Guide / API Security

5 Things Wrong With Most GraphQL APIs

valkant / February 2026

GraphQL is everywhere now. It solved real problems with REST, but it also introduced a category of security mistakes that most teams never think about, because the single-endpoint, client-shaped-query model breaks the assumptions that REST-era controls rely on. Here are the five issues we see on almost every GraphQL API we test.

1. Introspection is enabled in production

Introspection lets any client query the full schema: every type, field, mutation and argument. It is the equivalent of handing an attacker your complete API documentation. Most GraphQL servers serve it by default, and many teams never turn it off before deploying to production. Disable the __schema and __type root fields as a validation rule on the parsed query (most servers expose a hook for this) rather than by string-matching the request body, and leave __typename alone, since clients rely on it. Two caveats: turning introspection off is hardening, not a security boundary, because field names can still be guessed or brute-forced; and servers that answer an unknown field with a "Did you mean ...?" suggestion leak names even with introspection disabled, so turn those suggestions off as well.

2. No query depth limits

GraphQL allows nested queries. If your schema has circular relationships (a User has Posts, each Post has an Author that is a User), an attacker can write a query that nests dozens of levels deep, and the work grows multiplicatively with every level, so a single request can exhaust the database and the server. Without a depth limit, one request can take your API down. Measure depth on the parsed query after resolving fragment spreads, because a fragment can hide most of the nesting, and reject the request before execution starts. A depth limit alone is not enough: a shallow but very wide query, or one that aliases the same expensive field hundreds of times, does the same damage, so pair it with a query cost or complexity budget and a hard execution timeout.
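One way to do both checks (the introspection block from point 1 and the depth limit from point 2) in one place, as an added example rather than code from this post or from any GraphQL server: a small stdlib-only Python analyser that tokenizes the query (so braces inside string arguments do not count), resolves fragment spreads before measuring depth, and looks for __schema and __type by their real field names so an alias does not hide them. The depth convention (a leaf field counts as one level), the default limit of 8, and the analyser itself are assumptions for illustration; in a real server you would express the same two rules as validation rules of your GraphQL library, which already has the parsed AST.

```python
# Added example, not the post's code: a stdlib-only analyser for executable GraphQL documents.
import re
_TOKEN = re.compile(r'''
    """[\s\S]*?""" | "(?:\\.|[^"\\\n])*"      # block string, string (braces inside do not count)
  | \#[^\n]* | \.\.\.                         # comment (dropped by tokenize), spread
  | -?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?          # number
  | [_A-Za-z][_0-9A-Za-z]* | [{}()\[\]:$@!=|&]   # name, punctuator
  | (?P<bad>[^\s,\ufeff])                     # anything else is a syntax error
''', re.VERBOSE)

def tokenize(query):
    bad = [m for m in _TOKEN.finditer(query) if m.group('bad')]
    if bad:
        raise ValueError(f"unexpected {bad[0].group()!r} at offset {bad[0].start()}")
    return [m.group() for m in _TOKEN.finditer(query) if not m.group().startswith('#')]

class _Parser:
    # Recursive descent; a selection is ('field', name, children) or ('spread', name, None).
    def __init__(self, tokens):
        self.toks, self.i, self.fields = tokens, 0, set()   # fields: every real field name seen
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of query")
        self.i += 1
        return self.toks[self.i - 1]
    def skip_decorations(self):          # argument list / variable definitions, then directives
        while self.peek() in ('(', '@'):
            if self.take() == '@':
                self.take()              # directive name; its arguments come round the loop
                continue
            depth = 1
            while depth:
                tok = self.take()
                depth += (tok == '(') - (tok == ')')
    def selection_set(self):
        if self.take() != '{':
            raise ValueError("expected '{'")
        items = []
        while self.peek() != '}':
            tok = self.take()
            if tok == '...':
                if self.peek() == 'on':              # inline fragment type condition
                    self.take(); self.take()
                if self.peek() in ('@', '{'):
                    self.skip_decorations()
                    items.extend(self.selection_set())   # inline fragment adds no level
                else:
                    name = self.take()
                    self.skip_decorations()
                    items.append(('spread', name, None))
            else:
                name = tok
                if self.peek() == ':':               # alias: keep the real field name
                    self.take(); name = self.take()
                self.fields.add(name)
                self.skip_decorations()
                children = self.selection_set() if self.peek() == '{' else None
                items.append(('field', name, children))
        self.take()
        return items
    def document(self):
        ops, frags = [], {}
        while self.peek() is not None:
            if self.peek() == 'fragment':
                self.take(); name = self.take(); self.take(); self.take()   # fragment Name on Type
                self.skip_decorations()
                frags[name] = self.selection_set()
                continue
            if self.peek() in ('query', 'mutation', 'subscription'):
                self.take()
                if self.peek() not in ('(', '{', '@'):
                    self.take()                      # operation name
                self.skip_decorations()
            ops.append(self.selection_set())
        return ops, frags

def _depth(items, frags, active=frozenset()):
    """Deepest field nesting, following fragment spreads; a leaf field is one level."""
    deepest = 0
    for kind, name, children in items:
        if kind == 'spread':                         # resolve the fragment; cycles are invalid
            if name not in frags or name in active:
                raise ValueError(f"unknown or cyclic fragment {name!r}")
            deepest = max(deepest, _depth(frags[name], frags, active | {name}))
        else:
            deepest = max(deepest, 1 + (_depth(children, frags, active) if children else 0))
    return deepest

INTROSPECTION_FIELDS = {'__schema', '__type'}        # __typename is harmless; leave it alone

def analyze(query, max_depth=8):
    """Both checks from one parse; raises ValueError on malformed input."""
    parser = _Parser(tokenize(query))
    ops, frags = parser.document()
    depth = max((_depth(op, frags) for op in ops), default=0)
    hits = sorted(parser.fields & INTROSPECTION_FIELDS)
    reasons = [f"depth {depth} exceeds limit {max_depth}"] if depth > max_depth else []
    if hits:
        reasons.append("introspection fields used: " + ", ".join(hits))
    return {"depth": depth, "introspection": bool(hits), "ok": not reasons, "reasons": reasons}
```

Call analyze() on the raw query string before execution and refuse the request when "ok" is false; a ValueError means the document is malformed and should be refused too. The analyser understands executable documents only (queries, mutations, subscriptions, fragments), and it measures depth, not width, so it complements a cost budget rather than replacing one.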

3. Batching without rate limits

Many GraphQL servers accept an array of operations in a single HTTP request. That lets an attacker send thousands of operations in one request and bypass per-request rate limiting entirely. We found exactly this issue at DoorDash, where the lack of rate limiting on batched operations allowed enumeration of order records across the entire platform. Array batching is not the only form: aliases let a client repeat the same root field many times inside one operation, which is also one HTTP request. Count operations, and aliased root fields, per client and charge each one against the client's budget, cap the number of operations per request, and reject the whole batch before executing any of it; a limiter that counts HTTP requests sees one request either way.
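A request-level check for this point, added here as an example and not code from the post: a per-client token bucket that charges one token per operation in the body, caps the batch size, and decides for the whole batch before any operation executes. The client key, the rates, the HTTP status codes and the JSON body shape (a single object or an array of objects with a string "query") are assumptions. It counts array entries only; alias batching inside a single operation needs a per-field count on the parsed query.

```python
# Added example, not the post's code: rate limiting charged per GraphQL operation.
import json
from dataclasses import dataclass
from typing import Dict

@dataclass
class _Bucket:
    tokens: float
    updated: float

class OperationLimiter:
    """Token bucket per client (API key, session, IP), refilled at `rate` operations/second."""

    def __init__(self, rate: float = 5.0, burst: float = 20.0, max_batch: int = 10):
        self.rate, self.burst, self.max_batch = rate, burst, max_batch
        self.buckets: Dict[str, _Bucket] = {}

    @staticmethod
    def count_operations(body: str) -> int:
        """Operations in a GraphQL HTTP body; raises ValueError if the body is malformed."""
        payload = json.loads(body)                  # JSONDecodeError is a ValueError
        ops = payload if isinstance(payload, list) else [payload]
        if not ops or not all(isinstance(o, dict) and isinstance(o.get("query"), str) for o in ops):
            raise ValueError("each operation must be an object with a string 'query'")
        return len(ops)

    def check(self, client: str, body: str, now: float) -> dict:
        """Decide before executing anything; the whole batch is accepted or refused."""
        try:
            n = self.count_operations(body)
        except ValueError as exc:
            return {"allowed": False, "status": 400, "operations": 0, "reason": str(exc)}
        if n > self.max_batch:                      # cap first, so a huge batch never touches the bucket
            return {"allowed": False, "status": 400, "operations": n,
                    "reason": f"batch of {n} exceeds limit {self.max_batch}"}
        b = self.buckets.setdefault(client, _Bucket(self.burst, now))
        b.tokens = min(self.burst, b.tokens + max(0.0, now - b.updated) * self.rate)
        b.updated = now
        if b.tokens < n:                            # charge per operation, not per request
            return {"allowed": False, "status": 429, "operations": n,
                    "reason": f"{n} operations requested, {b.tokens:.1f} left in budget"}
        b.tokens -= n
        return {"allowed": True, "status": 200, "operations": n, "reason": ""}
```

The clock is passed in as `now` rather than read inside, so the limiter is deterministic under test; in a server you would pass time.monotonic(). Keep the buckets in shared storage when you run more than one instance, or each instance hands out the full budget on its own.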

4. Verbose error messages

GraphQL errors are often extremely detailed. Stack traces, database column names, internal service URLs and type information all leak through the errors array, and some servers attach a stack trace under extensions when running in development mode. These details are invaluable to an attacker mapping the backend. In production, return a generic message for anything that is not the caller's own mistake (validation and authorization errors can stay specific, since the caller already knows what they sent), attach a request identifier so support can find the real error, and log the details server-side. Check the production configuration too: the leak usually comes from a debug flag that was never flipped, not from code that deliberately exposes internals.
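An error formatter for this point, added as an example and not the post's or any server's code: exceptions that describe the caller's own mistake pass through with their message, everything else is logged with its traceback and replaced by a generic message plus a request id. The exception classes, the extensions keys and the constructed database error in the usage are illustrative.

```python
# Added example, not the post's code: mask internal errors, keep caller errors, log the detail.
import logging
import traceback
import uuid
from typing import Optional

log = logging.getLogger("graphql.errors")

class ClientError(Exception):
    """Safe to show verbatim: describes the caller's input or permissions, not internals."""
    code = "BAD_USER_INPUT"

class ForbiddenError(ClientError):
    code = "FORBIDDEN"

def format_error(exc: Exception, path: Optional[list] = None, request_id: Optional[str] = None) -> dict:
    """Shape one entry of the GraphQL `errors` array for the client."""
    request_id = request_id or uuid.uuid4().hex
    if isinstance(exc, ClientError):
        return {"message": str(exc), "path": path,
                "extensions": {"code": exc.code, "requestId": request_id}}
    # Internal failure: full detail to the log, only a reference id to the client.
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("request_id=%s path=%s\n%s", request_id, path, detail)
    return {"message": "Internal server error", "path": path,
            "extensions": {"code": "INTERNAL_SERVER_ERROR", "requestId": request_id}}

def run_resolver(fn, path: list, request_id: Optional[str] = None) -> tuple:
    """Call a resolver; return (value, None) or (None, error_entry)."""
    try:
        return fn(), None
    except Exception as exc:        # catching everything is the point: nothing else reaches the client
        return None, format_error(exc, path, request_id)
```

The same request id goes into the log line and into extensions.requestId, so a support engineer can find the real exception from the client's screenshot without the client ever seeing it.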

5. Missing field-level authorization

REST APIs enforce authorization per endpoint. GraphQL exposes a single endpoint where the client chooses which fields, and which nested objects, to return. If authorization is checked once per operation and not per field, users can request fields they should not have access to. A regular user querying an admin-only field on a shared type is the common case; a related one is reaching a protected object through a relationship on a permitted one, such as another customer's payment details through an order that references that customer. Put the check in the resolver of the sensitive field (or in a per-field directive that wraps it), keyed on the viewer and the parent object rather than on the operation name, and apply it to mutations and their return types as well, since a mutation's payload selection is just another query.
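The mistake and the fix side by side for this point, as an added example with constructed users, roles and policies rather than code from the post: the first resolver checks once that a viewer exists and then returns every requested field; the second applies a policy per field, keyed on the viewer and the parent object, and returns null plus a FORBIDDEN error at the field's path, which is how GraphQL reports a partially authorized result. The User type, its fields and the roles are assumptions.

```python
# Added example, not the post's code: operation-level check (weak) beside per-field policies (fix).
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

@dataclass(frozen=True)
class Viewer:
    id: str
    roles: FrozenSet[str] = frozenset()

USERS = {   # constructed sample rows standing in for a database table
    "u1": {"id": "u1", "name": "Ada", "email": "ada@example.com", "riskScore": 12},
    "u2": {"id": "u2", "name": "Bob", "email": "bob@example.com", "riskScore": 87},
}

Policy = Callable[[Viewer, dict], bool]

def self_or_admin(viewer: Viewer, obj: dict) -> bool:
    return viewer.id == obj["id"] or "admin" in viewer.roles

def admin_only(viewer: Viewer, obj: dict) -> bool:
    return "admin" in viewer.roles

# Policy per field of the User type. Fields not listed are readable by any viewer who
# was allowed to reach the object at all; the policy sees the parent object, so
# "owner only" rules are possible without a separate lookup.
USER_FIELD_POLICY: Dict[str, Policy] = {
    "email": self_or_admin,
    "riskScore": admin_only,
}

def resolve_user_operation_level(viewer: Optional[Viewer], user_id: str, selection: List[str]) -> dict:
    """The mistake: one check that a viewer exists, then every selected field is returned."""
    if viewer is None:
        return {"data": None, "errors": [{"message": "unauthenticated"}]}
    obj = USERS[user_id]
    return {"data": {"user": {name: obj[name] for name in selection}}, "errors": []}

def resolve_user(viewer: Viewer, user_id: str, selection: List[str]) -> dict:
    """The fix: evaluate the field policy for each selected field against this viewer and object."""
    obj = USERS.get(user_id)
    if obj is None:
        return {"data": {"user": None}, "errors": [{"message": "not found", "path": ["user"]}]}
    data, errors = {}, []
    for name in selection:
        if name not in obj:
            errors.append({"message": f"unknown field {name!r}", "path": ["user", name]})
            continue
        policy = USER_FIELD_POLICY.get(name)
        if policy is not None and not policy(viewer, obj):
            data[name] = None           # denied fields are null, with an error at their path
            errors.append({"message": "not authorized", "path": ["user", name],
                           "extensions": {"code": "FORBIDDEN"}})
        else:
            data[name] = obj[name]
    return {"data": {"user": data}, "errors": errors}
```

In a real schema the policy table lives next to the type definition (or on a directive such as an auth directive that wraps the field resolver), and the same policies run when the type is reached through a relationship or returned from a mutation, because the per-field resolver is the only path to the data.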

If you are building a GraphQL API, audit these five areas before you ship. If you are testing one, these are your first five checks. Most APIs will fail at least two of them.