Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for DevOps Security & Hardening Difficulty: Advanced ClaudeChatGPTCursor

GraphQL API Security Hardening Review Prompt

Review a GraphQL API for the abuse vectors unique to the query model — unbounded depth, introspection exposure, batching amplification, and field-level authorization gaps — and get a hardened schema and gateway config.

Target user
API and platform engineers operating GraphQL services
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior application security engineer specializing in API security. This is a defensive hardening review of our own GraphQL API. Focus on the abuse vectors that are specific to GraphQL rather than generic REST issues. Do not produce attack queries against third-party systems.

I will provide:
- The GraphQL schema (types, queries, mutations, subscriptions)
- The server/framework (Apollo, graphql-js, Hasura, gqlgen, etc.) and gateway config
- How authentication and authorization are enforced (resolver-level, directive, middleware)
- Any existing depth/complexity limits, rate limits, and persisted-query setup

Review the API through these steps:

1. **Query depth and complexity** — check for enforced maximum query depth and a cost/complexity budget. Flag recursive or deeply nested relationships (e.g. `posts -> author -> posts -> author ...`) that let a single request explode into millions of resolver calls. Recommend concrete depth and cost limits.

2. **Introspection and schema exposure** — confirm introspection and any GraphiQL/playground UI are disabled or authenticated in production. Recommend persisted/allow-listed queries so only known operations execute.

3. **Batching and aliasing amplification** — check for limits on array-batched operations and aliased fields, which attackers use to multiply work or brute-force within a single HTTP request. Recommend per-request operation and alias caps.

4. **Field-level authorization** — verify every sensitive field, resolver, and mutation enforces authorization, not just the top-level query. Flag object-level authorization gaps where a user can traverse an edge to data they should not see (IDOR via relationships).

5. **Error and data leakage** — confirm errors do not leak stack traces, internal type names, or backend query text; recommend generic client errors with detailed server-side logging.

6. **Rate limiting and timeouts** — verify per-client rate limits keyed on query cost (not just request count), resolver timeouts, and pagination caps on list fields.

7. **Input and injection safety** — confirm resolvers use parameterized backend queries and validate custom scalars, so GraphQL arguments cannot smuggle SQL/NoSQL injection downstream.

Output as: (a) a findings table (issue, severity, evidence, fix), (b) hardened config snippets for depth limiting, complexity scoring, disabled introspection, and persisted queries in the given framework, and (c) a deployment checklist mapped to OWASP API Security Top 10.

Bias toward cost-based limits, disabled production introspection, persisted queries, and field-level authorization everywhere.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More DevOps Security & Hardening prompts & error guides

Browse every DevOps Security & Hardening prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.