GraphQL Security in Production with Automated Allow Lists
The article discusses Hasura's "Allow List" feature for restricting the GraphQL operations an application may execute, which helps prevent excessive data exposure and protects against API scraping. The "Allow List" is a list of permitted GraphQL operations: the Hasura GraphQL Engine runs only the operations on that list and rejects everything else. There are three ways to build an allow list in Hasura: manually through the project settings; from the monitoring tab, by selecting among previously executed operations; and fully automated via the GraphQL Code Generator library with a plugin that keeps the allow list in sync with the front-end code. The plugin is community-maintained and only works within the JavaScript ecosystem.
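The mechanism the summary describes, as an added illustration that is not code from the Hasura article or from Hasura itself: a small gate that accepts only operations whose normalized text appears in a list generated from the front end's own query documents. It assumes (as a generic example, not Hasura's implementation) that matching is done on the whitespace-normalized operation text, and the two front-end operations and the sample requests are constructed for the example.

```javascript
// Added example of how a GraphQL operation allow list gates requests.
// Generic illustration only, not Hasura's implementation: Hasura keeps the list
// in its metadata and enforces it inside the engine; here the same idea is a
// tiny check you could place in front of any GraphQL endpoint.

// Normalize an operation so cosmetic differences (whitespace, line breaks,
// comments) do not defeat the comparison. Assumption for this example: the
// allow list is matched on the normalized operation text.
function normalizeOperation(text) {
  return text
    .replace(/#[^\n]*/g, "")                  // strip GraphQL line comments
    .replace(/\s+/g, " ")                     // collapse whitespace runs
    .replace(/\s*([{}()\[\]:,!])\s*/g, "$1")  // drop spaces around punctuation
    .trim();
}

// Operations the front end actually uses (constructed for the example).
// A code-generated allow list would be built from the app's .graphql files.
const FRONTEND_OPERATIONS = [
  `query GetUserProfile($id: uuid!) {
     users_by_pk(id: $id) { id display_name }
   }`,
  `mutation UpdateDisplayName($id: uuid!, $name: String!) {
     update_users_by_pk(pk_columns: {id: $id}, _set: {display_name: $name}) { id }
   }`,
];

function buildAllowList(operations) {
  return new Set(operations.map(normalizeOperation));
}

const ALLOW_LIST = buildAllowList(FRONTEND_OPERATIONS);

// The gate: { allowed: true } for a listed operation, otherwise
// { allowed: false, reason }. A production gate would also log rejections so
// that scraping attempts surface in monitoring.
function checkOperation(allowList, requestBody) {
  if (typeof requestBody.query !== "string") {
    return { allowed: false, reason: "missing query" };
  }
  const key = normalizeOperation(requestBody.query);
  if (allowList.has(key)) {
    return { allowed: true };
  }
  return { allowed: false, reason: "operation not in allow list" };
}

// Sample requests, constructed for the illustration.
const legitimateRequest = {
  // Same operation the front end sends, formatted differently by the client.
  query: "query GetUserProfile($id: uuid!) { users_by_pk(id: $id) { id display_name } }",
  variables: { id: "00000000-0000-0000-0000-000000000000" },
};

const overFetchingRequest = {
  // An ad-hoc operation asking for fields the application never exposes.
  query: "query { users { id display_name email billing_address } }",
};

console.log(checkOperation(ALLOW_LIST, legitimateRequest));   // allowed
console.log(checkOperation(ALLOW_LIST, overFetchingRequest)); // rejected
```

The point of normalizing before comparison is that a client library may reformat the same operation; an allow list that compares raw strings would reject legitimate traffic, while one that compares parsed or normalized operations rejects only operations the application never shipped.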
Company: Hasura
Date published: Jan. 19, 2023
Author(s): Catalin Pit
Word count: 630
Language: English
Hacker News points: None found.