diff --git a/docs/4.10/api-protection/graphql-rule.md b/docs/4.10/api-protection/graphql-rule.md index dca20a7691..acaaba7cab 100644 --- a/docs/4.10/api-protection/graphql-rule.md +++ b/docs/4.10/api-protection/graphql-rule.md @@ -1,3 +1,5 @@ +[api-discovery-enable-link]: ../api-discovery/setup.md#enable + # GraphQL API Protection Wallarm detects regular attacks (SQLi, RCE, [etc.](../attacks-vulns-list.md)) in GraphQL by default even under the basic [WAAP](../about-wallarm/subscription-plans.md#waap-and-advanced-api-security) subscription plan. However, some aspects of the protocol allow implementing [GraphQL specific](../attacks-vulns-list.md#graphql-attacks) attacks related to excessive information exposure and DoS. This document describes how to use Wallarm to protect your APIs from these attacks by setting **GraphQL policy** - a set of limits for the GraphQL requests. @@ -17,9 +19,12 @@ Wallarm supports both POST and GET HTTP methods for GraphQL requests. ## Creating and applying the rule +GraphQL rule is recommended to be created for the GraphQL specific endpoints. Creating it as a [default](../user-guides/rules/rules.md#default-rules) rule for the entire system is not recommended. + To set and apply GraphQL policy: -1. Proceed to Wallarm Console → **Rules** → **Add rule**. +--8<-- "../include/rule-creation-initial-step.md" +1. Choose **Mitigation controls** → **GraphQL API protection**. 1. In **If request is**, [describe](../user-guides/rules/rules.md#rule-branches) endpoint URI to apply the rule to and other conditions: * URI of your GraphQL endpoint (in the route, usually contains `/graphql`) 
@@ -28,7 +33,7 @@ To set and apply GraphQL policy: Note that you can set when the rule must be applied using different condition combinations, for example, you can use URI and leave other conditions unspecified or set `CONTENT-TYPE` header to `application/graphql` without specifying any endpoint. You can also create several rules with different conditions and set different limits and reactions in them. -1. In **Then**, choose **Detect GraphQL attacks** and set thresholds for GraphQL requests in accordance with your traffic metrics (if left empty/unselected, no limitation is applied by this criteria): +1. Set thresholds for GraphQL requests in accordance with your traffic metrics (if left empty/unselected, no limitation is applied by this criteria): * **Maximum total query size in kilobytes** - sets the upper limit for the size of an entire GraphQL query. It's crucial for preventing Denial of Service (DoS) attacks that exploit server resources by submitting excessively large queries. * **Maximum value size in kilobytes** - sets the maximum size for any individual value (whether a variable or query parameter) within a GraphQL query. This limit helps mitigate attacks that attempt to overwhelm the server through Excessive Value Length, where attackers send requests with overly long string values for variables or arguments. @@ -42,6 +47,8 @@ To set and apply GraphQL policy: ![GraphQL thresholds](../images/user-guides/rules/graphql-rule.png) +Once created, the rule may be at any moment temporarily disabled and later re-enabled again using the **Mode** parameter of the rule. + ## Reaction to policy violation Reaction to the policy violation is defined by the [filtration mode](../admin-en/configure-wallarm-mode.md) applied to the endpoints targeted by the rule. @@ -58,8 +65,6 @@ You can explore GraphQL policy violations (GraphQL attacks) in Wallarm Console ![GraphQL attacks](../images/user-guides/rules/graphql-attacks.png) - \ No newline at end of file 
diff --git a/docs/latest/api-protection/graphql-rule.md b/docs/latest/api-protection/graphql-rule.md index ab85b6aa18..e12b91f3fa 100644 --- a/docs/latest/api-protection/graphql-rule.md +++ b/docs/latest/api-protection/graphql-rule.md @@ -19,6 +19,8 @@ Wallarm supports both POST and GET HTTP methods for GraphQL requests. ## Creating and applying the rule +GraphQL rule is recommended to be created for the GraphQL specific endpoints. Creating it as a [default](../user-guides/rules/rules.md#default-rules) rule for the entire system is not recommended. + To set and apply GraphQL policy: --8<-- "../include/rule-creation-initial-step.md" @@ -45,7 +47,8 @@ To set and apply GraphQL policy: ![GraphQL thresholds](../images/user-guides/rules/graphql-rule.png) - +Consider that you node configuration via the [`wallarm_mode_allow_override` directive](../admin-en/configure-wallarm-mode.md#prioritization-of-methods) may be set to ignore rules created in Wallarm Console. If this is a case, [explore](../admin-en/configure-wallarm-mode.md#configuration-methods) and use other ways to change the filtration mode. ## Exploring GraphQL attacks @@ -62,8 +65,6 @@ You can explore GraphQL policy violations (GraphQL attacks) in Wallarm Console ![GraphQL attacks](../images/user-guides/rules/graphql-attacks.png) - \ No newline at end of file diff --git a/images/user-guides/rules/graphql-rule-1-action.png b/images/user-guides/rules/graphql-rule-1-action.png index 02bc5e6dfb..0b3f4a36d5 100644 Binary files a/images/user-guides/rules/graphql-rule-1-action.png and b/images/user-guides/rules/graphql-rule-1-action.png differ diff --git a/images/user-guides/rules/graphql-rule-1.png b/images/user-guides/rules/graphql-rule-1.png index dae41510da..c8002fa4d3 100644 Binary files a/images/user-guides/rules/graphql-rule-1.png and b/images/user-guides/rules/graphql-rule-1.png differ 
diff --git a/images/user-guides/rules/graphql-rule-2-action.png b/images/user-guides/rules/graphql-rule-2-action.png index 6798d5cf42..44e85e5f4d 100644 Binary files a/images/user-guides/rules/graphql-rule-2-action.png and b/images/user-guides/rules/graphql-rule-2-action.png differ diff --git a/images/user-guides/rules/graphql-rule-2.png b/images/user-guides/rules/graphql-rule-2.png index 5bff4e7b3d..35a681bbe7 100644 Binary files a/images/user-guides/rules/graphql-rule-2.png and b/images/user-guides/rules/graphql-rule-2.png differ
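Review bot: In the first hunk of `docs/4.10/api-protection/graphql-rule.md` (`@@ -1,3 +1,5 @@`), the new reference-style link definition `[api-discovery-enable-link]: ../api-discovery/setup.md#enable` is not used by any line this diff touches, and the `latest` copy of the same page does not receive it. If a later hunk or an included snippet relies on it, please say so in the PR description; otherwise drop it, since an unused link definition in a Markdown page is dead text that will confuse the next editor.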
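Review bot: The sentence added under "## Creating and applying the rule" in both files (`@@ -17,9 +19,12 @@` in 4.10 and `@@ -19,6 +19,8 @@` in latest) reads awkwardly and is duplicated verbatim across the two versions. Suggest "It is recommended to create the GraphQL rule for GraphQL-specific endpoints only. Creating it as a [default](../user-guides/rules/rules.md#default-rules) rule for the entire system is not recommended." Since the same hunk already introduces the shared `--8<-- "../include/rule-creation-initial-step.md"` snippet, the recommendation could live in an include as well so the two copies cannot drift apart.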
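Review bot: In `@@ -28,7 +33,7 @@` of the 4.10 page, replacing "In **Then**, choose **Detect GraphQL attacks** and set thresholds" with "Set thresholds" drops the only cue telling the reader which part of the rule form the thresholds live in. If the **Then** block and the **Detect GraphQL attacks** action no longer exist in this UI version, the new step text is fine; if they do, keep "In **Then**, set thresholds ...". Unrelated nit while you are on that line: "no limitation is applied by this criteria" should be "by this criterion".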
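Review bot: In `@@ -42,6 +47,8 @@` of the 4.10 page, "may be at any moment temporarily disabled and later re-enabled again" is redundant; suggest "Once created, the rule can be temporarily disabled and later re-enabled using its **Mode** parameter." Note also that at the same position the `latest` page instead gains the `wallarm_mode_allow_override` caveat and not this **Mode** sentence, while 4.10 gets the **Mode** sentence and not the caveat. If the divergence is intentional (feature differs by version) a short note in the PR description would help; if not, both pages should carry both paragraphs.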
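Review bot: The paragraph added in `@@ -45,7 +47,8 @@` of `docs/latest/api-protection/graphql-rule.md` has two typos: "you node configuration" should be "your node configuration", and "If this is a case" should be "If this is the case". More importantly, it is placed under "## Creating and applying the rule" directly before "## Exploring GraphQL attacks", yet it is about the filtration mode, which the page states is what defines the reaction to a policy violation. Consider moving it to the section that explains the reaction so that an operator reading about blocking behaviour sees the caveat that a node whose `wallarm_mode_allow_override` setting ignores Console-defined modes will not react to the rule as expected, which is the case where a GraphQL policy silently fails to block.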
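Review bot: The four updated screenshots (`graphql-rule-1.png`, `graphql-rule-1-action.png`, `graphql-rule-2.png`, `graphql-rule-2-action.png`) are not referenced by any Markdown line in this diff; the pages touched here embed `graphql-rule.png` and `graphql-attacks.png`. Please confirm which page embeds the `-1`/`-2` images (likely the shared rule-creation include) so the reviewer can check that the new screenshots match the renamed **Mitigation controls** → **GraphQL API protection** path introduced in the 4.10 hunk.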