The focus with GraphQL is more on how data is queried and less on how resources are modeled.
To start with, a GraphQL query could map to many different resolving functions, any of which could fail. As a result, a response could be partially successful and partially failed at the same time.
This vulnerability exists with other servers as well, but in the case of a GraphQL server, your API schema may expose potentially complex and expensive query patterns that could bring down your system easily.
The Ultimate Guide to handling JWTs on frontend clients (GraphQL)
— Read on blog.hasura.io/best-practices-of-using-jwt-with-graphql/
So far, this is the best article I have read that explains and answers questions on JWT (both server and client.)
That’s why it’s also really important not to store JWT on the client, say via cookies or localstorage. Doing so you make your app vulnerable to CSRF & XSS attacks, by malicious forms or scripts to use or steal your token lying around in cookies or localstorage.
So memory only? For cookies, with HttpOnly and Secure, there should be no concern about XSS or man-in-the-middle. Yes, chance of CSRF is still there. So you need anti-forgery. For example, keeping an anti-forgery token in localstorage (since value in localstorage won’t be sent automatically with each request.)
So it really depends on the balance of security vs. cost to keep it absolutely secure.
A very good point has been made in this SO thread.
This is a painful discussion on the Internet. Our short (and opinionated answer) is that backend developers like using JWTs because a) microservices b) not needing a centralized token database.
Indeed yes, the two most important benefits.
This token is issued as part of authentication process along with the JWT. The auth server should saves this refresh token and associates it to a particular user in its own database, so that it can handle the renewing JWT logic.
The refresh token is sent by the auth server to the client as an HttpOnly cookie and is automatically sent by the browser in a /refresh_token API call.
Persisting JWT token in localstorage (prone to XSS) < Persisting JWT token in an HttpOnly cookie (prone to CSRF, a little bit better for XSS) < Persisting refresh token in an HttpOnly cookie (safe from CSRF, a little bit better for XSS).
https://about.gitlab.com/2019/08/27/tyranny-of-the-clock/
The first step is to look for critical filters to dramatically reduce the area to troubleshoot. Such as type of logs, which server, etc.
Wireshark statistics tools could be super helpful.
If usage pattern aligns with some timing cadence, think scheduled jobs.
If the incoming rate exceeds the limit (measured every millisecond) the new connections are simply delayed. The TCP client (SSH in this case) simply sees a delay before the TCP connection is established, which is delightfully graceful, in my opinion.
Why? Rate limiting should be used for defensive needs, where it prevents from handling the unexpected requests. But in this case, those requests are expected and expect to be processed.
When you choose specific non-default settings, leave a comment or link to documentation/issues as to why, future people will thank you.
That applies to all things non-default, such as “magic numbers,” workarounds, tricks, possible valid values, etc.
https://alligator.io/nodejs/compression/
This is a must-have. Wondering why not included by default (and provide opt-out/disable if not needed.)
I have been owning a domain and an LLC with the same name.
Squarespace was my choice since I was about put in more than just a placeholder. $144/year was not bad considering the time it saves me given the features, designs, and flexibility it provides.
However, it ends up a nice looking one-pager is all I need for now. The yearly renewal is around the corner. I decided to move it to Github Page, which is totally free.
Here are the steps:
Weiran's Recycle Bin 