Pagination limits
Enforce bounded page sizes and pagination windows so list queries cannot request unbounded result sets.
Applies to
- GraphQL servers
- Gateways and proxies
Why this should be default
GraphQL should typically be used to fetch only the data displayed on the screen, with further data fetched as and when it is needed. Allowing API clients to request unbounded result sets places a performance burden on servers and backend infrastructure (database reads, serialization, memory) that can lead to denial of service and similar issues. Additionally, GraphQL allows fetching nested lists, which multiplies result sets: a query asking for 1,000 users, each with 1,000 posts, can touch a million rows in a single request. Bounding page sizes helps to limit this growth, but because bounded pages still multiply across nesting levels, the bound also needs to account for how deeply lists are nested.
Addresses
Implementing solutions
Notes
Trusted documents (persisted operations) reduce the risk from untrusted query text, but even a trusted operation can still request too much data through its variables, for example `first: $count` with a client-supplied `$count`, unless pagination is bounded on the server side.
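The following is an added example, not code from the original page or from any particular GraphQL server project. It enforces one pagination policy at two points: `boundPageArgs()` runs inside a list-field resolver and rejects over-sized or malformed `first`/`last` arguments, and `enforcePagination()` runs before execution, walking the operation's selection set to bound the multiplied fan-out of nested lists that the "Why this should be default" section describes. It also covers the trusted-document case from the note above: a page size supplied through a variable is checked against the bound value, and an unbound variable is assumed to be the maximum. The walker accepts the `Field`/`Argument`/`SelectionSet` node shape that graphql-js's `parse()` produces; the sample ASTs, the `POLICY` values and the `listFields` set are all constructed assumptions so that the file runs without the `graphql` package installed.

```javascript
// Added example (not from the page). One pagination policy enforced in a
// resolver (boundPageArgs) and before execution (enforcePagination).
// POLICY values and listFields are assumptions for this example.
const POLICY = {
  defaultPageSize: 20,   // applied when a client omits first/last
  maxPageSize: 100,      // hard cap for any single list field
  maxFanOut: 10_000,     // cap on total list rows an operation may materialise
  listFields: new Set(['users', 'posts', 'comments']), // assumed list fields in the schema
};

class PaginationError extends Error {
  constructor(message) { super(message); this.name = 'PaginationError'; }
}

// Resolver-side check. Rejects rather than silently clamps, so misbehaving
// clients get a visible error instead of quietly receiving fewer rows.
function boundPageArgs(args, policy = POLICY) {
  const { first, last } = args;
  if (first != null && last != null) {
    throw new PaginationError('use either first or last, not both');
  }
  const requested = first ?? last;
  if (requested == null) return { ...args, first: policy.defaultPageSize };
  if (!Number.isInteger(requested) || requested < 1) {
    throw new PaginationError(`page size must be a positive integer, got ${requested}`);
  }
  if (requested > policy.maxPageSize) {
    throw new PaginationError(`page size ${requested} exceeds maximum ${policy.maxPageSize}`);
  }
  return args;
}

// Page size requested by a Field node. A variable with no bound value is
// assumed to be the maximum: a static check cannot know what the client sends.
function pageSizeOf(fieldNode, variables, policy) {
  for (const arg of fieldNode.arguments ?? []) {
    const name = arg.name.value;
    if (name !== 'first' && name !== 'last') continue;
    if (arg.value.kind === 'IntValue') return Number(arg.value.value);
    if (arg.value.kind === 'Variable') {
      const bound = variables[arg.value.name.value];
      return bound === undefined ? policy.maxPageSize : bound;
    }
  }
  return policy.defaultPageSize; // boundPageArgs() applies the same default
}

// Worst-case list rows touched by a selection set: each list field yields
// (rows of its enclosing list) x (its page size), summed over all list fields.
// Fragment spreads are not handled here (assumption, kept short).
function estimateFanOut(selectionSet, variables = {}, policy = POLICY, parentRows = 1) {
  let total = 0;
  for (const sel of selectionSet?.selections ?? []) {
    if (sel.kind !== 'Field') continue;
    if (!policy.listFields.has(sel.name.value)) {
      total += estimateFanOut(sel.selectionSet, variables, policy, parentRows);
      continue;
    }
    // Reuse the resolver check so variable-supplied sizes get the same validation.
    const { first: size } = boundPageArgs({ first: pageSizeOf(sel, variables, policy) }, policy);
    const rows = parentRows * size;
    total += rows + estimateFanOut(sel.selectionSet, variables, policy, rows);
  }
  return total;
}

// Pre-execution gate: returns the estimate or rejects the whole operation.
function enforcePagination(selectionSet, variables = {}, policy = POLICY) {
  const rows = estimateFanOut(selectionSet, variables, policy);
  if (rows > policy.maxFanOut) {
    throw new PaginationError(`operation may touch ${rows} rows, limit is ${policy.maxFanOut}`);
  }
  return rows;
}

// Builds graphql-js-shaped Field nodes by hand; a string value '$n' means variable n.
function field(name, args = {}, selections = []) {
  const variable = (v) => ({ kind: 'Variable', name: { kind: 'Name', value: v.slice(1) } });
  return {
    kind: 'Field',
    name: { kind: 'Name', value: name },
    arguments: Object.entries(args).map(([k, v]) => ({
      kind: 'Argument',
      name: { kind: 'Name', value: k },
      value: typeof v === 'number' ? { kind: 'IntValue', value: String(v) } : variable(v),
    })),
    selectionSet: selections.length ? { kind: 'SelectionSet', selections } : undefined,
  };
}
const selectionSet = (...selections) => ({ kind: 'SelectionSet', selections });

// Constructed operations, standing in for parse(query).definitions[0].selectionSet.
// { users(first: 20) { id posts(first: 10) { title } } }  -> 20 + 20*10 = 220 rows
const boundedOp = selectionSet(
  field('users', { first: 20 }, [field('id'), field('posts', { first: 10 }, [field('title')])]),
);
// Every page is within maxPageSize, yet three nested lists multiply to 1,010,100 rows.
const nestedOp = selectionSet(
  field('users', { first: 100 }, [
    field('posts', { first: 100 }, [field('comments', { first: 100 }, [field('body')])]),
  ]),
);
// A trusted document still lets the client choose the page size through $n.
const variableOp = selectionSet(field('users', { first: '$n' }, [field('id')]));

function demo() {
  const out = [`bounded: ${enforcePagination(boundedOp)} rows`];
  for (const [label, op, vars] of [['nested', nestedOp, {}], ['variable', variableOp, { n: 5000 }]]) {
    try { enforcePagination(op, vars); out.push(`${label}: accepted`); }
    catch (e) { out.push(`${label}: rejected (${e.message})`); }
  }
  return out;
}
console.log(demo().join('\n'));
```

Rejecting rather than clamping is a deliberate choice: a clamped request returns fewer rows than asked for, and clients that do not inspect `pageInfo` will silently miss data, whereas an error surfaces the misuse. The per-field cap alone is not enough, as `nestedOp` shows: three lists of 100 each are individually compliant but multiply to over a million rows, which is why the fan-out product is bounded as well. In a real deployment the pre-execution walk would run as a graphql-js validation rule or a gateway plugin with the real parsed document and the request's variables.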