Q12 of 20 · GraphQL

What are query depth and complexity limits, and why test them?

GraphQLSeniorgraphqlsecurityperformancesenior

Short answer

Short answer: Because clients build their own queries, a malicious or careless client can request deeply nested or hugely expensive queries that overload the server. Production GraphQL APIs limit query depth and complexity — test that abusive queries are rejected and legitimate ones aren't.

Detail

GraphQL's flexibility is also a denial-of-service surface. A client can write:

query {
  user { friends { friends { friends { friends { ... } } } } }
}

Each level multiplies the work. Without limits, one request can exhaust the server. Hardened GraphQL APIs apply:

  • Depth limiting — reject queries nested beyond N levels.
  • Complexity/cost analysis — assign each field a cost and reject queries above a budget.
  • Rate limiting / pagination caps — bound first: 100000 style requests.

What to test:

  1. Negative: send an over-deep or over-complex query and assert it's rejected (with an appropriate error/code), not executed.
  2. Boundary: a query at the documented limit succeeds; one step over fails.
  3. Positive: ensure legitimate, reasonably-nested queries aren't caught by an over-aggressive limit (a false-positive that breaks real clients).

This sits at the intersection of security and performance testing and is often missed entirely.

// WHAT INTERVIEWERS LOOK FOR

Recognising client-built queries as a DoS surface, and testing both that abusive queries are blocked and legitimate ones aren't.

// Related questions

What is the N+1 problem in GraphQL, and how would you test for it?

GraphQL