GraphQL Security Checklist
GraphQL Security Checklist for SaaS Teams

A practical checklist for reviewing GraphQL authorization, resolver-level access control, mutation abuse, object ownership, introspection exposure, query complexity, and cross-tenant data leakage risks.

Checklist

GraphQL Security Review Areas

Use these checks to review high-risk GraphQL behavior before exposing a new schema, launching customer-facing APIs, adding mutations, or changing your authorization model.

Schema and Introspection Exposure

  • Check whether introspection is enabled in production
  • Review exposed types, queries, mutations, enums, and input objects
  • Identify sensitive fields exposed through the schema
  • Confirm internal-only operations are not available to external users
  • Review whether schema visibility differs correctly between roles and tenants

Authentication Controls

  • Confirm GraphQL endpoints require authentication where needed
  • Test missing, expired, malformed, and reused tokens
  • Verify session invalidation after logout, password change, and account removal
  • Check whether anonymous users can query sensitive schema areas
  • Review authentication behavior across web, mobile, and internal GraphQL clients

Resolver-Level Authorization

  • Confirm every resolver enforces authorization server-side
  • Test whether nested fields bypass parent-level authorization
  • Verify field-level access control for sensitive user, billing, admin, and tenant data
  • Check whether hidden frontend fields can still be queried directly
  • Confirm authorization is enforced consistently across queries, mutations, and nested relationships

Object-Level Access Control

  • Test IDOR/BOLA by changing object IDs in GraphQL variables
  • Verify users cannot query another tenant’s records
  • Test projects, files, reports, invoices, exports, users, teams, comments, and billing objects
  • Check whether global IDs, base64 IDs, UUIDs, or numeric IDs can be swapped
  • Confirm object ownership validation happens before returning node data

Mutation Authorization

  • Test create, update, delete, invite, export, and billing mutations with lower-privileged users
  • Modify role, tenant, organization, user, team, and object IDs in mutation variables
  • Check whether users can assign themselves higher privileges
  • Verify invite mutations cannot add users to unauthorized tenants
  • Confirm destructive mutations require both role permission and object ownership

Query Abuse and Complexity

  • Test deeply nested queries for excessive resource usage
  • Check whether query depth limits are enforced
  • Review query cost, pagination, and complexity controls
  • Test large limits, repeated nested edges, and expensive relationship queries
  • Confirm high-cost queries cannot be abused for denial-of-service behavior

Aliases, Fragments, and Batching

  • Test aliases to repeat expensive or sensitive operations in one request
  • Use fragments to request sensitive fields through alternate query shapes
  • Check batched GraphQL requests for inconsistent authorization behavior
  • Verify rate limits apply to operation count, not only HTTP request count
  • Confirm authorization failures in one operation do not leak data through another operation

Sensitive Data Exposure

  • Review GraphQL responses for unnecessary fields
  • Check exposure of emails, roles, invite status, internal IDs, billing data, tokens, metadata, and configuration values
  • Test nested relationships for unexpected sensitive data leakage
  • Review error responses for stack traces, resolver names, database details, or internal paths
  • Confirm deleted, inactive, archived, or soft-deleted records are not still queryable

Tenant Isolation

  • Confirm tenant boundaries are enforced in queries and mutations
  • Test organization, workspace, account, company, and team identifiers
  • Check search, filters, dashboards, exports, reports, and analytics queries for cross-tenant leakage
  • Verify background jobs, notifications, and integrations do not expose another tenant’s GraphQL data
  • Confirm tenant isolation applies across nested relationships and resolver chains

Subscriptions, Uploads, and Integrations

  • Review GraphQL subscriptions for unauthorized event leakage
  • Confirm users only receive real-time events for their own tenant and objects
  • Test file upload mutations for authorization and ownership checks
  • Review webhook, integration, and third-party connector mutations
  • Confirm integration tokens and connected account data are not exposed through GraphQL

Logging, Retesting, and Remediation

  • Log failed GraphQL authorization attempts
  • Alert on repeated object-ID probing and cross-tenant access attempts
  • Retest fixes across queries, mutations, fragments, aliases, batching, and nested fields
  • Verify fixes cannot be bypassed through mobile APIs, legacy endpoints, or alternate GraphQL operations
  • Document evidence, impact, affected roles, affected resolvers, reproduction steps, and remediation guidance
Authorization Flow

GraphQL Authorization Flow

Operation ReceivedAuthenticate UserResolve TenantCheck Object OwnershipCheck Field or Mutation PermissionReturn Data or Deny

Strong GraphQL security requires authorization at the resolver, object, field, and mutation level. A valid session should never automatically mean access to every reachable node in the schema.

Common Mistakes

Common GraphQL Security Mistakes

Introspection exposed in production

Review this behavior across roles, tenants, resolvers, and operation types.

Resolver authorization gaps

Review this behavior across roles, tenants, resolvers, and operation types.

Missing object ownership checks

Review this behavior across roles, tenants, resolvers, and operation types.

Overly broad nested responses

Review this behavior across roles, tenants, resolvers, and operation types.

Mutation-level privilege escalation

Review this behavior across roles, tenants, resolvers, and operation types.

Unsafe invite and role mutations

Review this behavior across roles, tenants, resolvers, and operation types.

Query depth and batching abuse

Review this behavior across roles, tenants, resolvers, and operation types.

Sensitive data leakage through fragments or aliases

Review this behavior across roles, tenants, resolvers, and operation types.

Cross-tenant records exposed through global IDs

Review this behavior across roles, tenants, resolvers, and operation types.

Verbose GraphQL error messages

Review this behavior across roles, tenants, resolvers, and operation types.

Manual Review

When to Request a Manual GraphQL Review

Automated scanners often miss GraphQL weaknesses because authorization depends on schema shape, resolver behavior, nested relationships, operation type, tenant context, and business rules.

  • Resolver-level authorization gaps
  • GraphQL IDOR/BOLA
  • Mutation authorization flaws
  • Cross-tenant data exposure
  • Nested object leakage
  • Role escalation through mutation variables
  • Alias, fragment, and batching bypasses
  • Business logic abuse in GraphQL workflows
Next Step

Need a Manual GraphQL Security Review?

The Hidden Finds helps SaaS teams identify GraphQL authorization flaws, resolver-level access control gaps, mutation abuse paths, tenant isolation weaknesses, and sensitive data exposure that automated tools often miss.