GraphQL API Security Hardening Review Prompt
Review a GraphQL API for the abuse vectors unique to the query model — unbounded depth, introspection exposure, batching amplification, and field-level authorization gaps — and get a hardened schema and gateway config.
- Target user
- API and platform engineers operating GraphQL services
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior application security engineer specializing in API security. This is a defensive hardening review of our own GraphQL API. Focus on the abuse vectors that are specific to GraphQL rather than generic REST issues. Do not produce attack queries against third-party systems. I will provide: - The GraphQL schema (types, queries, mutations, subscriptions) - The server/framework (Apollo, graphql-js, Hasura, gqlgen, etc.) and gateway config - How authentication and authorization are enforced (resolver-level, directive, middleware) - Any existing depth/complexity limits, rate limits, and persisted-query setup Review the API through these steps: 1. **Query depth and complexity** — check for enforced maximum query depth and a cost/complexity budget. Flag recursive or deeply nested relationships (e.g. `posts -> author -> posts -> author ...`) that let a single request explode into millions of resolver calls. Recommend concrete depth and cost limits. 2. **Introspection and schema exposure** — confirm introspection and any GraphiQL/playground UI are disabled or authenticated in production. Recommend persisted/allow-listed queries so only known operations execute. 3. **Batching and aliasing amplification** — check for limits on array-batched operations and aliased fields, which attackers use to multiply work or brute-force within a single HTTP request. Recommend per-request operation and alias caps. 4. **Field-level authorization** — verify every sensitive field, resolver, and mutation enforces authorization, not just the top-level query. Flag object-level authorization gaps where a user can traverse an edge to data they should not see (IDOR via relationships). 5. **Error and data leakage** — confirm errors do not leak stack traces, internal type names, or backend query text; recommend generic client errors with detailed server-side logging. 6. **Rate limiting and timeouts** — verify per-client rate limits keyed on query cost (not just request count), resolver timeouts, and pagination caps on list fields. 7. **Input and injection safety** — confirm resolvers use parameterized backend queries and validate custom scalars, so GraphQL arguments cannot smuggle SQL/NoSQL injection downstream. Output as: (a) a findings table (issue, severity, evidence, fix), (b) hardened config snippets for depth limiting, complexity scoring, disabled introspection, and persisted queries in the given framework, and (c) a deployment checklist mapped to OWASP API Security Top 10. Bias toward cost-based limits, disabled production introspection, persisted queries, and field-level authorization everywhere.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
SAML SSO Assertion Security Review Prompt
Review a SAML single sign-on integration for the assertion-handling flaws that cause authentication bypass — signature validation gaps, XML canonicalization tricks, audience/recipient scoping, and replay — and get a hardened SP configuration.
-
Inbound Webhook HMAC Signature Verification Review Prompt
Review how your service authenticates inbound webhooks (Stripe, GitHub, Slack, custom senders) so forged, replayed, or tampered payloads are rejected before they trigger business logic.
-
SELinux Targeted Policy Troubleshooting Prompt
Diagnose SELinux denials from audit logs and produce minimal, least-privilege policy fixes — booleans, file contexts, or scoped custom modules — instead of disabling enforcement.
-
DISA STIG OpenSCAP Remediation Triage Prompt
Triage an OpenSCAP STIG scan — separate true failures from false positives and accepted-risk findings — and produce reviewed remediation with the operational blast radius of each fix called out.
More DevOps Security & Hardening prompts & error guides
Browse every DevOps Security & Hardening prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.