Preparation

There are several configuration changes you’ll definitely want to consider carefully before deploying your API:

• Run the server with the NODE_ENV=production environment variable. This does several things:

  • Introspection: By default the introspection query is enabled for your server. In production we turn it off. You can re-enable it for production with apolloServerOptions: { introspection: true } in the Graphweaver constructor, but you shouldn’t need to, and doing so presents a security risk.
  • Playground: By default the Apollo playground is enabled for your API. All it lets you do is send queries and mutations as you are able to anyway, so there’s no security implication for leaving it on, but we turn it off in production to be sure.

• Consider your usage of AdminUI.

  • If you are not using the AdminUI, there’s no reason to leave the _graphweaver query around for people to use like an introspection endpoint. Disable it by passing adminMetadata: { enabled: false } to the Graphweaver constructor in src/backend/index.ts

• Consider GraphQL Armor’s options

  • Graphweaver uses GraphQL Armor to help protect your server. There are many sane defaults there, but make sure the configuration suits your unique circumstances. Configure GraphQL Armor with the graphqlArmorOptions key in the Graphweaver constructor, for example:

  export const graphweaver = new Graphweaver({
    // Other options
    graphQLArmorOptions: {
  		blockFieldSuggestion: { mask: '&&&&&&&&&' },
  	},
  });
  

• If you’re using Federation, consider your usage of Federation Tracing

  • Federation Tracing is a security risk if your server is accessible from the internet. To disable federation tracing, pass the enableFederationTracing: false option to the Graphweaver constructor in src/backend/index.ts.

• Consider CORS

  • Depending on what URL the server is on vs the clients, you may need to configure CORS. Options are available under corsOptions in the Graphweaver constructor in src/backend/index.ts.

How Builds Work

When you are ready to deploy your Graphweaver App it is important to understand how Graphweaver builds the distribution files and how these can be deployed.

When you run the graphweaver build command a dist directory will be created in the root of the project.

This directory contains two more directories:

• admin-ui - This directory contains the front end code used by the AdminUI. This code consists of a single html file and a bundle of assets. This folder can be hosted on any static web server, an S3 bucket, Netlify, PHP shared web hosting, etc. Anywhere that can host a static website.
• backend - This directory contains the backend code and is a single bundled index.js file. This file contains the entire server and there is no need to install any node_modules to run it as they are already bundled. To run this file you only need to run node index.js.

Once the build is complete you can either write deployment scripts yourself to deploy the files or you can use one of our deployment guides:

Deployment Guides

• AWS Lambda and ECS deployments with CDK