Protecting GraphQL APIs from malicious queries

In this post, we explore how we built a high-performance GraphQL query parser at the edge with Rust and without allocating any heap memory. The need for such a parser emerged when we wanted to provide more visibility into our customers’ traffic patterns by calculating depth and size of their received GraphQL queries. We were able to achieve this while keeping the parsing time under 50 microseconds for p95, which is an impressive performance feat. We started by converting raw GraphQL input into a list of lexical tokens according to the GraphQL grammar using Rust and then built our validation engine to calculate query depth and size in one pass. This allowed us to provide valuable data insights that can be used to protect against potential security threats or create more effective rate limiting policies for API Gateway customers. We have also started integrating this functionality with existing features such as complexity-based rate limiting, allowing customization of endpoint-specific protections, and providing data insights on the relationship between query complexity and response time from the customer origin. These improvements will enable our users to better manage their GraphQL APIs' security and performance while reducing operational overhead. Overall, this project highlights the power of Rust as a language for building efficient solutions like Cloudflare’s API Gateway.