Skip to content
Cloudflare Docs
Docs DirectoryAPIsSDKs

GraphQL malicious query protection

GraphQL is a query language for APIs. In addition to protecting RESTful APIs, Cloudflare can also protect GraphQL APIs.

GraphQL malicious query protection scans your GraphQL traffic for queries that could overload your origin and result in a denial of service. You can build rules that limit the query depth and size of incoming GraphQL queries in order to block suspiciously large or complex queries.

Availability

GraphQL malicious query protection is available for all API Shield customers. Enterprise customers who have not purchased API Shield can preview API Shield as a non-contract service in the Cloudflare dashboard or by contacting your account team.

Limitations

The following limitations apply:

  • Parsing is limited to GraphQL POST bodies smaller than 20 KB. This limit will be raised in a future release.
  • Only POST requests with content types of application/json or application/graphql are inspected.
  • Queries containing fragments or multiple operations are not supported.
  • Parsing and rules are limited to paths ending in /graphql.