GraphQL Query Depth measures the nesting level of fields requested in a GraphQL query. Analogy: it\u2019s like counting how many floors an elevator must traverse to reach the deepest room requested. Formal: maximum path length from operation root to any selected leaf in the query AST.<\/p>\n\n\n\n
GraphQL Query Depth is a metric describing how deeply nested a client\u2019s query traverses the GraphQL schema. It is not the number of fields, request size, or execution time\u2014though those can correlate. Depth evaluates structural complexity: from the root type through nested fields and sub-selections until leaf nodes or scalars.<\/p>\n\n\n\n
What it is NOT<\/p>\n\n\n\n
Key properties and constraints<\/p>\n\n\n\n
Where it fits in modern cloud\/SRE workflows<\/p>\n\n\n\n
Diagram description (text-only)<\/p>\n\n\n\n
GraphQL Query Depth is the maximum number of nested selection levels in a GraphQL operation from the root to any leaf, computed on the parsed query AST.<\/p>\n\n\n\n
ID | Term | How it differs from GraphQL Query Depth | Common confusion\n| — | — | — | — |\nT1 | Query Complexity | Complexity assigns weighted cost to fields; depth is structural level | People assume both are interchangeable\nT2 | Query Cost | Cost estimates resource usage; depth is a simple structural bound | Cost can be dynamic while depth is static\nT3 | Query Length | Length counts tokens\/characters; depth counts nesting levels | Long query can be shallow and vice versa\nT4 | Field Count | Field count high with shallow nesting; depth low | Misread field count as depth\nT5 | Resolver Latency | Latency measures execution time; depth is pre-exec metric | Deep queries often but not always slow\nT6 | Rate Limiting | Rate limiting counts requests; depth limits complexity per request | Some use depth to implement rate limits incorrectly\nT7 | Depth Limiting Policy | Policy enforces threshold; depth is the measured value | Policy design varies widely\nT8 | AST Complexity | AST complexity includes fragments and directives; depth focuses on path length | AST features can hide actual depth\nT9 | Schema Size | Schema size is static type surface; depth depends on query shape | Large schema doesn’t imply deep queries\nT10 | Federation Depth | Federation adds remote calls per field; depth doesn’t include remote call chain | Federation can amplify operational depth<\/p>\n\n\n\n
None<\/p>\n\n\n\n
Business impact<\/p>\n\n\n\n
Engineering impact<\/p>\n\n\n\n
SRE framing<\/p>\n\n\n\n
What breaks in production (realistic examples)<\/p>\n\n\n\n
1) Backend meltdown: uncontrolled deep queries cascade into many database joins causing connection pool exhaustion.\n2) API gateway degradation: CPU spike in gateway due to expensive resolver orchestration for deeply nested federated queries.\n3) Billing surprise: serverless invocations multiplied by nested remote calls lead to sudden monthly cost spikes.\n4) Client-visible timeouts: deep queries spur high tail latency, causing customers to experience timeouts and lost transactions.\n5) Security incident: attacker crafts deeply nested query to probe internal services, exposing or amplifying data leakage.<\/p>\n\n\n\n
ID | Layer\/Area | How GraphQL Query Depth appears | Typical telemetry | Common tools\n| — | — | — | — | — |\nL1 | Edge Gateway | Depth check blocks or tags requests | depth value, block count, latency | API gateway, WAF, ingress\nL2 | GraphQL Server | Depth enforcement in middleware | depth histogram, errors, exec time | server middleware, libraries\nL3 | Federation Layer | Depth across federated services | federated depth, remote call count | gateway federation orchestrator\nL4 | Service Backend | Resolver expansion monitoring | DB queries per request, call graph | APM, tracing\nL5 | Kubernetes | Admission or sidecar enforcement | pod CPU, request depth metric | sidecars, admission controllers\nL6 | Serverless | Lambda pre-checking query before cold start | invocations, duration by depth | serverless frameworks, edge functions\nL7 | CI\/CD | Static analysis gating depth for client bundles | pre-deploy violations, tests | linters, test runners\nL8 | Observability | Dashboards and alerts by depth | depth-tagged traces, logs, metrics | tracing, metrics stores, log aggregators\nL9 | Security | WAF or rule engines enforcing depth | blocked attempts, source IPs | WAF, security gateways, SIEM\nL10 | Cost Management | Cost attribution by depth buckets | cost per depth bucket | cloud billing, cost platforms<\/p>\n\n\n\n
None<\/p>\n\n\n\n
When it\u2019s necessary<\/p>\n\n\n\n
When it\u2019s optional<\/p>\n\n\n\n
When NOT to use \/ overuse it<\/p>\n\n\n\n
Decision checklist<\/p>\n\n\n\n
Maturity ladder<\/p>\n\n\n\n
Step-by-step components and workflow<\/p>\n\n\n\n
Data flow and lifecycle<\/p>\n\n\n\n
Edge cases and failure modes<\/p>\n\n\n\n
ID | Failure mode | Symptom | Likely cause | Mitigation | Observability signal\n| — | — | — | — | — | — |\nF1 | Unexpected high latency | Increased p95 latency | Deep queries causing many resolvers | Enforce depth limit; batch resolvers | latency by depth\nF2 | Spike in downstream calls | DB connection exhaustion | Nested resolvers invoking DB per child | Introduce batching or loader caching | DB calls per request\nF3 | Cost overrun on serverless | Sudden billing increase | Recursive remote calls multiplied by depth | Depth gating at edge; cost caps | cost by depth bucket\nF4 | Fragment abuse | Depth miscalculation | Complex fragments not expanded correctly | Expand fragments during analysis | mismatch between computed and actual depth\nF5 | False negatives in federation | Gateway shows low depth but services overloaded | Federated calls add extra network depth | Federated-aware cost modeling | service call counts\nF6 | Excessive blocking of clients | High rate of rejected requests | Threshold too strict for legitimate clients | Per-client thresholds and grace periods | rejection rate by client\nF7 | Observability blind spots | Missing depth tagging in traces | Instrumentation not propagating depth | Add consistent tag propagation | traces without depth tag\nF8 | Bypass via directives | Attacker uses runtime directives | @include\/@skip used to hide depth in some checks | Evaluate with variables or evaluate both branches | queries with conditional depth<\/p>\n\n\n\n
None<\/p>\n\n\n\n
Below are 40+ terms with concise definitions, why they matter, and a common pitfall.<\/p>\n\n\n\n
ID | Metric\/SLI | What it tells you | How to measure | Starting target | Gotchas\n| — | — | — | — | — | — |\nM1 | Median Depth | Typical query nesting | Compute median depth per minute | \u2264 3 for public APIs | Median can hide long tails\nM2 | Max Depth | Deepest request observed | Max over interval | Set per-app limit | Single synthetic tests can spike this\nM3 | Depth Histogram | Distribution of depths | Bucket counts per minute | Buckets 0-2-4-8-16 | Needs appropriate buckets\nM4 | Depth vs Latency p95 | Correlation between depth and tail latency | p95 latency per depth bucket | p95 within budget for key buckets | Sparse buckets noisy\nM5 | Rejection Rate by Depth | How many requests blocked by policy | Count rejects per bucket | <1% for trusted clients | Rejects may increase after deploy\nM6 | Errors by Depth | Error rate by depth bucket | 5xx count per bucket | Less than baseline | Some errors originate downstream\nM7 | Cost per Depth | Cost attribution by depth | Cloud cost mapped by trace tag | Budget per client | Attribution delayed in billing data\nM8 | Backend Calls per Request | Amplification factor by depth | Count remote calls per request | Limit per request | Instrumentation must tag calls\nM9 | DB Rows per Request | Data amplification risk | DB rows scanned per request | Threshold per service | Hard to measure in heterogeneous DBs\nM10 | Traces with Depth Tag | Observability coverage | Percent traces that include depth | 100% for sampled traces | Sampling can hide heavy queries<\/p>\n\n\n\n
None<\/p>\n\n\n\n
Below are recommended tools and their integration details.<\/p>\n\n\n\n
Executive dashboard<\/p>\n\n\n\n
On-call dashboard<\/p>\n\n\n\n
Debug dashboard<\/p>\n\n\n\n
Alerting guidance<\/p>\n\n\n\n
1) Prerequisites\n– Schema discovery and mapping of types likely to cause heavy resolver work.\n– Baseline telemetry: latency, traces, DB metrics.\n– Access control policy for gateway or server middleware.<\/p>\n\n\n\n
2) Instrumentation plan\n– Add AST depth computation into request pipeline.\n– Tag traces and metrics with depth.\n– Ensure deterministic fragment expansion during compute.<\/p>\n\n\n\n
3) Data collection\n– Emit per-request metrics: depth, latency, status, client id.\n– Aggregate into histograms and time-series DB.<\/p>\n\n\n\n
4) SLO design\n– Define SLIs: percent of requests exceeding depth threshold, p95 latency by depth.\n– Propose SLOs with conservative starting targets and error budgets.<\/p>\n\n\n\n
5) Dashboards\n– Build executive, on-call, and debug dashboards as described above.<\/p>\n\n\n\n
6) Alerts & routing\n– Configure alerts for SLO breaches, latency correlations, and rejection surges.\n– Route to API owners and platform SRE teams.<\/p>\n\n\n\n
7) Runbooks & automation\n– Provide runbooks for common depth incidents.\n– Automate mitigation: temporary throttle, per-client rollback, or partial data responses.<\/p>\n\n\n\n
8) Validation (load\/chaos\/game days)\n– Run load tests targeting depth buckets to validate autoscaling and limits.\n– Run chaos tests that simulate downstream latency with deep queries.<\/p>\n\n\n\n
9) Continuous improvement\n– Review depth telemetry weekly.\n– Iterate policies and thresholds.\n– Automate impact analysis for new schema changes.<\/p>\n\n\n\n
Checklists<\/p>\n\n\n\n
Pre-production checklist<\/p>\n\n\n\n
Production readiness checklist<\/p>\n\n\n\n
Incident checklist specific to GraphQL Query Depth<\/p>\n\n\n\n
Provide 8\u201312 use cases with brief structure.<\/p>\n\n\n\n
1) Public API protection\n– Context: Consumer-facing API with wide client base.\n– Problem: Malicious or buggy clients request very deep data causing backend overload.\n– Why depth helps: Blocks excessive structural complexity early.\n– What to measure: Rejection rate by client, latency by depth.\n– Typical tools: API gateway middleware, Prometheus.<\/p>\n\n\n\n
2) Multi-tenant SaaS isolation\n– Context: Multi-tenant service with shared datastores.\n– Problem: One tenant\u2019s deep queries hurting others.\n– Why depth helps: Enforce per-tenant budgets and throttle heavy tenants.\n– What to measure: Per-tenant depth histogram, error budget by tenant.\n– Typical tools: Tenant-aware middleware, billing integration.<\/p>\n\n\n\n
3) Federation cost control\n– Context: Federated graph combining many microservices.\n– Problem: Composite queries cause multiple remote calls.\n– Why depth helps: Estimate amplification and apply limits.\n– What to measure: Remote call counts per request, depth per federated operation.\n– Typical tools: Gateway, tracing.<\/p>\n\n\n\n
4) CI safety for clients\n– Context: Large front-end teams pushing query changes.\n– Problem: New queries unintentionally deep.\n– Why depth helps: Prevent regressions in CI before deploy.\n– What to measure: CI linter violations, pre-deploy query depth.\n– Typical tools: Static analyzers, pre-commit hooks.<\/p>\n\n\n\n
5) Serverless cost stabilization\n– Context: GraphQL served by serverless functions.\n– Problem: Deep queries multiply function invocations and cost.\n– Why depth helps: Reject or degrade high-depth queries that spike costs.\n– What to measure: Cost per invocation by depth bucket.\n– Typical tools: Cloud cost platform, serverless monitoring.<\/p>\n\n\n\n
6) Performance regression detection\n– Context: Mature service with performance SLAs.\n– Problem: New releases degrade response times due to deeper queries.\n– Why depth helps: Correlate depth trends with latency regressions.\n– What to measure: p95 latency by depth, change in median depth over time.\n– Typical tools: APM, dashboards.<\/p>\n\n\n\n
7) Debugging N+1 problems\n– Context: Resolvers causing multiple DB calls.\n– Problem: Deep selections trigger N+1 and heavy DB I\/O.\n– Why depth helps: Flag high-depth requests and prioritize optimizing resolvers.\n– What to measure: DB calls per request, rows scanned per depth.\n– Typical tools: DataLoader, tracing.<\/p>\n\n\n\n
8) Security hardening\n– Context: Security team defending APIs.\n– Problem: Attackers use nested queries to exfiltrate or probe services.\n– Why depth helps: Reduce attack surface by limiting deep queries and flagging anomalies.\n– What to measure: Blocked attempts, source IP patterns.\n– Typical tools: WAF, SIEM.<\/p>\n\n\n\n
9) Rate limiting complement\n– Context: High traffic service with rate limits.\n– Problem: Some clients consume disproportionate resources despite request counts within rate limits.\n– Why depth helps: Provide resource-aware admission beyond request count.\n– What to measure: Resource cost per request by depth.\n– Typical tools: Token bucket rate limiter augmented with depth check.<\/p>\n\n\n\n
10) UX-driven aggregation\n– Context: Client needs one deep query to render UI.\n– Problem: Restrictive depth policies force many round trips.\n– Why depth helps: Quantify legitimate deep queries and design backend aggregators.\n– What to measure: End-to-end latency for aggregated backend route.\n– Typical tools: Backend resolvers, gateway policies.<\/p>\n\n\n\n
Context:<\/strong> A federated GraphQL gateway runs on Kubernetes and aggregates 15 microservices.\nGoal:<\/strong> Prevent gateway overload from deep federated queries while preserving client UX.\nWhy GraphQL Query Depth matters here:<\/strong> Gateway-parsed depth alone underestimates total remote calls; deep queries can produce many downstream requests.\nArchitecture \/ workflow:<\/strong> Gateway ingress \u2192 depth computation + federated-aware estimator \u2192 accept\/tag\/reject \u2192 route to services on K8s \u2192 sidecar tracing.\nStep-by-step implementation:<\/strong><\/p>\n\n\n\n Context:<\/strong> GraphQL API implemented as edge Lambda functions with many third-party calls.\nGoal:<\/strong> Prevent cost surges from deeply nested queries.\nWhy GraphQL Query Depth matters here:<\/strong> Each nested selection triggers additional Lambda invocations or external API calls.\nArchitecture \/ workflow:<\/strong> CDN edge \u2192 Lambda@Edge compute depth \u2192 enforce policy \u2192 call backend services.\nStep-by-step implementation:<\/strong><\/p>\n\n\n\n Context:<\/strong> After deployment, p99 latency spikes for a key operation.\nGoal:<\/strong> Rapidly determine whether deep queries caused the incident and mitigate.\nWhy GraphQL Query Depth matters here:<\/strong> Large depth incidents often increase tail latency and background amplification.\nArchitecture \/ workflow:<\/strong> Observability alerts \u2192 on-call pulls depth-correlated dashboards \u2192 temporary gateway throttling for depth > X \u2192 rollback candidate deployed.\nStep-by-step implementation:<\/strong><\/p>\n\n\n\n Context:<\/strong> A mobile client requires a single query to render a rich page.\nGoal:<\/strong> Balance client performance needs against backend cost from deep nested queries.\nWhy GraphQL Query Depth matters here:<\/strong> Allowing deep queries improves UX but may spike cost and backend load.\nArchitecture \/ workflow:<\/strong> Client \u2192 GraphQL server \u2192 aggregator resolver that performs optimized queries \u2192 cache results.\nStep-by-step implementation:<\/strong><\/p>\n\n\n\n List of 20 mistakes with Symptom -> Root cause -> Fix. Include observability pitfalls.<\/p>\n\n\n\n 1) Symptom: Surprising production latency after deploy -> Root cause: New query with hidden fragment increased depth -> Fix: Add CI depth checks and fragment expansion tests.\n2) Symptom: High DB connections exhaustion -> Root cause: Deep queries causing many resolver calls -> Fix: Introduce batching or DataLoader and depth limits.\n3) Symptom: Sudden serverless bill spike -> Root cause: Deep queries multiplied remote calls -> Fix: Gate depth at edge and set budget alerts.\n4) Symptom: Frequent gateway CPU spikes -> Root cause: Heavy runtime depth computation inline in hot path -> Fix: Move to lightweight parser or sidecar and cache results.\n5) Symptom: False negatives in depth enforcement -> Root cause: Directives change runtime structure -> Fix: Evaluate conditional branches or enforce runtime checks.\n6) Symptom: Legitimate clients blocked -> Root cause: One-size-fits-all threshold -> Fix: Per-client exceptions or grace policy.\n7) Symptom: Missing traces for deep requests -> Root cause: Sampling policy drops traces disproportionately -> Fix: Ensure sampling keeps high-depth requests.\n8) Symptom: Alert fatigue on depth breaches -> Root cause: Poor thresholds and noisy alerting -> Fix: Adjust thresholds, group alerts, use suppression rules.\n9) Symptom: Underestimated federation load -> Root cause: Gateway depth not counting remote federated calls -> Fix: Create federated amplification model.\n10) Symptom: CI slows down -> Root cause: Complex depth analyses run for every commit -> Fix: Optimize linter or run on schedule for heavy checks.\n11) Symptom: Incorrect billing attribution -> Root cause: Cost not tagged with depth metrics -> Fix: Tag traces and map to billing exports.\n12) Symptom: Depth enforcement bypassed -> Root cause: Aliases and repeated fields obfuscate patterns -> Fix: Normalise queries before analysis.\n13) Symptom: Observability blindspots in dashboards -> Root cause: Depth metric name mismatch across services -> Fix: Standardize metric naming and schemas.\n14) Symptom: Overrestrictive UX changes -> Root cause: Blocking deep queries that are legitimate -> Fix: Provide client guidance and alternative endpoints.\n15) Symptom: N+1 problems masked by depth policies -> Root cause: Depth limits hide but do not fix resolver inefficiency -> Fix: Optimize resolvers and implement DataLoader.\n16) Symptom: Fragment usage creates variable depth -> Root cause: Nested fragment referencing itself indirectly -> Fix: Detect cycles and flatten fragments in analysis.\n17) Symptom: Partial outages during bursts -> Root cause: Throttling applied without grace periods -> Fix: Implement backpressure and gradual throttles.\n18) Symptom: Misleading dashboards showing low depth -> Root cause: Instrumentation not tagging depth consistently -> Fix: Ensure middleware adds depth tag before sampling.\n19) Symptom: Security alert noise -> Root cause: Introspection queries flagged as deep -> Fix: Whitelist safe introspection or rate-limit separately.\n20) Symptom: Developers confused about policies -> Root cause: Poor documentation of depth thresholds and mitigation -> Fix: Publish policy, examples, and runbook.<\/p>\n\n\n\n Observability pitfalls (at least 5 included above):<\/p>\n\n\n\n Ownership and on-call<\/p>\n\n\n\n Runbooks vs playbooks<\/p>\n\n\n\n Safe deployments (canary\/rollback)<\/p>\n\n\n\n Toil reduction and automation<\/p>\n\n\n\n Security basics<\/p>\n\n\n\n Weekly\/monthly routines<\/p>\n\n\n\n Postmortem reviews<\/p>\n\n\n\n ID | Category | What it does | Key integrations | Notes\n| — | — | — | — | — |\nI1 | Gateway Middleware | Computes and enforces depth at edge | Tracing, metrics, WAF | Best for public APIs\nI2 | Server Middleware | Depth compute inside server | Prometheus, OpenTelemetry | Simple to integrate\nI3 | CI Linter | Static depth checks in CI | Git, CI systems | Prevents regressions\nI4 | Tracing | Correlate depth with traces | APM, OpenTelemetry | Essential for root cause\nI5 | Metrics Store | Aggregates depth histograms | Prometheus, metrics backends | Use bucketed histograms\nI6 | Federation Orchestrator | Estimate federated amplification | Tracing, gateway | Must be federation-aware\nI7 | Sidecar | Non-invasive depth enforcement | Kubernetes, Envoy | Useful for legacy servers\nI8 | Cost Platform | Map depth to billing | Cloud billing exports | Requires accurate tagging\nI9 | Security Gateway | Block malicious deep queries | SIEM, WAF | Tie into incident response\nI10 | Load Test Tools | Simulate deep queries | CI, chaos platforms | Validate policies at scale<\/p>\n\n\n\n None<\/p>\n\n\n\n A level counts each selection layer from the operation root through nested fields and inline fragments until a scalar leaf.<\/p>\n\n\n\n Yes, when fragments contain nested selections they increase effective depth; fragment references should be expanded during analysis.<\/p>\n\n\n\n Directives like @include and @skip can make static depth variable; either evaluate with typical variables or do runtime checks.<\/p>\n\n\n\n No. Depth is a coarse control and should be combined with complexity scoring, rate limits, and observability.<\/p>\n\n\n\n Varies \/ depends. Many public APIs start with 3\u20136; internal systems may allow higher values with additional checks.<\/p>\n\n\n\n Use per-client exceptions, backend aggregation resolvers, or a higher SLO-backed quota for trusted clients.<\/p>\n\n\n\n Yes, but ensure parsing cost is low; sidecars or lightweight parsers are preferred for high-throughput edges.<\/p>\n\n\n\n Use a federated amplification model that maps selection to estimated remote call counts rather than relying on AST depth alone.<\/p>\n\n\n\n Yes. Tag traces with depth to correlate complexity with latency, errors, and cost.<\/p>\n\n\n\n Normalize queries before analysis so aliases do not obfuscate repeated selections.<\/p>\n\n\n\n Treat introspection specially: rate-limit, whitelist for trusted clients, or run under separate quotas.<\/p>\n\n\n\n Use exponential buckets like 0-2-4-8-16 to capture both common shallow queries and rare deep ones.<\/p>\n\n\n\n Yes; for subscription initial payloads compute depth; for ongoing updates monitor payload size and resolver behavior.<\/p>\n\n\n\n Depth itself doesn\u2019t affect cacheability, but deeper queries often touch more cache keys and reduce cache effectiveness.<\/p>\n\n\n\n Fragment recursion is when fragments reference themselves indirectly; detect cycles during AST traversal and fail analysis.<\/p>\n\n\n\n Start with soft enforcement (tagging and warnings) in production; move to hard rejects after observing client impact.<\/p>\n\n\n\n Tag traces and aggregate cloud cost attributions by trace tags, then map cost to depth buckets for billing.<\/p>\n\n\n\n At least quarterly or when backend architecture or cost structures change.<\/p>\n\n\n\n Yes, attackers may shard queries; combine depth checks with rate limits and anomaly detection.<\/p>\n\n\n\n GraphQL Query Depth is a practical, pre-execution metric to bound structural complexity of GraphQL operations. In modern cloud-native and federated architectures it reduces risk of amplification, curbs cost spikes, and provides a useful SLI dimension. Treat depth as one part of a layered defense: combine with complexity scoring, tracing, and adaptive policies. Start with visibility, iterate thresholds based on telemetry, and automate enforcement in a gradual, client-aware manner.<\/p>\n\n\n\n Next 7 days plan<\/p>\n\n\n\n GraphQL depth middleware<\/p>\n<\/li>\n Secondary keywords<\/p>\n<\/li>\n depth policy<\/p>\n<\/li>\n Long-tail questions<\/p>\n<\/li>\n GraphQL depth runbook example<\/p>\n<\/li>\n Related terminology<\/p>\n<\/li>\n —<\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-2319","post","type-post","status-publish","format-standard","hentry"],"yoast_head":"\n\n
Scenario #2 \u2014 Serverless: Protecting Lambdas from Cost Spikes<\/h3>\n\n\n\n
\n
Scenario #3 \u2014 Incident Response: Tail Latency Post-Deploy<\/h3>\n\n\n\n
\n
Scenario #4 \u2014 Cost\/Performance Trade-off: UX vs Backend Load<\/h3>\n\n\n\n
\n
\n\n\n\nCommon Mistakes, Anti-patterns, and Troubleshooting<\/h2>\n\n\n\n
\n
\n\n\n\nBest Practices & Operating Model<\/h2>\n\n\n\n
\n
\n
\n
\n
\n
\n
\n
\n\n\n\nTooling & Integration Map for GraphQL Query Depth (TABLE REQUIRED)<\/h2>\n\n\n\n
Row Details (only if needed)<\/h4>\n\n\n\n
\n\n\n\nFrequently Asked Questions (FAQs)<\/h2>\n\n\n\n
H3: What exactly counts as a level in depth?<\/h3>\n\n\n\n
H3: Do fragments increase depth?<\/h3>\n\n\n\n
H3: How do directives affect depth?<\/h3>\n\n\n\n
H3: Is depth sufficient to protect my API?<\/h3>\n\n\n\n
H3: What\u2019s a reasonable starting depth limit?<\/h3>\n\n\n\n
H3: How to handle legitimate deep queries?<\/h3>\n\n\n\n
H3: Can depth checks be performed at CDN or edge?<\/h3>\n\n\n\n
H3: How to account for federation when computing depth?<\/h3>\n\n\n\n
H3: Should I include depth in traces?<\/h3>\n\n\n\n
H3: How to prevent bypasses using aliases?<\/h3>\n\n\n\n
H3: What about introspection queries?<\/h3>\n\n\n\n
H3: How to choose histogram buckets for depth?<\/h3>\n\n\n\n
H3: Can depth be computed reliably for subscriptions?<\/h3>\n\n\n\n
H3: How does depth interact with caching?<\/h3>\n\n\n\n
H3: What is fragment recursion and how to detect it?<\/h3>\n\n\n\n
H3: Should enforcement be strict reject or soft warn?<\/h3>\n\n\n\n
H3: How do I attribute cost per query by depth?<\/h3>\n\n\n\n
H3: How often should I revisit depth thresholds?<\/h3>\n\n\n\n
H3: Can attackers circumvent depth by splitting queries?<\/h3>\n\n\n\n
\n\n\n\nConclusion<\/h2>\n\n\n\n
\n
\n\n\n\nAppendix \u2014 GraphQL Query Depth Keyword Cluster (SEO)<\/h2>\n\n\n\n
\n