Skip to main content

Width limit


GraphQL defines the maximum width of a query as the maximum number of subfields queried from one field.

If no limit is set on query width, clients may therefore craft a complex query that could lead to potential DoS attacks or information leakage.


Set a threshold on the maximum number of subfields that can be queried simultaneously.

GraphQL Specific


Add a module to compute query complexity and set a threshold on this complexity so that overly broad requests get canceled.

For a user-friendly module which requires no schema modification whatsoever, check out the graphql-validation-complexity module.

import { createComplexityLimitRule } from 'graphql-validation-complexity';

const ComplexityLimitRule = createComplexityLimitRule(1000);

const apolloServer = new ApolloServer({
validationRules: [ComplexityLimitRule],

For a more customizable module that lets you manually configure the cost of each field/type of your schema, take a look at the graphql-cost-analysis module.

This second option is best suited for a more realistic complexity estimator as all fields may not be equal in terms of complexity.

To learn more on complexity estimation, you can read: Securing Your GraphQL API from Malicious Queries.


Hasura allows you to set a width (=node) limit.

To do so:

  • Go to Project Console > Security Settings > API Limits.
  • Click on "Global".
  • Set a node limit (e.g., 15).

With graphene-django, it is possible to implement a custom GraphQL backend to limit query complexity, such as this one: graphene-django query cost analysis / complexity limits.


Identifier: resource_limitation/graphql_width_limit


  • threshold : Maximum width before raising an alert (-1 = infinite).


Ignore this check

"checks": {
"resource_limitation/graphql_width_limit": {
"skip": true


  • Escape Severity: LOW
    • OWASP: API4:2023
    • PCI DSS: 6.5.8
    • CWE
      • 20
      • 400
      • 664
      • 770
    • WASC: WASC-10


  • CVSS_SCORE: 5.1