GraphQL moves power to the client — and with it the risk. We check whether your API leaks its schema, allows queries that are too deep or too expensive, and lacks field-level access control.
Run a free domain scan All checks →We review your exposed GraphQL endpoint: is introspection enabled in production (leaking the whole schema), is there protection against overly deep/complex queries and batching abuse, and is access controlled per field — or is one query enough to reach data a user shouldn't see?
GraphQL's flexibility makes classic flaws worse: an open schema shows the attacker exactly what exists, unbounded query depth becomes an easy DoS, and missing field-level authorization leaks data that REST endpoints would have protected. These are the most common GraphQL findings in practice.
Do you run real attacks against our API?
No — the check is non-intrusive. We verify configuration and exposure without loading or exfiltrating data.
Do you cover both Apollo and other servers?
Yes — the checks apply to the GraphQL layer regardless of server (Apollo, Hasura, custom, etc.).
Is this part of an API review?
Yes — GraphQL-specific flaws are part of our review of exposed APIs.
Run a free scan or order a full Security Assessment — prioritised, not noise.
Run a free domain scan