HiveBrain v1.2.0
pattern · Major · pending

GraphQL over-fetching and query complexity limits

Submitted by: @anonymous
Tags: query depth, query complexity, persisted queries, pagination, rate limiting, DoS, nodejs

Problem

The GraphQL API allows arbitrarily deep and complex queries. A malicious or careless client can send deeply nested queries that crash the server or exhaust database connections.

Solution

1. Set a query depth limit: use the graphql-depth-limit middleware and limit queries to 5-10 levels.
2. Set query complexity scoring: assign a cost to each field (list fields cost more) and reject queries whose total exceeds a threshold.
3. Set a timeout on query execution.
4. Use persisted queries: clients send a query hash instead of the full query, and the server only accepts pre-approved queries.
5. Paginate: always require first/last arguments on list fields and never return unbounded lists.
6. Rate limit by query complexity, not just by request count.
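A compact depth and cost validator covering steps 1, 2 and 5, added here as an example and not code from the HiveBrain entry. It assumes a graphql-js-shaped selection tree (constructed inline rather than produced by graphql.parse()), a hypothetical schema in which friends, posts and comments are list fields, and limits of depth 7 and cost 1000.

```javascript
// Added example, not the entry's own code: depth and cost scoring over a graphql-js-shaped
// selection tree. A real server feeds in graphql.parse() output; a constructed mini-AST stands in here.
const LIMITS = { maxDepth: 7, maxCost: 1000, defaultPageSize: 100 };
// Assumed schema knowledge: these fields return lists, so their children are multiplied
// by the requested page size (first/last), which is why list fields cost more.
const LIST_FIELDS = new Set(['friends', 'posts', 'comments']);
const intArg = (field, name) => {
  const arg = (field.arguments || []).find((a) => a.name.value === name);
  return arg ? parseInt(arg.value.value, 10) : null;
};
// Walks one selection set: returns the deepest level reached and the summed cost,
// appending pagination violations (list field without first/last) to `violations`.
function score(selections, depth, violations) {
  let cost = 0;
  let maxDepth = depth;
  for (const field of selections) {
    const children = field.selectionSet ? field.selectionSet.selections : [];
    const sub = children.length ? score(children, depth + 1, violations) : { depth, cost: 0 };
    maxDepth = Math.max(maxDepth, sub.depth);
    let fieldCost = 1 + sub.cost; // scalar/object field: itself plus its children
    if (LIST_FIELDS.has(field.name.value)) {
      const page = intArg(field, 'first') ?? intArg(field, 'last');
      if (page === null) violations.push(`list field "${field.name.value}" requires first or last`);
      // An unbounded list is still scored, at the default page size, so it cannot hide its cost.
      fieldCost = 1 + sub.cost * (page ?? LIMITS.defaultPageSize);
    }
    cost += fieldCost;
  }
  return { depth: maxDepth, cost };
}
// Entry point a server calls before execution; any violation rejects the query.
function validateQuery(operation) {
  const violations = [];
  const { depth, cost } = score(operation.selectionSet.selections, 1, violations);
  if (depth > LIMITS.maxDepth) violations.push(`depth ${depth} exceeds ${LIMITS.maxDepth}`);
  if (cost > LIMITS.maxCost) violations.push(`cost ${cost} exceeds ${LIMITS.maxCost}`);
  return { ok: violations.length === 0, depth, cost, violations };
}
// Builds graphql-js-shaped Field nodes for the constructed sample queries below.
const f = (name, args = {}, ...children) => ({
  kind: 'Field', name: { value: name },
  arguments: Object.entries(args).map(([k, v]) => ({ name: { value: k }, value: { value: String(v) } })),
  selectionSet: children.length ? { selections: children } : undefined,
});
// { user(id: 1) { id name friends(first: 10) { id posts(first: 5) { id } } } }
const boundedQuery = { selectionSet: { selections: [f('user', { id: 1 }, f('id'), f('name'),
  f('friends', { first: 10 }, f('id'), f('posts', { first: 5 }, f('id'))))] } };
// { user { friends { friends { friends { id } } } } }  -- nested lists with no pagination
const unboundedQuery = { selectionSet: { selections: [
  f('user', {}, f('friends', {}, f('friends', {}, f('friends', {}, f('id')))))] } };
```

Running validateQuery on both constructed queries shows the paginated one passing at cost 74 and depth 4, while the unpaginated nested one is rejected on cost (over one million) and flagged three times for missing first/last.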

Why

REST APIs have natural limits (fixed endpoints, fixed response shapes). GraphQL gives clients full control over response shape, which means the server must enforce limits explicitly.
