Configure GraphQL malicious query protection via the API
Use the Cloudflare GraphQL API to gather data about your GraphQL API’s current usage and configure Cloudflare’s GraphQL malicious query protection to log or block malicious queries.
Query size is defined as the number of terminal fields (leaves) in the query, whereas query depth is the deepest level at which a leaf is present. For example, the size of this query will be reported as
4 (terminalField[1-4] all contribute to this counter), and the depth will be reported as
3 (terminalField3 and terminalField4 are at depth level 3).
Using the new
apiGatewayGraphqlQueryAnalyticsGroups node in the Cloudflare GraphQL API, you can retrieve
apiGatewayGraphqlQuerySize and
apiGatewayGraphqlQueryDepth dimensions.
With the above query, you will get the following response:
In the response example, Cloudflare observed 10 requests with depth 1 and size 11, and 10 requests with depth 1 and size 2 in the selected timeframe.
You can use the response to compute percentiles across the attributes and set a threshold on what is allowed. For example, you can use a simple heuristic like
1.5 * p99 for query size or depth.
Here is a simple Python script that will report query size and depth p-levels given the GraphQL API response output above (as a JSON file):
With the above query, you will get the following output:
API Shield customers now have three new fields available in custom rules:
cf.api_gateway.graphql.query_sizedescribes the size of a GraphQL query.
cf.api_gateway.graphql.query_depthdescribes the depth of a GraphQL query.
cf.api_gateway.graphql.parsed_successfullydescribes whether Cloudflare was able to parse the query. Presently, we run best-effort parsing, meaning we might not be able to parse some valid queries. This means that you must use a
and cf.api_gateway.graphql.parsed_successfullyfilter in your custom rules when deploying GraphQL security rules.
For example, you can deploy the following rule via the API or the dashboard to block queries that are deeply nested and ask for over 30 fields.
