A curated list of awesome GraphQL Security frameworks, libraries, software and resources.
- GraphQL Shield - GraphQL Shield helps you create a permission layer for your application.
- GraphQL Authz - GraphQL Shield helps you create a permission layer for your application.
- Escape - GraphQL Security - Continuous GraphQL Security Testing for Developers. Find and fix GraphQL security flaws in the CI/CD.
- GraphQL Cop - Utility to run common security tests against GraphQL APIs that can be run inside CI/CD.
- GraphQL Armor - Highly customizable security middleware for Apollo GraphQL and Envelop servers.
- WAF for GraphQL - Web Application Firewall for GraphQL APIs.
- Postman - Postman is an API platform for developers to design, build, test and iterate their APIs.
- Insomnia - Design and test GraphQL APIs with ease.
- Altair - Altair GraphQL Client helps you debug GraphQL queries and implementations. Also distributed as a Browser Extension.
- GraphMan - Generate a complete Postman collection from a GraphQL endpoint. Allows instant and easy discovery and exploration of the API.
- GraphQL Visualizer - Visualize GraphQL schema.
- Voyager - Represent any GraphQL API as an interactive graph.
- GraphQL Inspector – Validate schema, get schema change notifications, validate operations, find breaking changes, look for similar types, schema coverage.
- Graphinder - Blazing fast GraphQL endpoints finder using subdomain enumeration, scripts analysis and bruteforce.
- Graphw00f - GraphQL Server Engine Fingerprinting utility.
- Clairvoyance - Patrial introspection fetcher when introspection is disabled.
- GraphQL Path Enum – Tool that lists the different ways of reaching a given type in a GraphQL schema.
- ShapeShifter - Schema extraction to JSON file with introspection.
- GraphCrawler - A GraphQL automated security toolkit. Grab introspection, search for sensitive queries, and then test authorization.
- CrackQL - GraphQL password brute-force and fuzzing utility.
- GraphQLMap - A scripting engine to interact with a GraphQL endpoint for pentesting purposes.
- GraphQL.Security - One-click quick security scan of your GraphQL endpoints. Free, no login required.
- GraphQL Threat Matrix - GraphQL threat framework to research security gaps in GraphQL implementations.
- InQL - A Burp Extension for GraphQL Security Testing.
- BatchQL - GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations.
- Damm Vulnerable GraphQL Application - Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.
- Access Control Best Practices for GraphQL with Authentication and Authorization - Confusion between authentication and authorization causes data leaks. Learn the difference and how to implement the right access control pattern in your GraphQL API.
- Apollo Blog - Take your GraphQL skills to the next level with our free interactive GraphQL tutorials, videos, quizzes and code challenges.
- The GraphQL Security Blog - Learn about GraphQL security, performance, testing and building production-ready APIs with the latest tools and best practices of the GraphQL ecosystem.
- Aliasing Attacks - Addressing the Security concerns of GraphQL Aliases.
- File Inclusion and Directory Traversal - File Inclusion and Directory Traversal in GraphQL.
- GraphQL CSRF - Understanding and Dealing with Cross-Site Request Forgery Attacks (CSRF) in GraphQL.
- GraphQL Cyclic Queries and Depth Limiting - The relational aspect of GraphQL can be a vulnerability exploited by running deep and cyclic queries causing your API to crawl under the load and crash.
- HTTPS and GraphQL - How HTTPS can prevent Data Leaks.
- SQL Injection - SQL Injections in GraphQL.
- Verbose Errors Suggestions - When GraphQL Error Messages become a Security Issue.
Your contributions are always welcome! Please take a look at the contribution guidelines first.
We will keep some pull requests open if we are not sure whether those libraries are awesome, you could vote for them by adding 👍 to them.
If you have any question about this opinionated list, do not hesitate to contact us @escapetechHQ on Twitter or open an issue on GitHub.