feat: Improve Application Security #1889
@wereHamster, making these changes primarily due to the BAFU's report, but also generally, to improve overall security. Do you think the added headers make sense?
I added validation of the data source URL so that we can only use URLs that are whitelisted in datasourceUrl. I tried with https://www.npmjs.com/package/graphql-constraint-directive but could not make it work, and it seems the directive only worked if the field was nested inside an object, which would have required a refactor of places using datasourceUrl. Instead, I used a custom scalar, which can also be used for providing additional validation rules on existing scalars (see https://www.apollographql.com/docs/apollo-server/schema/custom-scalars).
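One way to implement the allow-listed custom scalar described in the comment above, as an added example that is not the PR's code: it assumes constructed allow-list origins and the scalar name `DataSourceUrl`, and only the scalar config is shown, not its wiring into the schema.

```typescript
// Added example (not code from the PR): a custom GraphQL scalar that accepts
// a data source URL only when its origin is on an allow list. The allow-list
// entries and scalar name are constructed; the config object has the shape
// `new GraphQLScalarType(config)` from the `graphql` package expects, but the
// package is not imported so the validation logic runs stand-alone.
const ALLOWED_DATASOURCE_ORIGINS: ReadonlySet<string> = new Set([
  "https://data.example.org",     // constructed sample entry
  "https://int.data.example.org", // constructed sample entry
]);

function tryParseUrl(value: string): URL | null {
  try {
    return new URL(value);
  } catch {
    return null; // relative or malformed input
  }
}

// Returns the normalised URL when allowed, otherwise throws. Shared by
// parseValue (variables), parseLiteral (inline literals) and serialize.
function parseDataSourceUrl(value: unknown): string {
  if (typeof value !== "string") {
    throw new TypeError("DataSourceUrl must be a string");
  }
  const url = tryParseUrl(value);
  if (url === null) {
    throw new TypeError(`DataSourceUrl is not an absolute URL: ${value}`);
  }
  // Compare the parsed origin (scheme + host + port), never a string prefix:
  // "https://data.example.org.evil.test/" and the userinfo form
  // "https://data.example.org@evil.test/" both have a different origin.
  if (!ALLOWED_DATASOURCE_ORIGINS.has(url.origin)) {
    throw new TypeError(`DataSourceUrl origin not allowed: ${url.origin}`);
  }
  return url.href;
}

type ValueNode = { kind: string; value?: unknown };
const DataSourceUrlScalarConfig = {
  name: "DataSourceUrl",
  description: "Absolute URL whose origin is on the data source allow list",
  serialize: (value: unknown) => parseDataSourceUrl(value),
  parseValue: (value: unknown) => parseDataSourceUrl(value),
  parseLiteral: (ast: ValueNode) => {
    if (ast.kind !== "StringValue") { // graphql's Kind.STRING
      throw new TypeError("DataSourceUrl must be a string literal");
    }
    return parseDataSourceUrl(ast.value);
  },
};
```

Because the same check runs in `serialize`, a resolver that returns a URL outside the allow list fails too, not only incoming arguments.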
Thanks @ptbrowne! Looks like this would be a good solution 👍🏼 Did you have issues with
I do not know, I did not see this note either, could be. Did it work for you?
# Conflicts:
#	app/graphql/query-hooks.ts
#	app/graphql/resolver-types.ts
#	yarn.lock
Thanks @adintegra, I am not 100% sure how to test the change, but overall looks good!
One maintenance thing I'd consider would be to add a CHANGELOG entry, mentioning that the security of the application has been improved 🔒
Tightening up security of the application in general: