Security check

GraphQL security: is your API leaking or overloading?

GraphQL moves power to the client — and with it the risk. We check whether your API leaks its schema, allows queries that are too deep or too expensive, and lacks field-level access control.

Run a free domain scan All checks →
Relates to: OWASP · API Security Top 10 ISO 27001 · A.8.26 application security requirements NIS2 · art. 21 — secure development

What we check

We review your exposed GraphQL endpoint: is introspection enabled in production (leaking the whole schema), is there protection against overly deep/complex queries and batching abuse, and is access controlled per field — or is one query enough to reach data a user shouldn't see?

Why it matters

GraphQL's flexibility makes classic flaws worse: an open schema shows the attacker exactly what exists, unbounded query depth becomes an easy DoS, and missing field-level authorization leaks data that REST endpoints would have protected. These are the most common GraphQL findings in practice.

How Security Guru tests it

Common mistakes

  • Introspection enabled in production — the whole schema public
  • No depth or complexity limits → easy DoS via one query
  • Per-request rate limiting bypassed with aliasing/batching
  • Authorization at the endpoint level but not per field

What you get in the report

  • Introspection and schema exposure status
  • Missing depth/complexity/batching protections
  • Fields without proper access control
  • Prioritised fix list mapped to OWASP API Top 10

FAQ

Do you run real attacks against our API?

No — the check is non-intrusive. We verify configuration and exposure without loading or exfiltrating data.

Do you cover both Apollo and other servers?

Yes — the checks apply to the GraphQL layer regardless of server (Apollo, Hasura, custom, etc.).

Is this part of an API review?

Yes — GraphQL-specific flaws are part of our review of exposed APIs.

Want to know your status?

Run a free scan or order a full Security Assessment — prioritised, not noise.

Run a free domain scan