Cloudflare Docs
API Shield
Visit API Shield on GitHub
Set theme to dark (⇧+D)

GraphQL malicious query protection

GraphQL is a query language for APIs. In addition to protecting RESTful APIs, Cloudflare can also protect GraphQL APIs.

GraphQL malicious query protection scans your GraphQL traffic for queries that could overload your origin and result in a denial of service. Customers can build rules that limit the query depth and size of incoming GraphQL queries in order to block suspiciously large or complex queries.

​​ Availability

GraphQL malicious query protection is available for all API Shield customers. Enterprise customers who have not purchased API Shield can get started by enabling the API Shield trial in the Cloudflare dashboard or contacting your account manager.

​​ Limitations

Our initial release is limited in the body request size that it can parse. This limit will be lifted in a future release. Additionally, we currently inspect only POST requests with content-types of application/json or application/graphql where the queries do not contain fragments or multiple operations. Parsing and rules are limited to paths ending in /graphql.