GraphQL Response Format

Description

This test checks that your GraphQL response format matches the official GraphQL specification.

Remediation

Make sure that the response format matches the official GraphQL specification.
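As an added example (not Escape's check code), the validator below applies the specification's response-format rules to a raw response body: only data, errors and extensions at the top level, data as an object or null, errors as a non-empty list of objects whose message is a string, with optional locations and path of the right shape. A response that smuggles an HTTP status or a stack trace through extra keys is reported. The sample bodies are constructed.

```python
# Added example (not Escape's own check code): validate a GraphQL response body against the spec's format.
import json

TOP_LEVEL_KEYS = {"data", "errors", "extensions"}
ERROR_KEYS = {"message", "locations", "path", "extensions"}

def _is_int(v):  # bool is a subclass of int in Python; the spec wants real integers here
    return isinstance(v, int) and not isinstance(v, bool)

def _check_error(err, idx, problems):
    # Validate one entry of the 'errors' list against the spec's error format.
    if not isinstance(err, dict):
        problems.append(f"errors[{idx}] is not an object")
        return
    if not isinstance(err.get("message"), str):
        problems.append(f"errors[{idx}].message missing or not a string")
    for key in sorted(err.keys() - ERROR_KEYS):
        # e.g. 'stacktrace' or 'exception': non-compliant, and usually an information leak
        problems.append(f"errors[{idx}] has non-standard key {key!r}")
    locs = err.get("locations")
    if locs is not None and not (isinstance(locs, list) and all(isinstance(l, dict) and _is_int(l.get("line"))
            and _is_int(l.get("column")) and l["line"] > 0 and l["column"] > 0 for l in locs)):
        problems.append(f"errors[{idx}].locations must be a list of {{line, column}} positive ints")
    path = err.get("path")
    if path is not None and not (isinstance(path, list) and all(isinstance(p, str) or _is_int(p) for p in path)):
        problems.append(f"errors[{idx}].path must be a list of strings and integers")

def validate_response(body):
    """Return the spec violations found in a raw JSON body (empty list means compliant)."""
    try:
        resp = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(resp, dict):
        return ["top-level value is not a JSON object"]
    problems = [f"non-standard top-level key {k!r}" for k in sorted(resp.keys() - TOP_LEVEL_KEYS)]
    if "data" not in resp and "errors" not in resp:
        problems.append("response has neither 'data' nor 'errors'")
    if "data" in resp and resp["data"] is not None and not isinstance(resp["data"], dict):
        problems.append("'data' must be an object or null")
    if "errors" in resp:
        if not isinstance(resp["errors"], list) or not resp["errors"]:
            problems.append("'errors' must be a non-empty list")
        else:
            for i, err in enumerate(resp["errors"]):
                _check_error(err, i, problems)
    return problems

GOOD_BODY = '{"data": {"user": {"id": "1", "name": "alice"}}}'  # constructed sample: compliant
BAD_BODY = '{"data": null, "status": 500, "errors": [{"message": "boom", "stacktrace": ["resolvers.js:42"]}]}'  # constructed sample: extra keys leak a stack trace
```

Running validate_response over captured responses from each operation in a test suite gives a repeatable check that the format stays compliant after framework upgrades.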

GraphQL Specific

Apollo Ensure that the Apollo server is configured to validate and sanitize user input to prevent injection attacks. Use a combination of schema validation, custom directives, and depth limiting to control the structure and complexity of the queries. Additionally, implement error handling that does not expose sensitive information in the GraphQL responses.
Yoga Ensure that the Yoga GraphQL server implementation properly validates and sanitizes user input to prevent injection attacks. Implement a robust error handling strategy that does not expose stack traces or sensitive information in the GraphQL responses. Regularly update the Yoga framework to incorporate security patches and improvements.
Awsappsync Ensure that the AWS AppSync GraphQL API is configured to validate and sanitize user input to prevent injection attacks. Use strong, non-nullable types in your schema whenever possible, and leverage AWS AppSync's built-in validation capabilities. Additionally, implement authorization checks and resolvers to control access to data and operations, and consider using AWS WAF to add another layer of security.
Graphqlgo Ensure that the GraphQL Go framework engine properly validates and sanitizes user input to prevent injection attacks. Implement a strong type system and use parameterized queries to handle data fetching. Additionally, employ query complexity analysis to prevent denial-of-service attacks caused by resource-intensive queries. Regularly update the framework to incorporate security patches and improvements.
Graphqlruby Ensure proper validation and sanitization of user-supplied input to prevent injection attacks. Utilize the GraphQL-Ruby's built-in mechanisms for parameterized queries and argument validation. Regularly update the GraphQL-Ruby framework to incorporate the latest security patches and features.
Hasura Ensure that the Hasura GraphQL engine is configured to validate and sanitize user input to prevent injection attacks. Use allow-lists for queries and mutations, and apply appropriate permissions and role-based access controls to limit exposure of sensitive data. Regularly review and update security configurations in line with best practices.
Agoo Ensure that the Agoo framework engine returns GraphQL responses in a format that adheres to the official GraphQL specification, including proper JSON structure and error handling.
Ariadne Ensure that your Ariadne GraphQL server responses adhere to the official GraphQL specification by validating the response structure and data types.
Caliban Ensure that your Caliban GraphQL responses adhere to the official GraphQL specification by validating the response structure and data types.
Dgraph Ensure that your GraphQL response format adheres to the official GraphQL specification by validating the structure and data types returned by the Dgraph framework engine.
Dianajl Ensure that the GraphQL response format in the DianaJL framework engine adheres to the official GraphQL specification by returning data in a structured JSON format.
Directus Ensure Directus GraphQL responses adhere to the official GraphQL specification by validating the response structure and data types.
Flutter Ensure proper state management in Flutter by using providers or stateful widgets to maintain UI consistency.
Graphene Ensure that your GraphQL responses in the Graphene framework adhere to the official GraphQL specification by correctly structuring the JSON response format, including 'data', 'errors', and any additional fields as specified.
Graphqlapiforwp Ensure that your GraphQL API for WP framework engine adheres to the official GraphQL specification by validating the response format against the expected JSON structure.
Graphqlgophergo Ensure that your GraphQL responses adhere to the official GraphQL specification by validating the response format in the graphqlgophergo framework engine.
Graphqljava Ensure that your GraphQLJava framework engine adheres to the official GraphQL specification by validating response formats and using proper error handling mechanisms.
Graphqlphp Ensure your GraphQL response adheres to the official GraphQL specification by using the graphql-php library's built-in validation and serialization features.
Graphqlyoga Ensure that your GraphQL Yoga server responses adhere to the official GraphQL specification by correctly formatting the JSON response structure, including 'data' and 'errors' fields as necessary.
Hypergraphql Ensure that the HyperGraphQL framework engine adheres to the official GraphQL response format by validating the structure and data types of the response against the GraphQL specification.
Jaal Ensure that the Jaal framework engine adheres to the official GraphQL response format by validating the structure and data types of the response against the GraphQL specification.
Juniper Ensure that the Juniper framework engine adheres to the official GraphQL response format by validating the structure and data types in the JSON response against the GraphQL specification.
Lacinia Ensure that your GraphQL response in the Lacinia framework adheres to the official GraphQL specification by correctly structuring the JSON format, including 'data' and 'errors' fields as necessary.
Lighthouse Ensure that the Lighthouse framework engine is configured to follow best practices for performance and accessibility.
Mercurius Ensure that the GraphQL response format in Mercurius adheres to the official GraphQL specification by validating the structure and data types of the response.
Morpheusgraphql Ensure that the MorpheusGraphQL framework engine adheres to the official GraphQL response format by validating the structure and data types of the response against the GraphQL specification.
Qglgen Ensure that your gqlgen framework implementation adheres to the official GraphQL specification by validating the response format and structure.
Sangria Ensure that your Sangria GraphQL server responses adhere to the official GraphQL specification by correctly formatting the JSON output, including 'data', 'errors', and any additional fields as specified.
Shopify Ensure that your Shopify framework engine adheres to the official GraphQL specification by validating response formats and using parameterized queries to prevent injection vulnerabilities.
Stepzen Ensure your GraphQL response format adheres to the official GraphQL specification by validating the structure and data types in your StepZen engine configuration.
Strawberry Ensure that the Strawberry framework's GraphQL responses adhere to the official GraphQL specification by validating the response format and structure.
Tartiflette Ensure that your Tartiflette framework engine returns GraphQL responses in compliance with the official GraphQL specification by validating the response structure and data types.
Wpgraphql Ensure that your wpgraphql framework responses adhere to the official GraphQL specification by validating the structure and data types in your JSON responses.

REST Specific

Asp_net Ensure that your ASP.NET application is using the latest security patches and that input validation is properly implemented to prevent common vulnerabilities such as SQL injection and cross-site scripting (XSS). Utilize built-in features like request validation and encode output where necessary. Regularly review your code for security issues and adhere to best practices in secure coding.
Ruby_on_rails Ensure that your Ruby on Rails application uses the graphql-ruby gem correctly. Adhere to the official GraphQL specification by defining your types, queries, and mutations properly. Validate and sanitize all inputs to prevent injection attacks. Use the provided query execution methods without altering the response structure to maintain compliance with the GraphQL spec.
Next_js Ensure that your Next.js application uses the latest stable version, follows best practices for secure coding, and regularly audits dependencies for vulnerabilities using tools like npm audit or Snyk. Additionally, implement server-side rendering or static generation appropriately to optimize performance and SEO.
Laravel Ensure that your Laravel application uses the latest stable version of the GraphQL Laravel package, and strictly adhere to the official GraphQL specification for response formats. Validate responses with automated tests.
Express_js Ensure that your Express.js application properly validates and sanitizes user input to prevent injection attacks, and consistently handle errors to avoid leaking sensitive information.
Django Ensure that Django views return properly formatted JSON responses adhering to the GraphQL specification. Utilize the Graphene-Django library for seamless integration and compliance.
Symfony Ensure that your Symfony application's GraphQL endpoint properly constructs responses according to the official GraphQL specification. This includes using the correct JSON structure with 'data' for successful executions and 'errors' for exceptions. Utilize the webonyx/graphql-php library or similar to handle response formatting, and validate responses during development with tools like GraphiQL.
Spring_boot Ensure that your Spring Boot application's GraphQL responses adhere to the official GraphQL specification by using the appropriate libraries such as 'graphql-java' or 'graphql-spring-boot-starter'. Validate response formats during development with unit tests and integration tests.
Flask Ensure Flask responses conform to the official GraphQL specification by using a dedicated library such as Graphene. Structure your Flask views to serialize data using Graphene types and adhere to the correct content-type headers.
Nuxt Ensure Nuxt.js is configured to use the latest stable version, follow best practices for secure coding, and regularly update dependencies to mitigate potential vulnerabilities.
Fastapi Ensure that FastAPI endpoints are defined with appropriate response models to enforce a consistent and valid output structure as per the OpenAPI specification.
Frappe Ensure that your GraphQL response adheres to the official GraphQL specification by validating the response structure and data types in the Frappe framework.
Genzio Ensure that the GraphQL response format in the Genzio framework engine adheres to the official GraphQL specification by validating the structure and data types of the response.
Gin Ensure that your GraphQL responses in the Gin framework adhere to the official GraphQL specification by properly structuring the JSON output and handling errors according to the standard.
Gorilla Ensure that your GraphQL response adheres to the official GraphQL specification by validating the structure and data types in your Gorilla framework engine.
Hapi Ensure that your Hapi server's response format adheres to the official GraphQL specification by properly structuring your JSON responses and handling errors according to the GraphQL guidelines.
Hono Ensure that the GraphQL response format adheres to the official GraphQL specification by validating the structure and data types returned by the Hono framework engine.
Jersey Ensure that your Jersey framework engine is configured to handle GraphQL requests and responses according to the official GraphQL specification, including proper JSON formatting and error handling.
Koa Ensure that your Koa framework application properly handles GraphQL requests by validating the response format against the official GraphQL specification. This includes structuring responses in JSON format with appropriate fields such as 'data' and 'errors' to maintain compliance and improve client-side parsing.
Ktor Ensure that your Ktor application properly formats GraphQL responses according to the official GraphQL specification by using the appropriate serialization libraries and configuring them to output JSON in the correct structure.
Leptos Ensure that your Leptos framework engine is configured to handle state management efficiently to prevent memory leaks.
Macaron Ensure that your Macaron framework engine is configured to handle GraphQL responses in compliance with the official GraphQL specification.
Phoenix Ensure your Phoenix framework GraphQL responses adhere to the official GraphQL specification by using libraries like Absinthe to handle query parsing and response formatting.
Redwoodjs Ensure your GraphQL response adheres to the official GraphQL specification by validating the response structure in your RedwoodJS application.
Rocket Ensure that your Rocket framework engine is configured to handle GraphQL responses in compliance with the official GraphQL specification, particularly in terms of JSON formatting and structure.
Sveltekit Ensure that your SvelteKit application properly handles GraphQL responses by adhering to the official GraphQL specification, which includes using JSON format for responses and correctly managing errors and data fields.

Configuration

Identifier: schema/graphql_response_format

Examples

Ignore this check

checks:
  schema/graphql_response_format:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API9:2023
  • OWASP LLM: LLM02:2023
  • pci: 6.5.1
  • gdpr: Article-5
  • soc2: CC6
  • psd2: Article-98
  • iso27001: A.12.1
  • nist: SP800-95
  • fedramp: SI-10

Classification

  • CWE: 20

Score

  • CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References