Integración de graphql y seguridad zero trust en el diseño de apis

Abstract

This research focuses on the design of GraphQL APIs and how to implement the Zero Trust model within them. Therefore, the main objective is to propose the integration of the Zero Trust model into the GraphQL API in such a way that the API's performance and response speed are not affected, while also improving security, respecting the principle that indicates that threats can be inside and/or outside the network, applying rigorous verification during each access or query to GraphQL. The main advantages of GraphQL are its flexibility and efficiency when obtaining information, however, these advantages also expose APIs to possible attacks and it is here, where through the application of the Zero Trust model, risks are reduced through authentication and authorization in each access, which will be controlled and verified. This work examines previously identified GraphQL APIs’ threats, such as Denial of Service (DoS) attacks, excessive data exposure (overfetching), GraphQL injection, and others. Additionally, it analyzes the security enhancements provided by the Zero Trust model and how its advantages can make GraphQL API security stronger. As part of this research, a proof of concept (PoC) will be developed using a GraphQL API based on Zero Trust model and its principles. This PoC will be used to conduct security and performance testing and evaluations. This research will combine the benefits of GraphQL APIs with the strengths of the Zero Trust model to obtain a robust API in terms of security, thus serving as a reference base for the design and development of future projects, where developers and administrators can benefit from its strengths and security and performance optimizations.