GraphQL
GraphQL collapses N REST endpoints into 1: the client sends one query naming exactly the fields it wants, and the server answers with one response carrying the resolved value of each of them. The animation shows the outbound long-rect query chip followed by inbound chips of 3 distinct shapes (one per type class: scalars / objects / enums).
Engineering pitfalls
N+1 query problem in resolvers
The naive resolver pattern issues one database query for the list and then, for every row, a further query for each nested field it resolves: 100 rows with 5 nested fields each means 500 extra queries on top of the first one, all triggered by a single client request. Batch per-request lookups with a DataLoader-style loader so that sibling resolvers coalesce their keys into one IN query per field instead of one query per row.
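The two patterns side by side, as an added example that is not part of the original page. It runs the same `users { posts }` resolution twice against an in-memory "database" that counts the queries it receives: once with a per-row lookup (N+1) and once through a minimal DataLoader-style batcher. The tables are constructed sample data, and the `Loader` class is a simplified reimplementation of the DataLoader idea written for this example, not the `dataloader` npm package.

```javascript
// Added example, not from the original page. Constructed tables; each call
// to makeDb() returns a fresh database with its own query counter.
function makeDb() {
  return {
    queries: 0,
    users: [{ id: 1, name: "ana" }, { id: 2, name: "bo" }, { id: 3, name: "cy" }],
    posts: [
      { id: 10, userId: 1, title: "a1" },
      { id: 11, userId: 1, title: "a2" },
      { id: 12, userId: 2, title: "b1" },
    ],
    async allUsers() {                       // SELECT * FROM users
      this.queries += 1;
      return this.users;
    },
    async postsByUser(userId) {              // SELECT * FROM posts WHERE user_id = ?
      this.queries += 1;
      return this.posts.filter((p) => p.userId === userId);
    },
    async postsByUsers(userIds) {            // SELECT * FROM posts WHERE user_id IN (...)
      this.queries += 1;
      const wanted = new Set(userIds);
      return this.posts.filter((p) => wanted.has(p.userId));
    },
  };
}

// Naive resolvers: one query for the user list, then one per user for the
// posts field. N users cost N+1 queries.
async function resolveNaive(db = makeDb()) {
  const users = await db.allUsers();
  const result = await Promise.all(
    users.map(async (u) => ({ name: u.name, posts: await db.postsByUser(u.id) })),
  );
  return { result, queries: db.queries };
}

// Minimal DataLoader-style batcher (simplified reimplementation, assumed
// semantics): load() calls made in the same tick are coalesced into one
// batchFn call, and results are cached per key for the request's lifetime.
class Loader {
  constructor(batchFn) {
    this.batchFn = batchFn;
    this.queue = [];
    this.cache = new Map();
    this.scheduled = false;
  }
  load(key) {
    if (this.cache.has(key)) return this.cache.get(key);
    const p = new Promise((resolve, reject) => this.queue.push({ key, resolve, reject }));
    this.cache.set(key, p);
    if (!this.scheduled) {
      this.scheduled = true;
      // Defer one microtask so every sibling resolver has queued its key first.
      queueMicrotask(() => this.flush());
    }
    return p;
  }
  async flush() {
    const batch = this.queue;
    this.queue = [];
    this.scheduled = false;
    try {
      const rows = await this.batchFn(batch.map((b) => b.key));
      batch.forEach((b, i) => b.resolve(rows[i]));
    } catch (e) {
      batch.forEach((b) => b.reject(e));
    }
  }
}

// Batch function contract: return results in the same order as the keys.
async function batchPostsByUser(db, userIds) {
  const rows = await db.postsByUsers(userIds);
  return userIds.map((id) => rows.filter((r) => r.userId === id));
}

// Batched resolvers: one query for the users, one IN query for all posts.
async function resolveBatched(db = makeDb()) {
  const loader = new Loader((keys) => batchPostsByUser(db, keys));
  const users = await db.allUsers();
  const result = await Promise.all(
    users.map(async (u) => ({ name: u.name, posts: await loader.load(u.id) })),
  );
  return { result, queries: db.queries };
}

// Both return identical data; only the query count differs (4 vs 2 here).
resolveNaive().then((n) => resolveBatched().then((b) =>
  console.log(`naive: ${n.queries} queries, batched: ${b.queries} queries`)));
```

Create the loader per request, as above, rather than once per process: a process-wide loader would serve one user's cached rows to the next request, which turns a performance fix into a data-leak bug.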
Query depth and complexity attacks
A self-referencing schema (friends of friends of friends) lets an attacker nest selections so that the server resolves on the order of N^depth objects for fan-out N, so a query that costs the attacker a few hundred bytes can cost the backend millions of resolver calls. Reject documents above a maximum selection depth (commonly around 10) and run a cost analysis before execution that multiplies per-field costs through list fields; the cost check also catches wide queries and alias-duplicated fields that a pure depth limit lets through.
Schema introspection leaking PII type names
Most GraphQL servers answer the `__schema` and `__type` introspection queries by default, handing anyone who can reach the endpoint every type, field and argument name, which reads as a map of the data model including fields that hold personal data. Disable introspection in production, or serve it only to authenticated admin clients. Treat this as defence in depth rather than access control: a client that already knows or guesses field names can still query them, so authorization still has to be enforced in the resolvers.
References
Primary sources
- GraphQL Foundation — GraphQL Specification (October 2021 Edition).
- Apollo Studio — Production-ready GraphQL Best Practices.
- Hasura Engineering — GraphQL N+1 Problem and Solutions.