In an enterprise GraphQL deployment, subgraphs should accept traffic only from the gateway: direct access to them needs to be controlled or blocked outright, and requests that are tampered with in transit or replayed may also be a concern.
The Grafbase Gateway now provides an additional layer of protection against these problems: HTTP Message Signatures. When enabled, the gateway signs every outgoing subgraph request following RFC 9421 (HTTP Message Signatures).
Subgraphs can then verify these signatures and reject any request that did not come from the gateway or was modified along the way. As with any RFC 9421 deployment, a signature only protects the components it covers, so a subgraph should check that the method, target URI and a Content-Digest of the body are among the covered components, and should enforce the `created` and `expires` signature parameters to bound how long a captured signature can be replayed.
This is available from version 0.18.0 of the gateway, and can be enabled in the configuration:
```toml
[gateway.message_signatures]
enabled = true
key.file = "key.json"
```
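The subgraph side of this exchange, as an added example that is not part of the original post or of Grafbase's own code: a signer standing in for the gateway and a verifier standing in for the subgraph, both implementing RFC 9421 with the registered `hmac-sha256` algorithm and standard library only. Everything about the key is assumed (a shared HMAC secret under a hypothetical `keyid` of `gateway-key`, not whatever `key.json` actually holds), as is the set of covered components; the request, body and timestamps are constructed for the demo.

```python
"""Sign and verify an RFC 9421 HTTP Message Signature with hmac-sha256.

Assumptions (not taken from Grafbase's documentation): gateway and subgraph
share an HMAC key identified by KEY_ID, the signature covers @method,
@target-uri and content-digest, and a single signature label "sig1" is used.
"""
import base64
import hashlib
import hmac
import re
import time
from urllib.parse import urlsplit

SHARED_KEY = b"constructed-demo-key-do-not-use"  # constructed sample, not a real key
KEY_ID = "gateway-key"  # hypothetical keyid carried in Signature-Input
REQUIRED = ("@method", "@target-uri", "content-digest")


def content_digest(body: bytes) -> str:
    """RFC 9530 Content-Digest value for the sha-256 digest of the body."""
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"


def component_value(req: dict, name: str) -> str:
    """Canonical value of one covered component (RFC 9421 section 2)."""
    if name == "@method":
        return req["method"].upper()
    if name == "@target-uri":
        return req["url"]
    if name == "@authority":
        return urlsplit(req["url"]).netloc.lower()
    if name.startswith("@"):
        raise ValueError(f"unsupported derived component {name}")
    values = req["headers"].get(name)  # header names are stored lowercased
    if values is None:
        raise ValueError(f"covered field {name} is missing")
    values = [values] if isinstance(values, str) else values
    return ", ".join(v.strip() for v in values)


def signature_base(req: dict, components: list, params: str) -> bytes:
    """Signature base: one line per covered component, then @signature-params."""
    lines = [f'"{c}": {component_value(req, c)}' for c in components]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines).encode()


def sign(req: dict, components: list, key: bytes, keyid: str, created: int, label="sig1") -> dict:
    """Gateway side: add Signature-Input and Signature headers to the request."""
    inner = " ".join(f'"{c}"' for c in components)
    params = f'({inner});created={created};keyid="{keyid}";alg="hmac-sha256"'
    mac = hmac.new(key, signature_base(req, components, params), hashlib.sha256).digest()
    headers = dict(req["headers"])
    headers["signature-input"] = f"{label}={params}"
    headers["signature"] = f"{label}=:{base64.b64encode(mac).decode()}:"
    return {**req, "headers": headers}


def parse_signature_input(value: str, label: str):
    """Return (covered components, parameters, raw params string) for one label."""
    prefix = f"{label}="
    if not value.startswith(prefix):
        raise ValueError("signature label not present")
    params = value[len(prefix):]
    m = re.fullmatch(r'\(([^)]*)\)((?:;[a-z]+=(?:"[^"]*"|[^";]+))*)', params)
    if not m:
        raise ValueError("malformed Signature-Input")
    components = re.findall(r'"([^"]+)"', m.group(1))
    meta = {k: v for k, _, v in re.findall(r';([a-z]+)=("?)([^";]*)\2', m.group(2))}
    return components, meta, params


def verify(req: dict, key: bytes, keyid: str, label="sig1", max_age=300, now=None) -> str:
    """Subgraph side: return "ok" or the reason the request must be rejected."""
    now = int(time.time()) if now is None else now
    try:
        components, meta, params = parse_signature_input(req["headers"]["signature-input"], label)
        if meta.get("keyid") != keyid or meta.get("alg", "hmac-sha256") != "hmac-sha256":
            return "unknown keyid or algorithm"
        if any(c not in components for c in REQUIRED):
            return "signature does not cover method, target and body digest"
        # Freshness window: a captured signature replayed later lands outside it.
        created = int(meta["created"])
        if not (now - max_age <= created <= now + 60) or int(meta.get("expires", now)) < now:
            return "signature outside freshness window"
        m = re.search(rf"{re.escape(label)}=:([A-Za-z0-9+/=]+):", req["headers"]["signature"])
        if not m:
            return "missing signature"
        expected = hmac.new(key, signature_base(req, components, params), hashlib.sha256).digest()
        if not hmac.compare_digest(base64.b64decode(m.group(1)), expected):
            return "bad signature"
        # The signature binds the digest header; this binds the body to the digest.
        if req["headers"]["content-digest"] != content_digest(req["body"]):
            return "body does not match content-digest"
    except (KeyError, ValueError) as exc:
        return f"malformed request: {exc}"
    return "ok"


def demo(now: int = 1_700_000_000) -> dict:
    """Sign a constructed gateway request, then verify it, two tampered copies and a replay."""
    body = b'{"query":"{ me { id } }"}'
    req = {"method": "POST", "url": "https://accounts.internal/graphql",
           "headers": {"content-type": "application/json", "content-digest": content_digest(body)},
           "body": body}
    signed = sign(req, list(REQUIRED), SHARED_KEY, KEY_ID, created=now)
    return {
        "genuine": verify(signed, SHARED_KEY, KEY_ID, now=now),
        "tampered_body": verify({**signed, "body": b'{"query":"{ me { id email } }"}'}, SHARED_KEY, KEY_ID, now=now),
        "tampered_url": verify({**signed, "url": "https://accounts.internal/admin"}, SHARED_KEY, KEY_ID, now=now),
        "replayed": verify(signed, SHARED_KEY, KEY_ID, now=now + 3600),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The tampered-body case is the one worth noticing: the signature itself still verifies because it covers the Content-Digest header rather than the body, so the subgraph must separately recompute the digest over the bytes it received. Likewise, a subgraph that ignores `created` accepts the replayed request indefinitely; the window here is a hypothetical five minutes.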
Signing is configurable to fit your deployment; see our documentation for the available options.
Your input helps us to improve, refine and evolve Grafbase. Join the conversation on Discord, where you can share your ideas and feedback directly with the Grafbase team and get involved with our Community.