A practical checklist for reviewing GraphQL authorization, resolver-level access control, mutation abuse, object ownership, introspection exposure, query complexity, and cross-tenant data leakage risks.
GraphQL Security Review Areas
Use these checks to review high-risk GraphQL behavior before exposing a new schema, launching customer-facing APIs, adding mutations, or changing your authorization model.
Schema and Introspection Exposure
- Check whether introspection is enabled in production
- Review exposed types, queries, mutations, enums, and input objects
- Identify sensitive fields exposed through the schema
- Confirm internal-only operations are not available to external users
- Review whether schema visibility differs correctly between roles and tenants
Authentication Controls
- Confirm GraphQL endpoints require authentication where needed
- Test missing, expired, malformed, and reused tokens
- Verify session invalidation after logout, password change, and account removal
- Check whether anonymous users can query sensitive schema areas
- Review authentication behavior across web, mobile, and internal GraphQL clients
Resolver-Level Authorization
- Confirm every resolver enforces authorization server-side
- Test whether nested fields bypass parent-level authorization
- Verify field-level access control for sensitive user, billing, admin, and tenant data
- Check whether hidden frontend fields can still be queried directly
- Confirm authorization is enforced consistently across queries, mutations, and nested relationships
Object-Level Access Control
- Test IDOR/BOLA by changing object IDs in GraphQL variables
- Verify users cannot query another tenant’s records
- Test projects, files, reports, invoices, exports, users, teams, comments, and billing objects
- Check whether global IDs, base64 IDs, UUIDs, or numeric IDs can be swapped
- Confirm object ownership validation happens before returning node data
Mutation Authorization
- Test create, update, delete, invite, export, and billing mutations with lower-privileged users
- Modify role, tenant, organization, user, team, and object IDs in mutation variables
- Check whether users can assign themselves higher privileges
- Verify invite mutations cannot add users to unauthorized tenants
- Confirm destructive mutations require both role permission and object ownership
Query Abuse and Complexity
- Test deeply nested queries for excessive resource usage
- Check whether query depth limits are enforced
- Review query cost, pagination, and complexity controls
- Test large limits, repeated nested edges, and expensive relationship queries
- Confirm high-cost queries cannot be abused for denial-of-service behavior
Aliases, Fragments, and Batching
- Test aliases to repeat expensive or sensitive operations in one request
- Use fragments to request sensitive fields through alternate query shapes
- Check batched GraphQL requests for inconsistent authorization behavior
- Verify rate limits apply to operation count, not only HTTP request count
- Confirm authorization failures in one operation do not leak data through another operation
Sensitive Data Exposure
- Review GraphQL responses for unnecessary fields
- Check exposure of emails, roles, invite status, internal IDs, billing data, tokens, metadata, and configuration values
- Test nested relationships for unexpected sensitive data leakage
- Review error responses for stack traces, resolver names, database details, or internal paths
- Confirm deleted, inactive, archived, or soft-deleted records are not still queryable
Tenant Isolation
- Confirm tenant boundaries are enforced in queries and mutations
- Test organization, workspace, account, company, and team identifiers
- Check search, filters, dashboards, exports, reports, and analytics queries for cross-tenant leakage
- Verify background jobs, notifications, and integrations do not expose another tenant’s GraphQL data
- Confirm tenant isolation applies across nested relationships and resolver chains
Subscriptions, Uploads, and Integrations
- Review GraphQL subscriptions for unauthorized event leakage
- Confirm users only receive real-time events for their own tenant and objects
- Test file upload mutations for authorization and ownership checks
- Review webhook, integration, and third-party connector mutations
- Confirm integration tokens and connected account data are not exposed through GraphQL
Logging, Retesting, and Remediation
- Log failed GraphQL authorization attempts
- Alert on repeated object-ID probing and cross-tenant access attempts
- Retest fixes across queries, mutations, fragments, aliases, batching, and nested fields
- Verify fixes cannot be bypassed through mobile APIs, legacy endpoints, or alternate GraphQL operations
- Document evidence, impact, affected roles, affected resolvers, reproduction steps, and remediation guidance
GraphQL Authorization Flow
Strong GraphQL security requires authorization at the resolver, object, field, and mutation level. A valid session should never automatically mean access to every reachable node in the schema.
Common GraphQL Security Mistakes
Introspection exposed in production
Review this behavior across roles, tenants, resolvers, and operation types.
Resolver authorization gaps
Review this behavior across roles, tenants, resolvers, and operation types.
Missing object ownership checks
Review this behavior across roles, tenants, resolvers, and operation types.
Overly broad nested responses
Review this behavior across roles, tenants, resolvers, and operation types.
Mutation-level privilege escalation
Review this behavior across roles, tenants, resolvers, and operation types.
Unsafe invite and role mutations
Review this behavior across roles, tenants, resolvers, and operation types.
Query depth and batching abuse
Review this behavior across roles, tenants, resolvers, and operation types.
Sensitive data leakage through fragments or aliases
Review this behavior across roles, tenants, resolvers, and operation types.
Cross-tenant records exposed through global IDs
Review this behavior across roles, tenants, resolvers, and operation types.
Verbose GraphQL error messages
Review this behavior across roles, tenants, resolvers, and operation types.
When to Request a Manual GraphQL Review
Automated scanners often miss GraphQL weaknesses because authorization depends on schema shape, resolver behavior, nested relationships, operation type, tenant context, and business rules.
- Resolver-level authorization gaps
- GraphQL IDOR/BOLA
- Mutation authorization flaws
- Cross-tenant data exposure
- Nested object leakage
- Role escalation through mutation variables
- Alias, fragment, and batching bypasses
- Business logic abuse in GraphQL workflows
Need a Manual GraphQL Security Review?
The Hidden Finds helps SaaS teams identify GraphQL authorization flaws, resolver-level access control gaps, mutation abuse paths, tenant isolation weaknesses, and sensitive data exposure that automated tools often miss.