GraphQL is an open-source data query and manipulation language for APIs, and a runtime for fulfilling queries with existing data. It was internally developed by Facebook in 2012 and is now a part of the Linux Foundation. GraphQL is a new API technology that is gaining traction in the market and, like any other API, there are attack vectors to exploit it. Starting with Advanced WAF v16.1, F5 now natively supports security for GraphQL APIs.

Protecting your applications against the OWASP Top 10 is not new; in fact, many organizations have been taking this approach for quite some time. The challenge is that most implementations that claim to "protect" against the OWASP Top 10 rely solely on signature-based protection for only a small subset of the list and provide zero insight into your compliance status.

The lab we will be discussing today demonstrates how to use the NGINX Controller API Management Module and NGINX App Protect to secure the OAuth Authorization Code flow, which is core to the Open Banking specifications.