Skip to content

Commit

Permalink
Small edits on the trusted documents page (#10745)
Browse files Browse the repository at this point in the history 
Super happy that you're making trusted documents so easy to use! Whilst
reviewing the text I spotted a few typos and awkward sentences so here
are some minor edits ❤️

Line 7 you should review carefully, I've significantly changed the
meaning of the sentence, so if I'm mistaken please correct me.

Co-authored-by: David Thyresson <dthyresson@gmail.com>
  • Loading branch information
@benjie @dthyresson
benjie and dthyresson authored Jun 18, 2024
1 parent 8b48cf3 commit c66fdf7
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions docs/docs/graphql/trusted-documents.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ RedwoodJS can be setup to enforce [persisted operations](https://the-guild.dev/g

Use trusted documents if your GraphQL API is only for your own app (which is the case for most GraphQL APIs) for a massively decreased attack-surface, increased performance, and decreased bandwidth usage.

At app build time, Redwood will extract the GraphQL documents (queries, etc) and make them available to the server. At run time, you can then send "document id" or "hash" instead of the whole document; only accept requests with a known document id.
At app build time, Redwood will extract the GraphQL documents (queries, etc) and make them available to the server. At run time, you must then send "document id" or "hash" instead of the whole document as the server will only accept requests with a known document id.

This prevents malicious attackers from executing arbitrary GraphQL thus helping with unwanted resolver traversal or information leaking.

Expand Down Expand Up @@ -84,9 +84,9 @@ See how the `76308e971322b1ece4cdff75185bb61d7139e343` hash ids match?

Now, when the client requests to make a query for `76308e971322b1ece4cdff75185bb61d7139e343`, the GraphQL server knows to execute the corresponding query associated with that hash.

This means that because queries are pre-generated and the hash ids ***must match**, there is no way for any un-trusted or ad-hock queries to get executed by the GraphQL server.
This means that because queries are pre-generated and the hash ids **must match**, there is no way for any un-trusted or ad-hoc queries to get executed by the GraphQL server.

Thus preventing unwanted queries or GraphQl traversal attacks,
Thus preventing unwanted queries or GraphQL traversal attacks,

* Configure RedwoodJS to use Trusted Documents via `redwood.toml`
* Configure the GraphQL Server
Expand Down

0 comments on commit c66fdf7

Please sign in to comment.