Configuration: GraphQL Automatic Persisted Queries¶

Identifier: graphql_apq

Scanner(s) Support¶

GraphQL Scanner	REST Scanner	WebApp Scanner

Description¶

When you rely on full query strings every time a client makes a GraphQL request, the server ends up parsing huge, sometimes complex queries repeatedly. Automatic Persisted Queries let you send just a short, unique identifier instead of the whole query, which cuts down on processing time and network load. The risk comes from not properly linking that identifier to a validated query, leaving room for attackers to send misleading or oversized requests that force the server to do unnecessary, heavy work. This can slow down your backend significantly or even open the door to denial-of-service scenarios if an attacker floods your server with bogus requests, a common pitfall when proper validation and rate limits arent in place.

References:

https://www.apollographql.com/docs/apollo-server/performance/apq/

Configuration¶

Example¶

Example configuration:

---
security_tests:
  graphql_apq:
    assets_allowed:
    - GRAPHQL
    skip: false

Reference¶

`assets_allowed`¶

Type : List[AssetType]*

List of assets that this check will cover.

`skip`¶

Type : boolean

Skip the test if true.