Skip to main content

Batch Limit


Some GraphQL engines support batching of multiple queries into a single request. This allows users to request multiple objects or multiple instances of objects efficiently. However, an attacker can leverage this feature to evade many security measures, including rate limiting.


Disable or limit queries batching in your GraphQL engine.

GraphQL Specific


To address potential issues within the Apollo framework engine, ensure that all dependencies are up-to-date, utilize the built-in security features such as schema validation and rate limiting, and follow best practices for error handling and logging. Regularly review the Apollo documentation for any updates on security advisories and recommended practices.


For the Yoga framework engine, ensure that all user inputs are properly sanitized to prevent injection attacks. Implement input validation checks to restrict the type and format of data that can be entered. Regularly update the framework and its dependencies to patch any known vulnerabilities. Additionally, consider using security middleware that can help protect against common web threats. Always follow best practices for security within the Yoga framework environment.


To address potential issues with the AWS AppSync framework engine, ensure that you implement batch limits to prevent overloading the system. This can be achieved by setting appropriate limits on the number of records processed in a single batch request. Additionally, monitor the performance and adjust the batch sizes as necessary to optimize throughput while maintaining system stability.


To mitigate the risk of injection attacks in the GraphQL Go framework, ensure that all user-supplied inputs are validated and sanitized. Use prepared statements with variable binding for all database queries to prevent injection vulnerabilities. Additionally, implement proper error handling to avoid exposing sensitive information through error messages. Regularly review and update your security practices to address new and emerging threats.


In the GraphQL Ruby framework, ensure that you implement batch loading to avoid the N+1 query problem. Utilize the batch-loader gem or the built-in GraphQL::Batch mechanism to efficiently load associated records in a single query. This will help in reducing the number of database hits and improve the performance of your GraphQL API. Additionally, set a limit on the maximum query depth and complexity to prevent overly complex queries from overloading the server. Use the max_depth and max_complexity settings provided by the framework to enforce these limits.


To prevent potential performance issues with the Hasura framework engine, it is recommended to implement a batch limit on queries. This can be achieved by setting a maximum number of rows that can be fetched or mutated in a single request. You can configure this limit in the Hasura console under the 'Settings' tab, or by using the HASURA_GRAPHQL_BATCH_SIZE environment variable. By enforcing a batch limit, you ensure that the system remains responsive and stable, even when handling large datasets or complex queries.


Identifier: resource_limitation/graphql_batch_limit


  • threshold : Maximum number of batched documents allowed to be sent


Ignore this check

skip: true


  • Escape Severity: LOW


  • OWASP: API8:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-2



  • CVSS_SCORE: 4.9