
Width limit


GraphQL defines the maximum width of a query as the maximum number of subfields queried from one field.

If no limit is set on query width, a client can craft a single query that requests a very large number of subfields at once; such overly broad queries can lead to DoS attacks or information leakage.


Set a threshold on the maximum number of subfields that can be queried simultaneously.
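As an added illustration of what this threshold measures (this is example code, not Escape's scanner or any library's implementation), the block below computes the width of a GraphQL document without external dependencies: it tokenizes the query, parses selection sets, expands inline fragments and named fragment spreads (their fields are still resolved under the same parent field) and reports the largest number of fields requested from any one selection set. All names in it (`tokenize`, `Parser`, `queryWidth`, `checkWidth`) and the sample query are this example's own; the `threshold < 0` convention mirrors the `-1 = infinite` meaning of the check's `threshold` option.

```javascript
// Added example, not code from the Escape docs or from any GraphQL library.
// Width = the largest number of fields requested from one selection set, after expanding fragments.
const TOKEN = /\s+|,|#[^\n]*|"""[\s\S]*?"""|"(?:\\.|[^"\\])*"|[_A-Za-z][_A-Za-z0-9]*|-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?|\.\.\.|[{}()\[\]:$!@=|&]/y;

function tokenize(src) {
  const tokens = [];
  TOKEN.lastIndex = 0;
  while (TOKEN.lastIndex < src.length) {
    const at = TOKEN.lastIndex, m = TOKEN.exec(src);
    if (!m) throw new Error(`unexpected character at offset ${at}`);
    const s = m[0];
    if (/^[\s,#]/.test(s)) continue;                                   // whitespace, commas and comments are insignificant
    if (/^[_A-Za-z]/.test(s)) tokens.push({ kind: 'name', value: s });
    else if (/^[-"\d]/.test(s)) tokens.push({ kind: 'literal' });      // strings/numbers: brackets inside them never count
    else tokens.push({ kind: 'punct', value: s });
  }
  return tokens;
}

class Parser {
  constructor(src) { this.t = tokenize(src); this.i = 0; }
  is(kind, value) { const k = this.t[this.i]; return !!k && k.kind === kind && (value === undefined || k.value === value); }
  next() { return this.t[this.i++]; }
  expect(kind, value) { if (!this.is(kind, value)) throw new Error(`expected ${value || kind} at token ${this.i}`); return this.next(); }
  skipParens() {                                      // balanced (...) of arguments / variable definitions; content ignored
    this.expect('punct', '(');
    for (let d = 1; d > 0;) { const k = this.next(); if (!k) throw new Error('unbalanced ('); if (k.kind === 'punct') d += { '(': 1, ')': -1 }[k.value] || 0; }
  }
  directives() { while (this.is('punct', '@')) { this.next(); this.expect('name'); if (this.is('punct', '(')) this.skipParens(); } }
  selectionSet() {
    this.expect('punct', '{');
    const items = [];
    while (!this.is('punct', '}')) {
      if (this.is('punct', '...')) {
        this.next();
        if (this.is('name') && !this.is('name', 'on')) { items.push({ kind: 'spread', name: this.next().value }); this.directives(); continue; }
        if (this.is('name', 'on')) { this.next(); this.expect('name'); }    // inline fragment with a type condition
        this.directives(); items.push({ kind: 'inline', selections: this.selectionSet() }); continue;
      }
      this.expect('name');                                                   // field name (or alias)
      if (this.is('punct', ':')) { this.next(); this.expect('name'); }       // alias: realName
      if (this.is('punct', '(')) this.skipParens();
      this.directives();
      items.push({ kind: 'field', selections: this.is('punct', '{') ? this.selectionSet() : null });
    }
    this.next(); return items;
  }
  document() {
    const operations = [], fragments = new Map();
    while (this.i < this.t.length) {
      if (this.is('punct', '{')) { operations.push(this.selectionSet()); continue; }    // anonymous query shorthand
      const kw = this.expect('name').value;
      if (kw === 'fragment') {
        const name = this.expect('name').value; this.expect('name', 'on'); this.expect('name'); this.directives();
        fragments.set(name, this.selectionSet()); continue;
      }
      if (!['query', 'mutation', 'subscription'].includes(kw)) throw new Error(`unexpected ${kw}`);
      if (this.is('name')) this.next();                                                 // operation name
      if (this.is('punct', '(')) this.skipParens();                                     // variable definitions
      this.directives(); operations.push(this.selectionSet());
    }
    return { operations, fragments };
  }
}

// Flatten a selection set to the fields it really requests, expanding fragments with cycle detection.
function expand(set, fragments, active = new Set()) {
  const fields = [];
  for (const item of set) {
    if (item.kind === 'field') { fields.push(item); continue; }
    let sub = item.selections, next = active;
    if (item.kind === 'spread') {
      if (active.has(item.name)) throw new Error(`fragment cycle through ${item.name}`);
      if (!(sub = fragments.get(item.name))) throw new Error(`unknown fragment ${item.name}`);
      next = new Set(active).add(item.name);
    }
    fields.push(...expand(sub, fragments, next));
  }
  return fields;
}

// Width of a selection set: its own field count or the widest nested set, whichever is larger.
function maxWidth(set, fragments) {
  const fields = expand(set, fragments);
  return fields.reduce((w, f) => (f.selections ? Math.max(w, maxWidth(f.selections, fragments)) : w), fields.length);
}

function queryWidth(source) {
  const { operations, fragments } = new Parser(source).document();
  return Math.max(0, ...operations.map((op) => maxWidth(op, fragments)));
}

// threshold < 0 means "no limit", mirroring the -1 convention of the check's threshold option.
function checkWidth(source, threshold = 20) {
  const width = queryWidth(source);
  return { width, allowed: threshold < 0 || width <= threshold };
}

// Constructed sample document: once fragments are expanded, 8 subfields are requested from `user`.
const WIDE_QUERY = `query Wide($id: ID!) { user(id: $id) {
    id name email phone address { street city zip } ...Contact ... on Admin { permissions } } }
  fragment Contact on User { twitter github }`;
console.log(checkWidth(WIDE_QUERY, 5));   // { width: 8, allowed: false }
```

Running `checkWidth` as a validation step before execution is the point: the query is rejected on its shape alone, before any resolver runs, so the cost of an over-wide request is a parse rather than a full resolution. Arguments are skipped as opaque groups because, for width, only the number of selected fields matters; a cost-based estimator such as the modules below would additionally weigh each field.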


Add a module that computes query complexity and set a threshold on that complexity, so that overly broad requests are rejected before they are executed.

For a user-friendly module which requires no schema modification whatsoever, check out the graphql-validation-complexity module.

```javascript
import { ApolloServer } from 'apollo-server';
import { createComplexityLimitRule } from 'graphql-validation-complexity';

// Reject any operation whose computed complexity exceeds 1000
const ComplexityLimitRule = createComplexityLimitRule(1000);

const apolloServer = new ApolloServer({
  // ...schema options (typeDefs, resolvers) as usual
  validationRules: [ComplexityLimitRule],
});
```

For a more customizable module that lets you manually configure the cost of each field/type of your schema, take a look at the graphql-cost-analysis module.

This second option gives a more realistic complexity estimate, since not all fields cost the same to resolve.

To learn more on complexity estimation, you can read: Securing Your GraphQL API from Malicious Queries.


With graphene-django, it is possible to implement a custom GraphQL backend to limit query complexity, such as this one: graphene-django query cost analysis / complexity limits.


Hasura lets you set a width limit, which it calls a node limit.

To do so:

  • Go to Project Console > Security Settings > API Limits.
  • Click on "Global".
  • Set a node limit (e.g., 15).


CheckId: complexity/width_limit


  • threshold: Maximum width before raising an alert (-1 = infinite).


Ignoring this check

```json
"checks": {
  "complexity/width_limit": {
    "skip": true
  }
}
```

Check with all default options

```json
"checks": {
  "complexity/width_limit": {
    "options": {
      "threshold": 20
    }
  }
}
```


  • Escape Severity: LOW
  • OWASP: A04:2023
  • PCI DSS: 6.5.8
  • CWE
    • 20
    • 400
    • 664
    • 770
  • WASC: 10


  • CVSS_SCORE: 5.1