sending large and complex queries to the server.
  • Hasura: To mitigate the risk of denial-of-service (DoS) attacks when using Automatic Persisted Queries (APQs) with Hasura, ensure that only known queries are allowed by maintaining a list of allowed persisted queries. Implement a strict content security policy, and monitor and rate-limit incoming requests to prevent abuse. Additionally, consider using a unique identifier for each persisted query to avoid collisions and to make it easier to manage the list of allowed queries.
  • Agoo: Implement Automatic Persisted Queries (APQ) in the Agoo framework to enhance backend performance by caching query strings server-side. This reduces the size of HTTP requests by allowing clients to send a unique identifier instead of the full query string, minimizing latency and network usage.
  • Ariadne: Implement Automatic Persisted Queries (APQ) in your Ariadne GraphQL server to enhance performance by reducing the size of query requests. This involves caching query strings on the server with a unique identifier, allowing clients to send only the identifier instead of the full query string, thereby minimizing latency and network usage.
  • Caliban: Enable Automatic Persisted Queries (APQ) in the Caliban framework to improve backend performance by caching query strings on the server-side. This reduces the size of requests by allowing clients to send a unique identifier instead of the full query string, minimizing latency and network usage.
  • Dgraph: Implement Automatic Persisted Queries (APQ) in your Dgraph framework to enhance backend performance by reducing query size and network latency. This involves caching query strings on the server-side and using their unique identifiers for subsequent requests.
  • Dianajl: Implement Automatic Persisted Queries (APQ) in the DianaJL framework engine to enhance backend performance by reducing query string sizes and network usage. This involves caching query strings on the server with a unique identifier, allowing clients to send only the identifier for subsequent requests.
  • Directus: Implement Automatic Persisted Queries (APQ) in your Directus framework setup to enhance backend performance. By caching query strings on the server-side and using unique identifiers, you can significantly reduce request sizes, improve latency, and optimize network usage.
  • Flutter: Implement code splitting and lazy loading in your Flutter application to optimize performance and reduce initial load times.
  • Graphene: Implement Automatic Persisted Queries (APQ) in your Graphene framework setup to enhance backend performance by reducing query size and network usage. This involves caching query strings on the server-side and allowing clients to send a unique identifier instead of the full query string, thereby minimizing latency and improving client performance.
  • Graphqlapiforwp: Implement Automatic Persisted Queries (APQ) in the GraphQL API for WP framework to enhance backend performance by reducing query size and network usage. This involves caching query strings on the server with a unique identifier, allowing clients to send only the identifier for subsequent requests.
  • Graphqlgophergo: Implement Automatic Persisted Queries (APQ) in the GraphQLGopherGo framework to enhance backend performance by reducing query string sizes. This involves caching query strings on the server with a unique identifier, allowing clients to send only the identifier for subsequent requests, thereby minimizing latency and network usage.
  • Graphqljava: Implement Automatic Persisted Queries (APQ) in your GraphQL Java server to enhance performance by reducing the size of query requests. This involves caching query strings on the server with a unique identifier, allowing clients to send only the identifier instead of the full query string, thereby minimizing latency and network usage.
  • Graphqlphp: Implement Automatic Persisted Queries (APQ) in your GraphQLPHP framework to enhance backend performance by reducing query size and network usage. This involves caching query strings on the server with a unique identifier, allowing clients to send only the identifier for subsequent requests.
  • Graphqlyoga: Enable Automatic Persisted Queries (APQ) in your GraphQL Yoga server to improve backend performance by caching query strings with their unique identifiers. This reduces request sizes and network usage, enhancing client performance at scale.
  • Hypergraphql: Implement Automatic Persisted Queries (APQ) in the HyperGraphQL framework to enhance backend performance by reducing query string sizes and minimizing network latency.
  • Jaal: Implement Automatic Persisted Queries (APQ) in the Jaal framework to enhance backend performance by reducing query string sizes. This involves caching query strings on the server with a unique identifier, allowing clients to send the identifier instead of the full query, thus minimizing latency and network usage.
  • Juniper: Implement Automatic Persisted Queries (APQ) in the Juniper framework to enhance backend performance by reducing query string sizes. This involves caching query strings on the server with a unique identifier, allowing clients to send the identifier instead of the full query, thus minimizing latency and network usage.
  • Lacinia: Enable Automatic Persisted Queries in the Lacinia framework to improve backend performance by caching query strings server-side and reducing request sizes.
  • Lighthouse: Implement server-side caching and optimization techniques to improve performance and reduce latency in the Lighthouse framework.
  • Mercurius: Enable Automatic Persisted Queries (APQ) in the Mercurius framework to improve backend performance by caching query strings on the server-side. This reduces the size of requests by allowing clients to send a unique identifier instead of the full query string, minimizing latency and network usage.
  • Morpheusgraphql: Enable Automatic Persisted Queries (APQ) in MorpheusGraphQL to improve backend performance by caching query strings server-side. This reduces request sizes and network usage, enhancing client performance at scale.
  • Gqlgen: Enable Automatic Persisted Queries (APQ) in gqlgen to improve backend performance by caching query strings on the server-side. This reduces network usage and latency by allowing clients to send a unique identifier instead of the full query string.
  • Sangria: Implement Automatic Persisted Queries (APQ) in the Sangria framework to enhance backend performance by caching query strings server-side. This reduces network usage and latency by allowing clients to send a unique identifier instead of the full query string, optimizing request sizes.
  • Shopify: Implement caching strategies to optimize data retrieval and reduce server load in the Shopify framework.
  • Stepzen: Enable Automatic Persisted Queries in StepZen to optimize backend performance by caching query strings server-side and allowing clients to send only the unique identifier, reducing request sizes and improving efficiency.
  • Strawberry: Implement Automatic Persisted Queries (APQ) in the Strawberry framework to enhance backend performance by caching query strings server-side. This reduces request sizes and improves client performance by allowing clients to send a unique identifier instead of the full query string.
  • Tartiflette: Implement Automatic Persisted Queries (APQ) in the Tartiflette framework to enhance backend performance by caching query strings server-side. This reduces the size of client requests by allowing clients to send a unique identifier instead of the full query string, minimizing latency and network usage.
  • Wpgraphql: Implement Automatic Persisted Queries (APQ) in WPGraphQL to enhance backend performance by caching query strings server-side. This reduces the size of HTTP requests by allowing clients to send a unique identifier instead of the full query string, minimizing latency and network usage.

Configuration

Identifier: configuration/graphql_apq

Examples

Ignore this check

checks:
  configuration/graphql_apq:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API8:2023
  • OWASP LLM: LLM04:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-97
  • iso27001: A.12.6
  • nist: SP800-53
  • fedramp: AC-2

Classification

  • CWE: 400

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C
  • CVSS_SCORE: 4.9

References