Preparation
There are several configuration changes you’ll definitely want to consider carefully before deploying your API:
- Run the server with the
NODE_ENV=productionenvironment variable. This does several things: - Introspection: By default the introspection query is enabled for your server. In production we turn it off. You can re-enable it for production with
apolloServerOptions: { introspection: true }in the Graphweaver constructor, but you shouldn’t need to, and doing so presents a security risk. - Playground: By default the Apollo playground is enabled for your API. All it lets you do is send queries and mutations as you are able to anyway, so there’s no security implication for leaving it on, but we turn it off in production to be sure.
- Consider your usage of AdminUI.
- If you are not using the AdminUI, there’s no reason to leave the
_graphweaverquery around for people to use like an introspection endpoint. Disable it by passingadminMetadata: { enabled: false }to the Graphweaver constructor insrc/backend/index.ts - Consider GraphQL Armor’s options
- Graphweaver uses GraphQL Armor to help protect your server. There are many sane defaults there, but make sure the configuration suits your unique circumstances. Configure GraphQL Armor with
- If you’re using Federation, consider your usage of Federation Tracing
- Federation Tracing is a security risk if your server is accessible from the internet. To disable federation tracing, pass the
enableFederationTracing: falseoption to the Graphweaver constructor insrc/backend/index.ts. - Consider CORS
- Depending on what URL the server is on vs the clients, you may need to configure CORS. Options are available under
corsOptionsin the Graphweaver constructor insrc/backend/index.ts.
How Builds Work
When you are ready to deploy your Graphweaver App it is important to understand how Graphweaver builds the distribution files and how these can be deployed.
When you run the graphweaver build command a dist directory will be created in the root of the project.
This directory contains two more directories:
admin-ui- This directory contains the front end code used by the AdminUI. This code consists of a single html file and a bundle of assets. This folder can be hosted on any static web server, an S3 bucket, Netlify, PHP shared web hosting, etc. Anywhere that can host a static website.backend- This directory contains the backend code and is a single bundled index.js file. This file contains the entire server and there is no need to install anynode_modulesto run it as they are already bundled. To run this file you only need to runnode index.js.
Once the build is complete you can either write deployment scripts yourself to deploy the files or you can use one of our deployment guides: