Secure your GraphQL APIs in a few clicks

Declaratively protect your GraphQL APIs with Hasura Cloud

  • TickSecure by default
  • TickFully configurable API limits and Allow Lists
  • TickFlexible and powerful Authorization Rules

Prevent malicious requests and abuse

API performance issues are typically caused by malicious or poorly implemented queries. Hasura Cloud lets you configure limits and restrict operations to prevent abuse.

  • TickRestrict the number of GraphQL operations per minute.
  • TickConfigure it per IP / per role / per user
  • TickRestrict the operation based on the depth of GraphQL query.
  • TickSet a limit on the total number of GraphQL nodes to prevent unintentional usage and inflated database billing.
GraphQL Query
Try making more than 10 requests/min
query { films(limit: 5) { id title rating release_year } }
{ "data": { "films": [ { "id": 1, "title": "Academy Dinosaur", "rating": "PG", "release_year": 2006 }, { "id": 2, "title": "Ace Goldfinger", "rating": "G", "release_year": 2006 }, { "id": 3, "title": "Adaptation Holes", "rating": "NC-17", "release_year": 2006 }, { "id": 4, "title": "Affair Prejudice", "rating": "G", "release_year": 2006 }, { "id": 5, "title": "African Egg", "rating": "G", "release_year": 2006 } ] } }
GraphQL Query
query { films(limit: 5) { id title rating categories { category_id category { id name } } } }
{ "errors": [ { "extensions": { "path": "$", "code": "node-and-depth-limit-exceeded" }, "message": "operation node and depth limit exceeded" } ] }
GraphQL Query
query { films(limit: 5) { id title rating release_year categories { category_id } actors { actor_id } } }
{ "errors": [ { "extensions": { "path": "$", "code": "node-limit-exceeded" }, "message": "operation node limit exceeded" } ] }

Prevent API Scraping and Excessive Data Exposure

Turn off Schema Introspection in Production
GraphQL’s schema and type system and its introspection capabilities is the backbone behind all of the tooling around it. But for apps running in production, you do not want to inadvertently expose the schema or allow scraping of your APIs.

Disable schema introspection globally for your API using Hasura Console or declaratively using Metadata
Prevent API Scraping and Excessive Data Exposure


Allow Lists

Allow Lists

  • Allow lists can be configured to safely allow a limited number of GraphQL operations (queries/mutations/subscriptions) for your project.
  • Review and approve operations.
  • Explicitly add Introspection queries if required.
Allow Lists
Service Level Security

Service Level Security

Hasura uses PostgreSQL prepared statements where parsing is skipped and only planning and execution takes place.

  • Manage team collaboration with varying levels of access.
  • Set CORS policies to accept only a select set of domains to query from the client side.
  • Protected with an admin secret by default All Hasura Cloud projects come pre-configured with an admin secret by default.
Service Level Security


  • Configure role based permissions
  • Access control rules for CRUD
  • Secure your remote GraphQL API declaratively

Frequently Asked Questions

How is security different in GraphQL?
GraphQL has a single endpoint and a dynamic request body. Traditional methods of limiting URL access won’t work with GraphQL.
Does the introspection feature make GraphQL vulnerable?
GraphQL Introspection exposes the underlying schema that can be queried against the endpoint, thus being vulnerable to attacks. It is very useful during development but is recommended to disable in production.
What kind of security can be added based on GraphQL nodes?
Authorization rules can be added for each node and limiting which nodes can be accessed can be configured too.
Can we only allow a selected list of queries to be made against a GraphQL API?
Hasura supports Allow Lists that lets you configure a list of queries that needs to be available for your production app. Every other request will be rejected.
How do you perform authentication with GraphQL?
Authentication with GraphQL typically depends on the provider being used. For example, if you are using a JWT solution with Hasura, you can pass the access token in the header.