Pluralsight: Securing a GraphQL API with Apollo 3 2020

Question 1

03 Implementing Cookie Authentication for Apollo Server and Client

Compare Cookie Auth and Header Auth in context of vulnerability.

Answer 1

1. Cookie is vulnerable to CSRF
2. Header is vulnerable to XSS

Question 2

04 Restricting Access for Types and Fields with Roles and Permissions

Where authorization can be put? (3 options)

Answer 2

1. in resolvers
2. in model
3. using schema directives

Question 3

05 Protecting Against Large and Malicious Queries / 01 Introduction

Mention 3 threats related to using GraphQL

Answer 3

1. Multiple requests withing a short time
2. Deeply nested queries
3. Complex queries

Question 4

05 Protecting Against Large and Malicious Queries / 04 Implementing Protection Against Query Complexity

How to protect against query complexity in Apollo Server?

Answer 4

1. Install library graphql-validation-complexity
2. Define cost above which query is rejected
3. Use schema directive to define cost of retrieving specific fields (otherwise default one is used)