HardenPluginOptions
HardenPluginOptions
Options that can be passed to the .init()
static method of the HardenPlugin.
interface HardenPluginOptions {
maxQueryComplexity?: number;
queryComplexityEstimators?: ComplexityEstimator[];
logComplexityScore?: boolean;
customComplexityFactors?: {
[path: string]: number;
};
hideFieldSuggestions?: boolean;
apiMode?: 'dev' | 'prod';
}
maxQueryComplexity
number
1000
Defines the maximum permitted complexity score of a query. The complexity score is based on the number of fields being selected as well as other factors like whether there are nested lists.
A query which exceeds the maximum score will result in an error.
queryComplexityEstimators
ComplexityEstimator[]
An array of custom estimator functions for calculating the complexity of a query. By default, the plugin will use the defaultVendureComplexityEstimator which is specifically tuned to accurately estimate Vendure queries.
logComplexityScore
boolean
false
When set to true
, the complexity score of each query will be logged at the Verbose
log level, and a breakdown of the calculation for each field will be logged at the Debug level.
This is very useful for tuning your complexity scores.
customComplexityFactors
{ [path: string]: number; }
This object allows you to tune the complexity weight of specific fields. For example,
if you have a custom stockLocations
field defined on the ProductVariant
type, and
you know that it is a particularly expensive operation to execute, you can increase
its complexity like this:
Example
HardenPlugin.init({
maxQueryComplexity: 650,
customComplexityFactors: {
'ProductVariant.stockLocations': 10
}
}),
hideFieldSuggestions
boolean
true
Graphql-js will make suggestions about the names of fields if an invalid field name is provided. This would allow an attacker to find out the available fields by brute force even if introspection is disabled.
Setting this option to true
will prevent these suggestion error messages from being returned,
instead replacing the message with a generic "Invalid request" message.
apiMode
'dev' | 'prod'
'prod'
When set to 'prod'
, the plugin will disable dev-mode features of the GraphQL APIs:
- introspection
- GraphQL playground