Security That's Actually Included
Most GraphQL routers treat security as a paid add-on. We think that's backwards. HyperRoute includes comprehensive security in every deployment — free and paid.
Defense in Depth
HyperRoute protects your API at multiple layers:
| Layer | Protection | What It Stops |
|---|---|---|
| Query | Depth & complexity limits | Resource exhaustion attacks |
| Input | Injection detection | SQL, NoSQL, command injection |
| Network | Rate limiting & DDoS protection | Denial of service |
| Data | PII filtering & header allowlists | Data leakage |
Query Limits
Every query is validated against these configurable limits:
| Protection | Default | What It Prevents |
|---|---|---|
| Max Depth | 15 levels | Deeply nested query attacks |
| Max Length | 10KB | Oversized payload attacks |
| Max Complexity | 1000 | Expensive computed queries |
| Max Aliases | 50 | Alias bombing attacks |
These defaults work for most applications. Adjust them in router.yaml if needed.
Injection Detection
HyperRoute automatically scans every request for common attack patterns:
SQL Injection
'; DROP TABLE users; --
' OR '1'='1
UNION SELECT * FROM passwords
NoSQL Injection
{ "$where": "malicious code" }
{ "$regex": ".*" }
Command Injection
; rm -rf /
| cat /etc/passwd
`whoami`
Path Traversal
../../../etc/passwd
..\..\windows\system32
When detected, requests are blocked immediately and the client's reputation score decreases.
Smart Rate Limiting
Rate limits adapt to client behavior over time:
| Behavior | Effect |
|---|---|
| Consistent good requests | Limits gradually increase |
| Occasional errors | No change to limits |
| Frequent limit hits | Limits decrease |
| Malicious patterns | Near-zero access |
This means well-behaved clients get better treatment, while bad actors get progressively restricted.
Data Protection
What We Never Log
By default, HyperRoute never captures:
- Request bodies or variables
- Response data
- Authentication tokens
- User identifiers
You can enable detailed logging for debugging, but it's off by default.
Header Allowlists
Only explicitly allowed headers are forwarded to subgraphs. This prevents accidental credential leakage — a common security issue in gateway architectures.
Immutable Artifacts
Every schema snapshot includes:
- Content-addressed ID (same content = same ID)
- Cryptographic checksums
- Full audit trail
You can always verify that what's running is exactly what was deployed.
Audit Trail
Every action in HyperRoute is logged for compliance:
| Field | Example |
|---|---|
| Who | alice@company.com |
| When | 2024-12-15T14:32:00Z |
| What | schema.deployed |
| Details | users-v2.3.1 → production |
Export for Compliance
Generate audit reports for SOC 2, HIPAA, or internal reviews:
hyperroute audit export --from 2024-01-01 --to 2024-12-31 --format csv
Configuration
Most security features work out of the box. Customize in router.yaml:
security:
# Query limits
max_depth: 15
max_complexity: 1000
max_aliases: 50
# Rate limiting
rate_limit:
requests_per_second: 100
burst: 200
# Injection detection
injection_detection:
enabled: true
action: block # or "log" for monitoring mode
Security Checklist
Before going to production, verify:
- Rate limits configured for your traffic patterns
- Max depth/complexity tuned for your schema
- Injection detection enabled (it's on by default)
- Header allowlist reviewed
- Audit logging connected to your SIEM
Next Steps
- Getting Started — Set up HyperRoute in 5 minutes
- Explore Platform — Dashboards, approvals, and governance