
WG Day:

Menlo Park, California

Ravi Sastry Kadali

GraphQLShield: CWE-Aware Defense in Depth for GraphQL APIs in Go

Transbay Tube
Security

Session description

GraphQL APIs face a unique threat landscape: deeply nested queries cause resource exhaustion, introspection exposes entire schemas, and mutation variables carry injection payloads past traditional WAFs. Yet most Go-based GraphQL servers ship with zero security middleware between HTTP and resolver execution. I introduce GraphQLShield, an open-source Go middleware bringing defense-in-depth to GraphQL APIs through three layers: (1) Static schema analysis detecting cyclic types, missing depth limits, and sensitive field exposure before deployment; (2) Runtime CWE-aware input sanitization catching SQL injection, XSS, command injection, path traversal, and NoSQL injection in GraphQL variables — bridging go-safeinput’s MITRE CWE Top 25 coverage to GraphQL; and (3) Resolver code auditing inspired by gosec and cryptoguard-go flagging insecure crypto, hardcoded secrets, and missing auth checks. A quick demo shows GraphQLShield intercepting 7 attack vectors against a gqlgen API, from SQL injection in mutation variables to depth-based DoS, while legitimate requests pass cleanly. Attendees leave with a zero-dependency Go library covering 14 CWE vulnerability classes across static and runtime analysis.
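To illustrate the depth-limit layer described above, here is an added example written for this page (not GraphQLShield's own code): a small Go guard that measures selection-set nesting in a raw query and rejects documents past a limit before the executor runs, so a nested-query DoS is stopped at the edge. The function name, the sentinel errors and the brace-scanning approach are assumptions of this example.

```go
package main

import "errors"

var ErrTooDeep = errors.New("graphql query exceeds maximum selection depth")
var ErrUnbalanced = errors.New("malformed graphql document: unbalanced delimiters")

// SelectionDepth measures the deepest nesting of selection sets in a raw
// GraphQL document and returns ErrTooDeep when it exceeds limit. Strings and
// # comments are skipped, and braces inside argument lists (input objects
// such as `in: {a: {b: 1}}`) are ignored, so only selection nesting counts.
// Assumption: block strings ("""...""") are handled like ordinary strings.
func SelectionDepth(query string, limit int) (int, error) {
	depth, maxDepth, parens := 0, 0, 0
	inString, inComment := false, false
	for i := 0; i < len(query); i++ {
		c := query[i]
		switch {
		case inComment:
			inComment = c != '\n'
		case inString && c == '\\':
			i++ // skip the escaped character
		case inString:
			inString = c != '"'
		case c == '#':
			inComment = true
		case c == '"':
			inString = true
		case c == '(':
			parens++
		case c == ')':
			parens--
		case c == '{' && parens == 0:
			if depth++; depth > maxDepth {
				maxDepth = depth
			}
		case c == '}' && parens == 0:
			if depth--; depth < 0 {
				return -1, ErrUnbalanced
			}
		}
	}
	if depth != 0 || parens != 0 || inString {
		return -1, ErrUnbalanced
	}
	if maxDepth > limit {
		return maxDepth, ErrTooDeep
	}
	return maxDepth, nil
}
```

A handler would call this on the request body before parsing and respond with a client error on ErrTooDeep or ErrUnbalanced; the depth value is useful to log for tuning the limit.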


Session speakers

Ravi Sastry Kadali

Open Source Contributor, Go Ecosystem Contributor & Security Engineer

Ravi Sastry Kadali is a security and systems engineer with over 20 years of experience building production infrastructure across defense, enterprise, and hyperscale consumer platforms — with Go as his tool of choice. He is a contributor to the Go project itself (golang/go), with accepted patches touching the toolchain and standard library. His open-source contributions span the broader Go ecosystem — including Kubernetes, etcd, gosec, semgrep, and Aqua Security's Trivy — and he is the creator and maintainer of go-safeinput, a unified injection defense library addressing the MITRE CWE Top 25, SecurePrompt, a pre-flight AI prompt security scanner, and cryptoguard-go. His work sits at the intersection of Go static analysis, performance, and security — the same intersection that drew him to exploring LLM-assisted analyzer authoring for go fix. Ravi has built high-throughput, security-critical Go systems across some of the world's largest platforms. At Meta, he built platform integrity systems protecting 3B+ users. At Microsoft, he delivered Windows releases impacting 400M+ users. At Neustar Security Services, he developed GraphQL-based Go microservices powering DDoS mitigation for thousands of enterprise brands backed by 15+ Tbps scrubbing capacity. At X Corp, he strengthened platform security and trust infrastructure. At India's Defense R&D Organization (DRDO), he developed intrusion detection systems for national defense. Across every role, the common thread has been Go and systems-level performance in security-critical infrastructure.
