Akto for GraphQL gateways

What middleBrick covers

  • Schema composition analysis across federated subgraphs
  • Operation complexity and depth abuse detection
  • Authentication and gateway-level authorization checks
  • Input validation for query parameters and headers
  • Risk scoring with prioritized remediation guidance
  • CI/CD integration and continuous monitoring support

GraphQL gateway security challenges

GraphQL gateways introduce indirection through schema stitching and federation, expanding the attack surface compared to single-endpoint APIs. The gateway composes multiple subgraphs, which can expose inconsistent validation and authorization rules across operations. Injection risks shift from direct database or command execution to query manipulation, resolver chaining, and depth attacks that abuse nested field resolution, where each additional nesting level fans out to further resolver (and, in a federated setup, subgraph) calls.

How this scanner covers GraphQL gateway concerns

middleBrick analyzes the composed GraphQL schema and runtime behavior to surface issues relevant to API gateways. It inspects operation complexity, field-level exposure, and type introspection settings. Findings map to OWASP API Top 10 categories such as Input Validation and Property Authorization, and help you prepare for controls described in SOC 2 Type II and PCI-DSS 4.0 by surfacing misconfigurations in gateway routing and schema composition.

Authentication and authorization verification

The scanner evaluates how authentication is enforced at the gateway and whether authorization rules are consistently applied across composed subgraphs. It checks for missing security schemes, malformed tokens, and improper propagation of identity context. When authenticated scanning is enabled via Bearer, API key, Basic auth, or Cookie, the domain verification gate ensures only the domain owner can submit credentials, and only headers on a restricted allowlist are forwarded to the target.

Limitations for GraphQL-specific logic

Business logic vulnerabilities in GraphQL resolvers, such as over-fetching that violates least-privilege or misuse of persisted queries, require domain-specific review. The scanner does not execute GraphQL queries against business workflows, does not detect blind SSRF dependent on out-of-band callbacks, and cannot replace a human pentester for high-stakes audits. It detects surface misconfigurations and exposes findings relevant to audit evidence for governance reviews.

Operational integration and monitoring

Use the CLI with middlebrick scan <url> to perform an initial assessment, or integrate the GitHub Action as a CI/CD gate that fails the build when the score drops below your chosen threshold. For continuous monitoring in Pro, scheduled rescans produce diffs across runs, highlighting new findings or resolved issues. HMAC-SHA256 signed webhooks notify downstream systems automatically (so receivers can verify that a notification really came from the scanner), and alerts are rate-limited to reduce noise.

Frequently Asked Questions

Does this scanner test for SQL injection via GraphQL arguments?
It does not perform active SQL injection testing, as that requires intrusive payloads outside the scanner's scope. It identifies input validation and schema-level risks that may indicate exposure.
Can it validate JWT handling across federated services?
It checks JWT configuration such as alg=none and expired tokens at the gateway. Domain verification is required for authenticated scans to ensure only the domain owner can validate token propagation.
How does the tool handle deeply nested GraphQL queries?
It inspects operation complexity and depth settings to flag overly nested queries that risk resource exhaustion. Findings align with input validation guidance but do not execute queries against resolvers.
What compliance mappings are provided for GraphQL APIs?
Findings map to OWASP API Top 10 (2023) and support audit evidence for SOC 2 Type II and PCI-DSS 4.0. Other frameworks are referenced through alignment language only.