
Personally I found GraphQL to be a godsend for prototyping. Tools such as Hasura and PostGraphile are just amazing for whipping up a fully working backend very quickly. I do agree with some of the posts, though, about security being a bit of a hassle. It's not impossible to secure GraphQL endpoints (e.g. through row-level or column-level security for a Postgres-based backend), but it's not as straightforward as securing a REST endpoint.


That's the reason we developed field-level access control [1] with policies on top of rate limiting [2] for Metatype.

[1] https://metatype.dev/docs/tutorials/policies-and-materialize...

[2] https://metatype.dev/docs/tutorials/authentication-and-secur...


If you consume your own GraphQL endpoint, you can add a layer of security by only allowing predefined queries and inspecting the provided query variables. I use PostGraphile as an Express middleware and only allow whitelisted requests.



