The HardenPlugin hardens the Shop and Admin GraphQL APIs against attacks and abuse.
It is a recommended plugin for all production configurations.
yarn add @vendure/harden-plugin
or
npm install @vendure/harden-plugin
Then add the HardenPlugin, calling the .init() method with HardenPluginOptions:
Example
The maxQueryComplexity option sets an upper bound on how complex a single query may be. A query's complexity depends on how many fields it selects and how deeply they are nested, and is intended to roughly correspond to the amount of server resources needed to resolve it.
The goal of this setting is to prevent attacks in which a malicious actor crafts a very complex query in order to overwhelm your server resources. Here's an example of a request which would likely overwhelm a Vendure server:
This evil query has a complexity score of 2,443,203, far above the default maximum of 1,000, so the plugin rejects it before any resolver runs.
The complexity score is calculated by the graphql-query-complexity library, and by default uses the defaultVendureComplexityEstimator, which is tuned specifically to the Vendure Shop API.
Note: By default, if the "take" argument is omitted from a list query (e.g. the products or collections query), a default factor of 1000 is applied, i.e. the list is scored as though it returned 1,000 items. Clients should therefore always pass an explicit take on list queries; without it, even a modest selection set will exceed the default maximum.
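The following is an added example, not code from the HardenPlugin or from graphql-query-complexity, that models the scoring described above with simplified rules: every selected field costs 1, a list field multiplies its children's total by take (or by 1000 when take is omitted), and the query score is the sum of the top-level selections. The sample queries are hand-built selection trees rather than parsed GraphQL documents, so the block runs without any dependency. It also prints a per-field breakdown of the kind the logComplexityScore option is meant to give you while tuning; the real log format is the plugin's own and is not reproduced here.

```typescript
// Added example: a simplified model of list-aware query complexity scoring.
// NOT the code of graphql-query-complexity or Vendure's
// defaultVendureComplexityEstimator; the rules are assumptions chosen to
// reproduce the behaviour the documentation describes:
//   - every selected field costs 1
//   - a list field multiplies its children's total by `take`, or by
//     DEFAULT_LIST_FACTOR when the client omits `take`
//   - the query score is the sum of the top-level selections

const DEFAULT_LIST_FACTOR = 1000;    // factor applied when `take` is omitted
const DEFAULT_MAX_COMPLEXITY = 1000; // the plugin's default maxQueryComplexity

interface Selection {
  name: string;
  list?: boolean;           // field resolves to a list of items
  take?: number;            // `take` argument supplied by the client, if any
  selections?: Selection[]; // nested selection set
}

interface ScoredField {
  name: string;
  score: number;
  factor: number;           // multiplier applied to the children (1 for non-lists)
  children: ScoredField[];
}

function scoreField(field: Selection): ScoredField {
  const children = (field.selections || []).map(scoreField);
  const childTotal = children.reduce((sum, c) => sum + c.score, 0);
  const factor = field.list ? (field.take !== undefined ? field.take : DEFAULT_LIST_FACTOR) : 1;
  return { name: field.name, score: 1 + factor * childTotal, factor, children };
}

function scoreQuery(selections: Selection[]): ScoredField[] {
  return selections.map(scoreField);
}

function queryComplexity(selections: Selection[]): number {
  return scoreQuery(selections).reduce((sum, f) => sum + f.score, 0);
}

// The gate the plugin enforces: decide before any resolver runs.
function checkComplexity(
  selections: Selection[],
  max: number = DEFAULT_MAX_COMPLEXITY,
): { allowed: boolean; score: number; max: number } {
  const score = queryComplexity(selections);
  return { allowed: score <= max, score, max };
}

// Per-field breakdown showing how each score is derived from its children.
function breakdown(selections: Selection[]): string[] {
  const lines: string[] = [];
  const describe = (f: ScoredField, depth: number): void => {
    const childTotal = f.children.reduce((sum, c) => sum + c.score, 0);
    const derivation = f.children.length ? ` = 1 + ${f.factor} x ${childTotal}` : '';
    lines.push(`${new Array(depth + 1).join('  ')}${f.name}: ${f.score}${derivation}`);
    f.children.forEach(c => describe(c, depth + 1));
  };
  scoreQuery(selections).forEach(f => describe(f, 0));
  return lines;
}

// Constructed sample queries (selection trees, not real GraphQL documents).
// products(options: { take: 10 }) { items { id name } }
const boundedQuery: Selection[] = [
  { name: 'products', list: true, take: 10, selections: [
    { name: 'items', selections: [{ name: 'id' }, { name: 'name' }] },
  ] },
];
// products { items { id name } }   <- `take` omitted, so the 1000 factor applies
const unboundedQuery: Selection[] = [
  { name: 'products', list: true, selections: [
    { name: 'items', selections: [{ name: 'id' }, { name: 'name' }] },
  ] },
];
// products(options: { take: 100 }) { items { variants { id product { variants { id } } } } }
const nestedQuery: Selection[] = [
  { name: 'products', list: true, take: 100, selections: [
    { name: 'items', selections: [
      { name: 'variants', list: true, selections: [
        { name: 'id' },
        { name: 'product', selections: [
          { name: 'variants', list: true, selections: [{ name: 'id' }] },
        ] },
      ] },
    ] },
  ] },
];

const samples: Array<[string, Selection[]]> = [
  ['bounded', boundedQuery], ['unbounded', unboundedQuery], ['nested', nestedQuery],
];
for (const [label, q] of samples) {
  const r = checkComplexity(q);
  console.log(`${label}: score ${r.score}, ${r.allowed ? 'allowed' : 'REJECTED'} (max ${r.max})`);
}
console.log(breakdown(boundedQuery).join('\n'));
```

Under these rules the bounded query scores 31, the same selection set without take scores 3,001 and is rejected at the default maximum, and the nested query scores 100,300,201: each unbounded list level multiplies everything beneath it by 1,000, which is why a few levels of nesting are enough to exhaust a server.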
The optimal max complexity score will vary depending on:
You should aim to set the maximum as low as possible while still being able to service every query your storefront and integrations legitimately need. This takes some manual tuning.
While tuning the maximum, you can turn on the logComplexityScore option to get a detailed breakdown of the complexity of each query, showing how the total score is derived from its child fields:
Example
With logging configured as above, the following query:
will log the following breakdown: