loading table of contents...

Headless Server Developer Manual / Version 2310

Table Of Contents

3.5 Security

Depending on the frontend approach, the Headless Server may be fully or partially exposed to public access. Therefore, the Headless Server needs an effective protection.

GraphQL offers a self-descriptive approach to deliver data to client applications. This makes it easy to any client to use and visualize this data in any way, without the need to have an exact knowledge about the underlying data model, thus reducing the need for support. On the other hand, clients may request as much data as they wish, creating potentially high load on the server.



Because of the database character of any GraphQL endpoint, the publicly accessible content items should never contain any confidential data, like access credentials or user data.

Protecting the Headless Server can be realized by two general approaches:

  • Externally, before the Headless Server is actually invoked, by using hardware (load balancers, firewalls), a web server (gateway) or a so-called backend-for-frontend approach.
  • On the application layer of the Headless Server by means of configuration.

The external approach is usually very efficient. You may enforce certain access restrictions by employing some kind of authorization and/or authentication or define IP access restrictions. However, this approach implies, that the clients are in some kind 'known' by the server. If you want to allow accessing data by any client, this approach is hard to enforce.

Whenever it is not possible or not desirable to restrict access to known clients, you might use the application layer approach.

The Headless Server offers these options to employ security measures:

All the above measures may be used to protect the server from expensive queries or malicious attacks.



In order to provide a certain amount of protection by default, the size of a search result is limited to 200 hits and the maximum query depth is set to 30. Especially on protected preview servers, these limits are possibly not desirable, while developing or testing GraphQL queries and therefore should be reconfigured to suite your needs.

Search Results

Table Of Contents

Your Internet Explorer is no longer supported.

Please use Mozilla Firefox, Google Chrome, or Microsoft Edge.