GraphQL Response Format
Description
This test checks that your GraphQL response format matches the offciel GraphQL specification.
Remediation
Make sure that the response format matches the official GraphQL specification.
GraphQL Specific
Apollo
Ensure that the Apollo server is configured to validate and sanitize user input to prevent injection attacks. Use a combination of schema validation, custom directives, and depth limiting to control the structure and complexity of the queries. Additionally, implement error handling that does not expose sensitive information in the GraphQL responses.
Yoga
Ensure that the Yoga GraphQL server implementation properly validates and sanitizes user input to prevent injection attacks. Implement a robust error handling strategy that does not expose stack traces or sensitive information in the GraphQL responses. Regularly update the Yoga framework to incorporate security patches and improvements.
Awsappsync
Ensure that the AWS AppSync GraphQL API is configured to validate and sanitize user input to prevent injection attacks. Use strong, non-nullable types in your schema whenever possible, and leverage AWS AppSync's built-in validation capabilities. Additionally, implement authorization checks and resolvers to control access to data and operations, and consider using AWS WAF to add another layer of security.
Graphqlgo
Ensure that the GraphQL Go framework engine properly validates and sanitizes user input to prevent injection attacks. Implement a strong type system and use parameterized queries to handle data fetching. Additionally, employ query complexity analysis to prevent denial-of-service attacks caused by resource-intensive queries. Regularly update the framework to incorporate security patches and improvements.
Graphqlruby
Ensure proper validation and sanitization of user-supplied input to prevent injection attacks. Utilize the GraphQL-Ruby's built-in mechanisms for parameterized queries and argument validation. Regularly update the GraphQL-Ruby framework to incorporate the latest security patches and features.
Hasura
Ensure that the Hasura GraphQL engine is configured to validate and sanitize user input to prevent injection attacks. Use allow-lists for queries and mutations, and apply appropriate permissions and role-based access controls to limit exposure of sensitive data. Regularly review and update security configurations in line with best practices.
REST Specific
Asp_net
Ensure that your ASP.NET application is using the latest security patches and that input validation is properly implemented to prevent common vulnerabilities such as SQL injection and cross-site scripting (XSS). Utilize built-in features like request validation and encode output where necessary. Regularly review your code for security issues and adhere to best practices in secure coding.
Ruby_on_rails
Ensure that your Ruby on Rails application uses the graphql-ruby gem correctly. Adhere to the official GraphQL specification by defining your types, queries, and mutations properly. Validate and sanitize all inputs to prevent injection attacks. Use the provided query execution methods without altering the response structure to maintain compliance with the GraphQL spec.
Next_js
Ensure that your Next.js application uses the latest stable version, follows best practices for secure coding, and regularly audits dependencies for vulnerabilities using tools like npm audit or Snyk. Additionally, implement server-side rendering or static generation appropriately to optimize performance and SEO.
Laravel
Ensure that your Laravel application uses the latest stable version of the GraphQL Laravel package, and strictly adhere to the official GraphQL specification for response formats. Validate responses with automated tests.
Express_js
Ensure that your Express.js application properly validates and sanitizes user input to prevent injection attacks, and consistently handle errors to avoid leaking sensitive information.
Django
Ensure that Django views return properly formatted JSON responses adhering to the GraphQL specification. Utilize the Graphene-Django library for seamless integration and compliance.
Symfony
Ensure that your Symfony application's GraphQL endpoint properly constructs responses according to the official GraphQL specification. This includes using the correct JSON structure with 'data' for successful executions and 'errors' for exceptions. Utilize the webonyx/graphql-php library or similar to handle response formatting, and validate responses during development with tools like GraphiQL.
Spring_boot
Ensure that your Spring Boot application's GraphQL responses adhere to the official GraphQL specification by using the appropriate libraries such as 'graphql-java' or 'graphql-spring-boot-starter'. Validate response formats during development with unit tests and integration tests.
Flask
Ensure Flask responses conform to the official GraphQL specification by using a dedicated library such as Graphene. Structure your Flask views to serialize data using Graphene types and adhere to the correct content-type headers.
Nuxt
Ensure Nuxt.js is configured to use the latest stable version, follow best practices for secure coding, and regularly update dependencies to mitigate potential vulnerabilities.
Fastapi
Ensure that FastAPI endpoints are defined with appropriate response models to enforce a consistent and valid output structure as per the OpenAPI specification.
Configuration
Identifier:
schema/graphql_response_format
Examples
Ignore this check
checks:
schema/graphql_response_format:
skip: true
Score
- Escape Severity: INFO
Compliance
- OWASP: API9:2023
- pci: 6.5.1
- gdpr: Article-5
- soc2: CC6
- psd2: Article-98
- iso27001: A.12.1
- nist: SP800-95
- fedramp: SI-10