Create a new blog article Open Source GraphQL security & add Nohe from Escape among authors #1464
Conversation
Hey @AlexandraC0, can you please run prettier on the files (https://github.com/the-guild-org/website/actions/runs/6707175064/job/18227493571?pr=1464)?
Hey @n1ru4l, author here, ran prettier and changed headings to comply with your linter :)
Hi @n1ru4l Is everything ok now? :)
This is really great and I'm really happy for this (sorry it took me a while to review)
I've added some comments and I'll also add that usually in our blog we try to keep the general writing short and to the point
I think in general there are some things that could be made shorter but overall this is a great post and I can't wait to get it out!
well-established and with a lot of queries on a daily basis, ensuring their security becomes
crucial.

In this exploration, we'll dive into how these open-source practices are important and benefic for
In this exploration, we'll dive into how these open-source practices are important and benefic for
In this exploration, we'll dive into how these open-source practices are important and benefits for
I think both works here, with slightly different meanings, but I'll do as you prefer :)
spreading the word about new dangers fast and wide. It’s our shared language and memory for
cybersecurity issues, helping us all to better safeguard our digital spaces from known threats.
Making sure that vulnerabilities are made public can seem counter-intuitive at first glance, but is a
massive need to ensure that fixes or other security measures are deployed rapidly and widely.
This is a very important point, but one that I think a lot of people don't get.
I think giving very known examples on how the most secure things are open source is important.
We need to have a very clear explanation of why open source things are safer
Agreed, I'll try to make this clearer and more impactful
### Defensive Tools

1. **[GraphQL Shield](https://github.com/dimatill/graphql-shield)**
I would place GraphQL Armor first - we know it's maintained.
GraphQL Shield is a bit less maintained - I wonder if Escape would be interested in helping also maintain this project?
You're right! I don't know if we have bandwidth currently and we don't use it ourselves, but why not in the future!
- **Videos**: Discover visual insights through a collection of videos curated by
  [GraphQL WTF](https://graphql.wtf/). Although not strictly centered around security,
  understanding various facets of GraphQL enhances your capability to architect, implement, and
  secure GraphQL APIs more effectively.
I would also link to this part on graphql.org: https://graphql.org/learn/authorization/
And in general, I think Escape could contribute a lot to the best practices section of graphql.org around security!
Indeed, I'll present this idea, would be nice to add a security part in the official docs!
But hey, let’s not stop there! **Contribute, Engage, Elevate.** That’s the open-source mantra. Your
expertise could well be the next big leap forward for GraphQL tools and platforms. Check out these
awesome [GraphQL projects](https://github.com/chentsulin/awesome-graphql) and see where your skills
I don't want to link to that page - better to link to graphql.org/code.
awesome graphql is not well maintained, it's not really ordered, and there are many unmaintained resources there.
Makes sense, I will add graphql.org/code & maybe https://github.com/Escape-Technologies/awesome-graphql-security ?
I forgot this change, adding it. Tho I agree awesome graphql is not really up to date, but neither is https://graphql.org/code/ + it's really not accessible ://
great
Co-authored-by: Uri Goldshtein <[email protected]>
Hey @Urigo thanks for this qualitative review! I applied the changes and tried to simplify some parts of the article. Let me know if anything else comes to your mind! PS: ping @AlexandraC0 fyi
One last comment
1. **Best Practices**

- [Automatic persisted queries](https://the-guild.dev/graphql/yoga-server/docs/features/automatic-persisted-queries)
I think here it's supposed to be persisted queries (or in their new name "trusted queries") and not automatic persisted queries, which are actually not secure?
Yes, you're right, sorry for the confusion. Do you have any docs / tech in mind to link here? I'm not an expert in persisted queries and I don't know the references, to be honest. There doesn't seem to be a standard / easy way to do it as of now?
I would like here: https://benjie.dev/graphql/trusted-documents and here: https://the-guild.dev/graphql/yoga-server/docs/features/persisted-operations
Updated! Sorry for the delay, I missed your reply
Could you update this branch with the latest master? We've just fixed the prose linter action (it helps spot typos, ensures proper wording, maintains language consistency, etc.)
on it :))
Should be good, merged master and fixed the CI (by shortening the description under 160 chars)
we're good to go! failed CI jobs are only because of inaccessible repository secrets.