Supergraph Security with GraphOS Router

Protect your supergraph at its entry point, the router


As the public endpoint of a federated GraphQL API, a GraphOS Router has the responsibility for protecting its downstream subgraphs from malicious clients and their requests.

Its security features contribute to a defense-in-depth approach, where different authentication and authorization measures are applied in various places, from clients to the router itself to subgraphs. The supergraph can also be secured by having the router accept GraphQL operations from validated safelists of operations.

The features covered in this section include:

  • Authorization - define authorized access to GraphQL fields and types by annotating schemas with authorization primitives

  • Persisted Queries - configure the router to allow clients to register and persist cached lists of safe GraphQL queries and operations

  • Best Practices - best practices for securing supergraphs

  • CORS - control router access from browser-based clients

  • CSRF Prevention - configure cross-site request forgery (CSRF) prevention in the router

  • Request Limits - protect your router from requests exceeding network, parser, and operation-based limits

  • Demand Control - protect your graph from high-cost GraphQL operations

  • JWT Authentication - restrict access to credentialed users and systems with JSON Web Tokens (JWT)

  • Router Authentication - authorization and authentication strategies to secure your graph

  • Subgraph Authentication - implement subgraph authentication by using AWS SigV4