You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Earlier this month we experienced very poor performance and very slow queries on our public endpoint. It became clear the setup we had didn't have sufficient horsepower to handle large number of concurrent requests (especially expensive queries).
We beefed up our servers and enabled horizonal scaling (on the same machine with pm2 cluster) in additional to have network load balancer to horizontally scale to multiple nodes. This helped tremendously.
However it is not enough. We can certainly write good efficient graphql queries in our applications, but ultimately for a public endpoint we must assume there will always be some bad actors that want to abuse/disrupt operations.
There are many guides and best practices that we can and should follow. Here are some particularly good ones:
Incidentally graphql-armor developer also provide a free public service https://graphql.security/ to scan graphql endpoints for vulnerabilities. This is how I originally came to realize the default configuration for our graphql-server is not very secure.
There is a wealth of guides and tools available at the-guild-dev to look at and learn from.
The text was updated successfully, but these errors were encountered:
Earlier this month we experienced very poor performance and very slow queries on our public endpoint. It became clear the setup we had didn't have sufficient horsepower to handle large number of concurrent requests (especially expensive queries).
We beefed up our servers and enabled horizonal scaling (on the same machine with pm2 cluster) in additional to have network load balancer to horizontally scale to multiple nodes. This helped tremendously.
However it is not enough. We can certainly write good efficient graphql queries in our applications, but ultimately for a public endpoint we must assume there will always be some bad actors that want to abuse/disrupt operations.
There are many guides and best practices that we can and should follow. Here are some particularly good ones:
One particular tool that stood out.
https://graphql.wtf/episodes/55-graphql-armor
Incidentally
graphql-armor
developer also provide a free public service https://graphql.security/ to scan graphql endpoints for vulnerabilities. This is how I originally came to realize the default configuration for our graphql-server is not very secure.There is a wealth of guides and tools available at the-guild-dev to look at and learn from.
The text was updated successfully, but these errors were encountered: