⚠ Simulated · no real WAF

/graphql — Cloudflare API Shield Demo Endpoint

This endpoint simulates Cloudflare API Shield's GraphQL malicious query protection. POST a GraphQL query as a JSON body ({"query": "..."}) and the endpoint parses it, measures the query's size and depth, and returns either a normal response or a simulated 403 block.

Why simulated here? Real API Shield rules only run on Cloudflare zones with API Shield enabled. This URL is on workers.dev — there's no Cloudflare WAF in front of it. The Worker parses your query the same way and returns the same shape of block response, so curl scripts, screenshots, and live demos behave identically.

Want the real thing? The same endpoint runs behind a real Cloudflare WAF rule at graphql.tarheel.us/graphql — Enterprise zone, API Shield enabled, actual Security Events. Use that one if you want to see the WAF block at the edge.

Thresholds (matching the documented example rule)

(cf.api_gateway.graphql.query_size > 30
 and cf.api_gateway.graphql.query_depth > 7
 and cf.api_gateway.graphql.parsed_successfully)  →  Block

For demo clarity, this endpoint also blocks when either limit alone is exceeded, so you can show size-only and depth-only attacks separately. Keep in mind that this is looser than the rule above: the documented expression joins the two conditions with "and", so a query that trips only one of the limits would not be blocked by a rule written exactly that way. The parsed_successfully condition also means a query the parser rejects never matches the rule at all; such a query is passed through, not blocked.
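To make the two rule shapes concrete, here is an added example (not the demo Worker's code and not Cloudflare's parser) that measures a GraphQL document's size and depth and then applies both the documented "and" rule and this page's "either limit" variant to the four payload classes used in the demo script, plus a malformed query. The counting conventions are this example's own assumptions: size is the number of field selections, depth is the deepest nesting of selection sets; the real cf.api_gateway.graphql.* fields may count differently, so the numbers are illustrative. The payload strings are constructed here; only the benign and deeply-nested ones match the curl examples on this page.

```javascript
// Added example, not the demo Worker's or Cloudflare's code.
// Assumed counting conventions (the edge fields may differ):
//   querySize  = number of field selections (aliases, fragment spreads,
//                directives and argument values are not counted)
//   queryDepth = deepest nesting of selection sets, inline fragments included;
//                braces inside argument lists are input objects and are ignored
const LIMITS = { querySize: 30, queryDepth: 7 }; // thresholds from the documented example rule

function measure(query) {
  // Blank out block strings, strings and comments so braces inside them are not counted.
  const cleaned = query
    .replace(/"""[\s\S]*?"""/g, '""')
    .replace(/"(?:\\.|[^"\\\n])*"/g, '""')
    .replace(/#[^\n]*/g, '');
  // Tokens: the spread operator, names, or any other single non-separator character.
  const tokens = cleaned.match(/\.\.\.|[_A-Za-z][_0-9A-Za-z]*|[^\s,]/g) || [];

  let braceDepth = 0, parenDepth = 0, maxDepth = 0, size = 0;
  for (let i = 0; i < tokens.length; i++) {
    const tok = tokens[i];
    if (tok === '(') { parenDepth++; continue; }
    if (tok === ')') {
      if (parenDepth === 0) throw new SyntaxError('unbalanced ")"');
      parenDepth--; continue;
    }
    if (parenDepth > 0) continue;                       // inside arguments / variable definitions
    if (tok === '{') { braceDepth++; maxDepth = Math.max(maxDepth, braceDepth); continue; }
    if (tok === '}') {
      if (braceDepth === 0) throw new SyntaxError('unbalanced "}"');
      braceDepth--; continue;
    }
    if (braceDepth === 0) continue;                     // operation / fragment headers are not fields
    if (tok === '...') { i += tokens[i + 1] === 'on' ? 2 : 1; continue; } // spread or inline fragment
    if (tok === '@') { i += 1; continue; }              // directive name; its arguments sit in parens
    if (/^[_A-Za-z]/.test(tok)) {
      if (tokens[i + 1] === ':') continue;              // alias; the real field name follows
      size++;
    }
  }
  if (braceDepth !== 0 || parenDepth !== 0) throw new SyntaxError('unterminated selection set or argument list');
  if (maxDepth === 0) throw new SyntaxError('no selection set');
  return { querySize: size, queryDepth: maxDepth };
}

// Documented rule: block only when BOTH limits are exceeded and the query parsed.
function documentedRule(stats) {
  return stats.parsedSuccessfully
    && stats.querySize > LIMITS.querySize
    && stats.queryDepth > LIMITS.queryDepth;
}

// This page's demo variant: either limit alone is enough.
function demoRule(stats) {
  return stats.parsedSuccessfully
    && (stats.querySize > LIMITS.querySize || stats.queryDepth > LIMITS.queryDepth);
}

// Returns the measurements plus the HTTP status each rule shape would produce.
function evaluate(query) {
  let stats = { parsedSuccessfully: false, querySize: 0, queryDepth: 0 };
  try {
    stats = { parsedSuccessfully: true, ...measure(query) };
  } catch (e) {
    // parse failure: parsed_successfully stays false, so neither rule can match
  }
  return { ...stats, documented: documentedRule(stats) ? 403 : 200, demo: demoRule(stats) ? 403 : 200 };
}

// Constructed payloads mirroring the demo script's four classes, plus a malformed one.
function nested(levels) {
  return levels === 0 ? '{ id }' : `{ id name child ${nested(levels - 1)} }`;
}
const PAYLOADS = {
  benign: '{ user(id: "42") { id name } }',
  oversized: `{ ${Array.from({ length: 40 }, (_, i) => 'field' + i).join(' ')} }`, // 40 fields, depth 1
  deep: '{ a { b { c { d { e { f { g { h { i { j } } } } } } } } } }',             // 10 fields, depth 10
  both: nested(10),                                                                // 31 fields, depth 11
  malformed: '{ user { id ',                                                       // unterminated: never matches
};

for (const [name, q] of Object.entries(PAYLOADS)) {
  console.log(name, evaluate(q));
}
```

Running it shows why the "and" in the documented rule matters: the deeply-nested payload from this page and the oversized one each trip only one limit, so under the documented rule they get 200 while the demo variant returns 403; only the combined payload is blocked by both. The malformed query is reported as not parsed and is blocked by neither, which is the behaviour the parsed_successfully condition encodes.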

Try it

Benign: 200 OK

curl -X POST https://cf-demo-app.dustinburke23nc.workers.dev/graphql \
  -H 'Content-Type: application/json' \
  -d '{"query":"{ user(id: \"42\") { id name } }"}'

Deeply-nested: 403 Blocked (simulated)

curl -X POST https://cf-demo-app.dustinburke23nc.workers.dev/graphql \
  -H 'Content-Type: application/json' \
  -d '{"query":"{ a { b { c { d { e { f { g { h { i { j } } } } } } } } } }"}'

Full demo script

See scripts/graphql-attack.sh in cf-demo-app for a 4-payload walkthrough (benign / oversized / deeply-nested / both).

Docs

Cloudflare API Shield — GraphQL malicious query protection
