Data validation

Inadequate validation of input and output is the most common security risk in an API definition. If you do not restrict what your API accepts as input, you are opening the door for attacks like SQL injections and buffer overflow. If you do not restrict what your API can include in the responses it sends, the API may leak out information that can be used to target attacks to the possible weak spots.

For complete picture on how secure the API is, data validation is done on several levels:

• Built-in and custom scalars
• Built-in and custom directives
• Constraints for different types of directives