This post is part of a series where I explore the GraphQL related features in Azure API Management. Part 1 - Expose an existing GraphQL API Part 2 - Expose an existing SOAP or REST API through GraphQL using the 'Synthetic GraphQL' feature Part 3 (this post) - Secure your GraphQL API using a GraphQL validation policy Because of the way that GraphQL is setup, it is typically not sufficient to secure our GraphQL api at the endpoint level. Therefore Azure API management introduces a GraphQL validation policy to secure and protect against GraphQL-specific attacks. Validate our GraphQL request Some typical GraphQL specific security issues are: Abusing the introspection API of our GraphQL endpoint to explore the full schema. (This is really handy during development but maybe something you don’t want to expose in production) Stressing our server by loading too much data in one go, for example trying to fetch the full graph in one request. Let’s see how
We’ll continue our exploration of the GraphQL features in Azure API Management by having a look at another feature; the possibility to transform an existing SOAP or REST API in an GraphQL API(Synthetic GraphQL). (If you missed the previous post in this series, have a look here .) Let's walk through the steps. The REST API Let’s first have a look at our REST API that we’ll use in this post. I’ve created an Azure Function that can be called through a GET request and returns a Person object(similar to the GraphQL API I used in the previous post). Here is the related code: Create a Synthetic GraphQL API Let’s see how we can expose this REST API as a ‘Synthetic GraphQL’ API through Azure API Management. Go to your Azure API Management instance in the Azure portal. From the side menu, select APIs in the APIs section: Choose Synthetic GraphQL under Define a new API : In the dialog box specify the following fields: Display name: The name