The latest articles on DEV Community by Marco Cheung (@marco_cheung_). https://dev.to/marco_cheung_ https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3448262%2Fbbe70e51-b485-43d6-8b7a-c979843eb4f3.png https://dev.to/marco_cheung_ en Marco Cheung Wed, 10 Sep 2025 20:53:59 +0000 https://dev.to/marco_cheung_/server-side-rendering-the-security-reality-check-every-developer-needs-f13 https://dev.to/marco_cheung_/server-side-rendering-the-security-reality-check-every-developer-needs-f13 <p>Server-Side Rendering (SSR) has become increasingly popular for its performance benefits and SEO advantages. However, there's a dangerous misconception in the developer community: <strong>SSR is often mistakenly viewed as a security solution</strong>. Let's dive deep into what SSR actually protects and, more importantly, what it doesn't.</p> <h2> The SSR Security Misconception </h2> <p>Many developers believe that because SSR processes data on the server, it automatically makes their applications more secure. This leads to dangerous assumptions like:</p> <ul> <li>"If I check feature flags server-side, they're secure"</li> <li>"SSR-embedded config can't be tampered with"</li> <li>"Server-rendered auth checks protect my app"</li> </ul> <p><strong>These assumptions can create serious security vulnerabilities.</strong></p> <h2> What SSR Actually Does for Security </h2> <h3> ✅ 1. Keeps Server Secrets Server-Side </h3> <p>SSR excels at keeping sensitive server-only data truly private:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ✅ Server-side secrets (NEVER sent to client)</span> <span class="kd">const</span> <span class="nx">serverSecrets</span> <span class="o">=</span> <span class="p">{</span> <span class="na">databasePassword</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DB_PASSWORD</span><span class="p">,</span> <span class="na">apiKeys</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">THIRD_PARTY_API_KEY</span><span class="p">,</span> <span class="na">jwtSecret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span><span class="p">,</span> <span class="na">encryptionKeys</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ENCRYPTION_KEY</span> <span class="p">}</span> <span class="c1">// ✅ Server-side processing with secrets</span> <span class="kd">const</span> <span class="nx">authHeader</span> <span class="o">=</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">INTERNAL_API_KEY</span><span class="p">}</span><span class="s2">`</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://internal-api.company.com/data</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Authorization</span><span class="p">:</span> <span class="nx">authHeader</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <p><strong>Why this works:</strong> These secrets never leave the server environment and are never included in the client bundle or rendered HTML.</p> <h3> ✅ 2. Eliminates Client-Side Config Fetches </h3> <p>SSR can embed configuration directly into the initial HTML, eliminating the need for additional API calls:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ✅ Server embeds config during render</span> <span class="kd">const</span> <span class="nx">configScript</span> <span class="o">=</span> <span class="s2">` window.__APP_CONFIG__ = </span><span class="p">${</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">apiEndpoint</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://api.example.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">featureFlags</span><span class="p">:</span> <span class="p">{</span> <span class="na">newCheckout</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">darkMode</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">})}</span><span class="s2">; `</span> <span class="c1">// No separate XHR request needed - config available immediately</span> </code></pre> </div> <p><strong>Benefits:</strong></p> <ul> <li>Faster initial page load</li> <li>Reduced API server load</li> <li>Better user experience (no loading states for config)</li> </ul> <h2> What SSR Does NOT Protect Against </h2> <p>Here's where the dangerous misconceptions begin. SSR fails to protect against several critical attack vectors:</p> <h3> ❌ 1. Client-Side Data Tampering </h3> <p><strong>The Problem:</strong> Anything rendered into the client is visible and modifiable.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- ❌ This is visible in page source and modifiable at runtime --&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="nb">window</span><span class="p">.</span><span class="nx">__PRELOADED_STATE__</span> <span class="o">=</span> <span class="p">{</span> <span class="na">user</span><span class="p">:</span> <span class="p">{</span> <span class="na">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">,</span> <span class="na">creditLimit</span><span class="p">:</span> <span class="mi">10000</span> <span class="p">},</span> <span class="na">features</span><span class="p">:</span> <span class="p">{</span> <span class="na">requireTwoFactor</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">skipValidation</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">};</span> <span class="nt">&lt;/script&gt;</span> </code></pre> </div> <p><strong>Attack Example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Attacker opens DevTools console:</span> <span class="nb">window</span><span class="p">.</span><span class="nx">__PRELOADED_STATE__</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">role</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span> <span class="nb">window</span><span class="p">.</span><span class="nx">__PRELOADED_STATE__</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">creditLimit</span> <span class="o">=</span> <span class="mi">999999</span> <span class="nb">window</span><span class="p">.</span><span class="nx">__PRELOADED_STATE__</span><span class="p">.</span><span class="nx">features</span><span class="p">.</span><span class="nx">skipValidation</span> <span class="o">=</span> <span class="kc">true</span> <span class="c1">// If client-side code trusts this data, security is compromised</span> </code></pre> </div> <h3> ❌ 2. Client-Side Security Logic Bypass </h3> <p><strong>The Problem:</strong> Security decisions made in client-side JavaScript can be bypassed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ❌ DANGEROUS: Client-side security check</span> <span class="kd">function</span> <span class="nf">submitPayment</span><span class="p">(</span><span class="nx">amount</span><span class="p">,</span> <span class="nx">cardNumber</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">maxLimit</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">__PRELOADED_STATE__</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">creditLimit</span> <span class="k">if </span><span class="p">(</span><span class="nx">amount</span> <span class="o">&gt;</span> <span class="nx">maxLimit</span><span class="p">)</span> <span class="p">{</span> <span class="nf">alert</span><span class="p">(</span><span class="dl">'</span><span class="s1">Amount exceeds your credit limit!</span><span class="dl">'</span><span class="p">)</span> <span class="k">return</span> <span class="c1">// ← Attacker can bypass this</span> <span class="p">}</span> <span class="c1">// Process payment...</span> <span class="p">}</span> </code></pre> </div> <p><strong>How attackers bypass this:</strong></p> <ol> <li> <strong>Runtime Modification:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// In DevTools console:</span> <span class="nb">window</span><span class="p">.</span><span class="nx">__PRELOADED_STATE__</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">creditLimit</span> <span class="o">=</span> <span class="mi">999999</span> <span class="c1">// Now any amount will pass the check</span> </code></pre> </div> <ol> <li> <strong>Function Replacement:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Replace the security function entirely:</span> <span class="nb">window</span><span class="p">.</span><span class="nx">submitPayment</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">amount</span><span class="p">,</span> <span class="nx">cardNumber</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Skip all checks, go straight to payment</span> <span class="nf">processPaymentDirectly</span><span class="p">(</span><span class="nx">amount</span><span class="p">,</span> <span class="nx">cardNumber</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <ol> <li> <strong>DOM Manipulation:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Modify form validation</span> <span class="nb">document</span><span class="p">.</span><span class="nf">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">#payment-form</span><span class="dl">'</span><span class="p">).</span><span class="nx">onsubmit</span> <span class="o">=</span> <span class="kc">null</span> <span class="c1">// Remove all client-side validation</span> </code></pre> </div> <h3> ❌ 3. Direct API Attacks </h3> <p><strong>The Problem:</strong> Attackers can bypass your entire UI and call your APIs directly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># ❌ Attacker discovers your API endpoints and calls them directly</span> curl <span class="nt">-X</span> POST https://yoursite.com/api/payment <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer stolen_or_manipulated_token"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{ "amount": 1, "currency": "USD", "skipValidation": true, "userRole": "admin" }'</span> </code></pre> </div> <p><strong>Common direct attack scenarios:</strong></p> <ul> <li>Payment amount manipulation</li> <li>Feature flag bypassing</li> <li>Role elevation</li> <li>Validation skipping</li> <li>Rate limit circumvention</li> </ul> <h3> ❌ 4. Feature Flag Security Theater </h3> <p>This is particularly dangerous in modern applications:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ❌ Client-side feature flag "security"</span> <span class="kd">function</span> <span class="nf">handleSensitiveOperation</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">canAccess</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">__FEATURE_FLAGS__</span><span class="p">.</span><span class="nx">adminAccess</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">canAccess</span><span class="p">)</span> <span class="p">{</span> <span class="nf">showAccessDenied</span><span class="p">()</span> <span class="k">return</span> <span class="p">}</span> <span class="nf">performSensitiveOperation</span><span class="p">()</span> <span class="c1">// ← Can be bypassed</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why this fails:</strong></p> <ul> <li>Flags are visible in page source</li> <li>Can be modified at runtime</li> <li>Provide false sense of security</li> <li>Don't protect the actual API endpoints</li> </ul> <h2> Real-World Attack Examples </h2> <h3> Example 1: E-commerce Price Manipulation </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ❌ Vulnerable client-side pricing</span> <span class="nb">window</span><span class="p">.</span><span class="nx">__PRELOADED_STATE__</span> <span class="o">=</span> <span class="p">{</span> <span class="na">cart</span><span class="p">:</span> <span class="p">{</span> <span class="na">items</span><span class="p">:</span> <span class="p">[{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">price</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="na">quantity</span><span class="p">:</span> <span class="mi">1</span> <span class="p">}],</span> <span class="na">total</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="na">discountEligible</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Attacker modifies:</span> <span class="nb">window</span><span class="p">.</span><span class="nx">__PRELOADED_STATE__</span><span class="p">.</span><span class="nx">cart</span><span class="p">.</span><span class="nx">total</span> <span class="o">=</span> <span class="mi">1</span> <span class="nb">window</span><span class="p">.</span><span class="nx">__PRELOADED_STATE__</span><span class="p">.</span><span class="nx">cart</span><span class="p">.</span><span class="nx">discountEligible</span> <span class="o">=</span> <span class="kc">true</span> <span class="c1">// If server trusts client data, they pay $1 instead of $100</span> </code></pre> </div> <h3> Example 2: Authentication Bypass </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ❌ Client-side auth state</span> <span class="nb">window</span><span class="p">.</span><span class="nx">__USER_STATE__</span> <span class="o">=</span> <span class="p">{</span> <span class="na">isAuthenticated</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">guest</span><span class="dl">'</span><span class="p">,</span> <span class="na">permissions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">read</span><span class="dl">'</span><span class="p">]</span> <span class="p">}</span> <span class="c1">// Attacker escalates:</span> <span class="nb">window</span><span class="p">.</span><span class="nx">__USER_STATE__</span><span class="p">.</span><span class="nx">isAuthenticated</span> <span class="o">=</span> <span class="kc">true</span> <span class="nb">window</span><span class="p">.</span><span class="nx">__USER_STATE__</span><span class="p">.</span><span class="nx">role</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span> <span class="nb">window</span><span class="p">.</span><span class="nx">__USER_STATE__</span><span class="p">.</span><span class="nx">permissions</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">read</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">write</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">delete</span><span class="dl">'</span><span class="p">]</span> </code></pre> </div> <h3> Example 3: Two-Factor Authentication Skip </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ❌ Client-side 2FA flag</span> <span class="kd">const</span> <span class="nx">requires2FA</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">__SECURITY_CONFIG__</span><span class="p">.</span><span class="nx">twoFactorRequired</span> <span class="k">if </span><span class="p">(</span><span class="nx">requires2FA</span><span class="p">)</span> <span class="p">{</span> <span class="nf">showTwoFactorPrompt</span><span class="p">()</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nf">proceedToSecureArea</span><span class="p">()</span> <span class="c1">// ← Attacker sets flag to false</span> <span class="p">}</span> </code></pre> </div> <h2> The Correct Security Architecture </h2> <h3> ✅ Defense in Depth: Server-Side Validation </h3> <p><strong>Golden Rule: Never trust the client for security decisions.</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ✅ SECURE: Server-side validation</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/payment</span><span class="dl">'</span><span class="p">,</span> <span class="nx">authenticateUser</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// 1. Server determines user's actual limits</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getUserFromDatabase</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">actualCreditLimit</span> <span class="o">=</span> <span class="nx">user</span><span class="p">.</span><span class="nx">creditLimit</span> <span class="c1">// 2. Server validates against real data</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">amount</span> <span class="o">&gt;</span> <span class="nx">actualCreditLimit</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Amount exceeds credit limit</span><span class="dl">'</span><span class="p">,</span> <span class="na">maxAllowed</span><span class="p">:</span> <span class="nx">actualCreditLimit</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">// 3. Server determines feature access</span> <span class="kd">const</span> <span class="nx">serverFeatureFlags</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getFeatureFlags</span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">serverFeatureFlags</span><span class="p">.</span><span class="nx">paymentEnabled</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Feature not available</span><span class="dl">'</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">// 4. Process with server-side validation</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">processPayment</span><span class="p">({</span> <span class="na">amount</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">amount</span><span class="p">,</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">validatedLimits</span><span class="p">:</span> <span class="nx">actualCreditLimit</span> <span class="p">})</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">result</span><span class="p">)</span> <span class="p">})</span> </code></pre> </div> <h3> ✅ Client-Side: UX Only </h3> <p>Use client-side data purely for user experience, never for security:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ✅ Client-side: UX hints only</span> <span class="kd">function</span> <span class="nf">PaymentForm</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">suggestedLimit</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">__PRELOADED_STATE__</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">creditLimit</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">form</span> <span class="nx">onSubmit</span><span class="o">=</span><span class="p">{</span><span class="nx">handleSubmit</span><span class="p">}</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">input</span> <span class="nx">type</span><span class="o">=</span><span class="dl">"</span><span class="s2">number</span><span class="dl">"</span> <span class="nx">placeholder</span><span class="o">=</span><span class="p">{</span><span class="s2">`Suggested max: $</span><span class="p">${</span><span class="nx">suggestedLimit</span><span class="p">}</span><span class="s2">`</span><span class="p">}</span> <span class="c1">// ↑ Just a UX hint, not enforced</span> <span class="sr">/</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">button</span> <span class="nx">type</span><span class="o">=</span><span class="dl">"</span><span class="s2">submit</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">Pay</span> <span class="nx">Now</span> <span class="p">{</span><span class="cm">/* Server will validate everything */</span><span class="p">}</span> <span class="o">&lt;</span><span class="sr">/button</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/form</span><span class="err">&gt; </span> <span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handleSubmit</span><span class="p">(</span><span class="nx">formData</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Let server make all security decisions</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/payment</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">formData</span><span class="p">)</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Handle server's security rejections</span> <span class="kd">const</span> <span class="nx">error</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="nf">showError</span><span class="p">(</span><span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> ✅ Progressive Enhancement Pattern </h3> <p>Build your security assuming the worst:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ✅ Assume client is compromised</span> <span class="kd">const</span> <span class="nx">securePaymentFlow</span> <span class="o">=</span> <span class="p">{</span> <span class="c1">// 1. Client: Optimistic UX (can be bypassed)</span> <span class="na">clientValidation</span><span class="p">:</span> <span class="p">(</span><span class="nx">amount</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Show immediate feedback for good UX</span> <span class="c1">// But never rely on this for security</span> <span class="k">return</span> <span class="nx">amount</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="o">&amp;&amp;</span> <span class="nx">amount</span> <span class="o">&lt;=</span> <span class="nx">suggestedLimit</span> <span class="p">},</span> <span class="c1">// 2. Server: Real validation (cannot be bypassed)</span> <span class="na">serverValidation</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">userId</span><span class="p">,</span> <span class="nx">amount</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">users</span><span class="p">.</span><span class="nf">findById</span><span class="p">(</span><span class="nx">userId</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">actualLimit</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">calculateCreditLimit</span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">amount</span> <span class="o">&gt;</span> <span class="nx">actualLimit</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">SecurityError</span><span class="p">(</span><span class="dl">'</span><span class="s1">Amount exceeds verified limit</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="kc">true</span> <span class="p">},</span> <span class="c1">// 3. Payment processor: Final validation</span> <span class="na">processPayment</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">validatedAmount</span><span class="p">,</span> <span class="nx">verifiedUser</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Triple validation at payment processor level</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">paymentProvider</span><span class="p">.</span><span class="nf">charge</span><span class="p">(</span><span class="nx">validatedAmount</span><span class="p">,</span> <span class="nx">verifiedUser</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Testing Your Security </h2> <h3> Security Audit Checklist </h3> <p><strong>❌ Vulnerable patterns to look for:</strong></p> <ol> <li> <strong>Client-side security decisions:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// DANGER: Security logic in client code</span> <span class="k">if </span><span class="p">(</span><span class="nx">userRole</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nf">showAdminPanel</span><span class="p">()</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">amount</span> <span class="o">&lt;=</span> <span class="nx">creditLimit</span><span class="p">)</span> <span class="p">{</span> <span class="nf">processPayment</span><span class="p">()</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">featureEnabled</span><span class="p">)</span> <span class="p">{</span> <span class="nf">allowAccess</span><span class="p">()</span> <span class="p">}</span> </code></pre> </div> <ol> <li> <strong>Trusting client data:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// DANGER: Server trusting client input</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/action</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">isAdmin</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// ← Never trust this</span> <span class="nf">performAdminAction</span><span class="p">()</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <ol> <li> <strong>Security through obscurity:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// DANGER: Hiding instead of protecting</span> <span class="kd">const</span> <span class="nx">hiddenApiKey</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">__CONFIG__</span><span class="p">.</span><span class="nx">secretKey</span> <span class="c1">// ← Still visible</span> </code></pre> </div> <h3> Penetration Testing Exercise </h3> <p>Test your own application:</p> <ol> <li> <strong>Open DevTools</strong> → Console</li> <li> <strong>Examine global variables:</strong> <code>console.log(window)</code> </li> <li> <strong>Modify security-related data:</strong> Change user roles, limits, flags</li> <li> <strong>Test if changes affect behavior:</strong> Can you bypass restrictions?</li> <li> <strong>Try direct API calls:</strong> Use curl or Postman to bypass UI</li> <li> <strong>Check network requests:</strong> Look for sensitive data in responses</li> </ol> <p>If any of these tests reveal vulnerabilities, you have client-side security issues.</p> <h2> Best Practices Summary </h2> <h3> ✅ DO: </h3> <ul> <li>Use SSR for performance and UX</li> <li>Keep secrets server-side only</li> <li>Validate everything server-side</li> <li>Treat client data as user input (untrusted)</li> <li>Use defense in depth</li> <li>Test with adversarial mindset</li> </ul> <h3> ❌ DON'T: </h3> <ul> <li>Trust client-side security checks</li> <li>Put security logic in JavaScript</li> <li>Rely on "hidden" client data</li> <li>Trust feature flags for access control</li> <li>Skip server-side validation</li> <li>Assume SSR = security</li> </ul> <h2> Conclusion </h2> <p>Server-Side Rendering is a powerful tool for performance and user experience, but it's not a security solution. The moment any data touches the client - whether through SSR, API calls, or client-side code - it should be considered compromised from a security perspective.</p> <p><strong>Remember:</strong> SSR can hide your secrets and improve performance, but it cannot protect your application from determined attackers. Security must be implemented server-side, with client-side code treated as purely cosmetic.</p> <p>Build your applications assuming the client is hostile, validate everything server-side, and use SSR for what it's great at: delivering fast, SEO-friendly user experiences.</p> <p><em>Security is not about making attacks impossible; it's about making them pointless because the server validates everything anyway.</em></p> <h2> Additional Resources </h2> <ul> <li><a href="https://owasp.org/www-project-top-ten/" rel="noopener noreferrer">OWASP Client-Side Security Risks</a></li> <li><a href="https://developer.mozilla.org/en-US/docs/Web/Security" rel="noopener noreferrer">MDN Web Security Guidelines</a></li> <li><a href="https://www.nist.gov/cyberframework" rel="noopener noreferrer">NIST Cybersecurity Framework</a></li> </ul> <p><strong>About the Author:</strong> This article is based on real-world experience building secure e-commerce applications with server-side rendering, including hands-on analysis of production SSR implementations and their security implications.</p> webdev programming javascript ssr Marco Cheung Thu, 21 Aug 2025 13:27:33 +0000 https://dev.to/marco_cheung_/defensive-programming-the-hidden-dangers-of-spread-operators-in-request-payloads-2mda https://dev.to/marco_cheung_/defensive-programming-the-hidden-dangers-of-spread-operators-in-request-payloads-2mda <h2> The Problem: When Convenience Becomes a Security Risk </h2> <p>The JavaScript spread operator (<code>...</code>) is one of the most convenient features in modern JavaScript and TypeScript. It allows us to easily merge objects, clone arrays, and pass multiple arguments to functions. However, when it comes to constructing request payloads—especially for APIs with strict schemas like GraphQL—the spread operator can become a dangerous tool that introduces runtime errors and security vulnerabilities.</p> <h2> The Spread Operator Trap </h2> <h3> What Seems Convenient... </h3> <p>Consider this common pattern when building API request payloads:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Dangerous: Using spread operator for payload construction</span> <span class="kd">const</span> <span class="nx">createUserPayload</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">userFormData</span><span class="p">,</span> <span class="c1">// Contains: name, email, age, debugInfo, internalFlags</span> <span class="p">...</span><span class="nx">additionalData</span><span class="p">,</span> <span class="c1">// Contains: preferences, metadata, tempId</span> <span class="p">...</span><span class="nx">featureFlags</span><span class="p">,</span> <span class="c1">// Contains: enableBeta, debugMode, adminAccess</span> <span class="na">operation</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CREATE_USER</span><span class="dl">'</span> <span class="p">}</span> <span class="c1">// Send to GraphQL API</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">graphqlClient</span><span class="p">.</span><span class="nf">mutate</span><span class="p">({</span> <span class="na">mutation</span><span class="p">:</span> <span class="nx">CREATE_USER_MUTATION</span><span class="p">,</span> <span class="na">variables</span><span class="p">:</span> <span class="p">{</span> <span class="na">input</span><span class="p">:</span> <span class="nx">createUserPayload</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <h3> ...Can Break in Production </h3> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="c"># GraphQL Schema only accepts these fields:</span><span class="w"> </span><span class="k">input</span><span class="w"> </span><span class="n">CreateUserInput</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="p">:</span><span class="w"> </span><span class="nb">String</span><span class="p">!</span><span class="w"> </span><span class="n">email</span><span class="p">:</span><span class="w"> </span><span class="nb">String</span><span class="p">!</span><span class="w"> </span><span class="n">age</span><span class="p">:</span><span class="w"> </span><span class="nb">Int</span><span class="w"> </span><span class="n">preferences</span><span class="p">:</span><span class="w"> </span><span class="n">UserPreferences</span><span class="w"> </span><span class="n">operation</span><span class="p">:</span><span class="w"> </span><span class="nb">String</span><span class="p">!</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Runtime Error:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GraphQL Error: Field "debugInfo" is not defined by type "CreateUserInput" GraphQL Error: Field "internalFlags" is not defined by type "CreateUserInput" GraphQL Error: Field "tempId" is not defined by type "CreateUserInput" GraphQL Error: Field "debugMode" is not defined by type "CreateUserInput" GraphQL Error: Field "adminAccess" is not defined by type "CreateUserInput" </code></pre> </div> <h2> Why TypeScript Can't Save You </h2> <h3> Compile-Time Limitations </h3> <p>TypeScript's type checking has limitations when it comes to spread operators and dynamic object construction:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">UserFormData</span> <span class="p">{</span> <span class="nl">name</span><span class="p">:</span> <span class="kr">string</span> <span class="nx">email</span><span class="p">:</span> <span class="kr">string</span> <span class="nx">age</span><span class="p">:</span> <span class="kr">number</span> <span class="c1">// TypeScript doesn't know about these at compile time:</span> <span class="p">[</span><span class="nx">key</span><span class="p">:</span> <span class="kr">string</span><span class="p">]:</span> <span class="kr">any</span> <span class="c1">// Index signature allows anything</span> <span class="p">}</span> <span class="kr">interface</span> <span class="nx">CreateUserInput</span> <span class="p">{</span> <span class="nl">name</span><span class="p">:</span> <span class="kr">string</span> <span class="nx">email</span><span class="p">:</span> <span class="kr">string</span> <span class="nx">age</span><span class="p">?:</span> <span class="kr">number</span> <span class="nx">operation</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}</span> <span class="c1">// ❌ TypeScript allows this, but it's dangerous</span> <span class="kd">const</span> <span class="nx">payload</span><span class="p">:</span> <span class="nx">CreateUserInput</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">userFormData</span><span class="p">,</span> <span class="c1">// May contain extra fields</span> <span class="na">operation</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CREATE_USER</span><span class="dl">'</span> <span class="p">}</span> <span class="c1">// No compile-time error, but runtime failure guaranteed</span> </code></pre> </div> <h3> The Index Signature Problem </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Common anti-pattern that defeats TypeScript's safety</span> <span class="kr">interface</span> <span class="nx">FormData</span> <span class="p">{</span> <span class="p">[</span><span class="nx">key</span><span class="p">:</span> <span class="kr">string</span><span class="p">]:</span> <span class="kr">any</span> <span class="c1">// This disables type checking</span> <span class="p">}</span> <span class="c1">// ❌ Or using 'any' type</span> <span class="kd">const</span> <span class="nx">buildPayload</span> <span class="o">=</span> <span class="p">(</span><span class="nx">data</span><span class="p">:</span> <span class="kr">any</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="p">...</span><span class="nx">data</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="p">})</span> </code></pre> </div> <h2> Real-World Attack Vectors </h2> <h3> 1. Debug Information Leakage </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Development debug info accidentally sent to production</span> <span class="kd">const</span> <span class="nx">orderPayload</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">orderData</span><span class="p">,</span> <span class="p">...</span><span class="nx">debugInfo</span><span class="p">,</span> <span class="c1">// Contains: userId, sessionId, internalNotes</span> <span class="p">...{</span> <span class="c1">// Development-only fields that shouldn't reach production</span> <span class="na">debugTimestamp</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">(),</span> <span class="na">developerNotes</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Testing checkout flow</span><span class="dl">'</span><span class="p">,</span> <span class="na">internalCustomerId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">dev_12345</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> 2. Privilege Escalation </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ User input accidentally includes admin fields</span> <span class="kd">const</span> <span class="nx">userInput</span> <span class="o">=</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">John Doe</span><span class="dl">'</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">'</span><span class="s1">john@example.com</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Malicious user adds these fields:</span> <span class="na">isAdmin</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">permissions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">DELETE_USERS</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ACCESS_ADMIN_PANEL</span><span class="dl">'</span><span class="p">],</span> <span class="na">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SUPER_ADMIN</span><span class="dl">'</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">updateUserPayload</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">userInput</span><span class="p">,</span> <span class="c1">// Blindly spreads potentially malicious data</span> <span class="na">updatedAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">()</span> <span class="p">}</span> </code></pre> </div> <h3> 3. Schema Evolution Breakage </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Old code breaks when API schema changes</span> <span class="kd">const</span> <span class="nx">legacyPayload</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">oldUserData</span><span class="p">,</span> <span class="c1">// Contains deprecated fields</span> <span class="p">...</span><span class="nx">newFeatureData</span><span class="p">,</span> <span class="c1">// Contains fields not yet in schema</span> <span class="p">...</span><span class="nx">experimentalData</span> <span class="c1">// Contains A/B test fields</span> <span class="p">}</span> <span class="c1">// API schema removed 'legacyField' and doesn't recognize 'experimentalField'</span> <span class="c1">// Result: Runtime errors in production</span> </code></pre> </div> <h2> Defensive Programming Solutions </h2> <h3> 1. Explicit Field Selection with Ramda's <code>pick</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">pick</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">ramda</span><span class="dl">'</span> <span class="c1">// ✅ Safe: Explicitly define allowed fields</span> <span class="kd">const</span> <span class="nx">ALLOWED_USER_FIELDS</span> <span class="o">=</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">name</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">age</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">preferences</span><span class="dl">'</span> <span class="p">]</span> <span class="k">as</span> <span class="kd">const</span> <span class="kd">const</span> <span class="nx">createUserPayload</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nf">pick</span><span class="p">(</span><span class="nx">ALLOWED_USER_FIELDS</span><span class="p">,</span> <span class="nx">userFormData</span><span class="p">),</span> <span class="na">operation</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CREATE_USER</span><span class="dl">'</span> <span class="p">}</span> <span class="c1">// Only specified fields are included, everything else is filtered out</span> </code></pre> </div> <h3> 2. Schema-Based Validation </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ✅ Define strict interfaces without index signatures</span> <span class="kr">interface</span> <span class="nx">CreateUserInput</span> <span class="p">{</span> <span class="k">readonly</span> <span class="nx">name</span><span class="p">:</span> <span class="kr">string</span> <span class="k">readonly</span> <span class="nx">email</span><span class="p">:</span> <span class="kr">string</span> <span class="k">readonly</span> <span class="nx">age</span><span class="p">?:</span> <span class="kr">number</span> <span class="k">readonly</span> <span class="nx">preferences</span><span class="p">?:</span> <span class="nx">UserPreferences</span> <span class="k">readonly</span> <span class="nx">operation</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CREATE_USER</span><span class="dl">'</span> <span class="p">}</span> <span class="c1">// ✅ Builder pattern for safe construction</span> <span class="kd">class</span> <span class="nc">UserPayloadBuilder</span> <span class="p">{</span> <span class="k">private</span> <span class="nx">payload</span><span class="p">:</span> <span class="nb">Partial</span><span class="o">&lt;</span><span class="nx">CreateUserInput</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">{}</span> <span class="nf">setName</span><span class="p">(</span><span class="nx">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="k">this</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">payload</span><span class="p">.</span><span class="nx">name</span> <span class="o">=</span> <span class="nx">name</span> <span class="k">return</span> <span class="k">this</span> <span class="p">}</span> <span class="nf">setEmail</span><span class="p">(</span><span class="nx">email</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="k">this</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">payload</span><span class="p">.</span><span class="nx">email</span> <span class="o">=</span> <span class="nx">email</span> <span class="k">return</span> <span class="k">this</span> <span class="p">}</span> <span class="nf">setAge</span><span class="p">(</span><span class="nx">age</span><span class="p">:</span> <span class="kr">number</span><span class="p">):</span> <span class="k">this</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">payload</span><span class="p">.</span><span class="nx">age</span> <span class="o">=</span> <span class="nx">age</span> <span class="k">return</span> <span class="k">this</span> <span class="p">}</span> <span class="nf">build</span><span class="p">():</span> <span class="nx">CreateUserInput</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="k">this</span><span class="p">.</span><span class="nx">payload</span><span class="p">.</span><span class="nx">name</span> <span class="o">||</span> <span class="o">!</span><span class="k">this</span><span class="p">.</span><span class="nx">payload</span><span class="p">.</span><span class="nx">email</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Name and email are required</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">payload</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">payload</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">age</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">payload</span><span class="p">.</span><span class="nx">age</span><span class="p">,</span> <span class="na">preferences</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">payload</span><span class="p">.</span><span class="nx">preferences</span><span class="p">,</span> <span class="na">operation</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CREATE_USER</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Usage</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">UserPayloadBuilder</span><span class="p">()</span> <span class="p">.</span><span class="nf">setName</span><span class="p">(</span><span class="nx">userFormData</span><span class="p">.</span><span class="nx">name</span><span class="p">)</span> <span class="p">.</span><span class="nf">setEmail</span><span class="p">(</span><span class="nx">userFormData</span><span class="p">.</span><span class="nx">email</span><span class="p">)</span> <span class="p">.</span><span class="nf">setAge</span><span class="p">(</span><span class="nx">userFormData</span><span class="p">.</span><span class="nx">age</span><span class="p">)</span> <span class="p">.</span><span class="nf">build</span><span class="p">()</span> </code></pre> </div> <h3> 3. Functional Approach with Type Guards </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ✅ Type-safe field extraction</span> <span class="kd">const</span> <span class="nx">extractUserFields</span> <span class="o">=</span> <span class="p">(</span><span class="nx">data</span><span class="p">:</span> <span class="nx">unknown</span><span class="p">):</span> <span class="nx">CreateUserInput</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">isValidUserData</span><span class="p">(</span><span class="nx">data</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Invalid user data</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">age</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">age</span><span class="p">,</span> <span class="na">preferences</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">preferences</span><span class="p">,</span> <span class="na">operation</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CREATE_USER</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Type guard function</span> <span class="kd">function</span> <span class="nf">isValidUserData</span><span class="p">(</span><span class="nx">data</span><span class="p">:</span> <span class="kr">any</span><span class="p">):</span> <span class="nx">data</span> <span class="k">is</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="kr">string</span> <span class="na">email</span><span class="p">:</span> <span class="kr">string</span> <span class="nx">age</span><span class="p">?:</span> <span class="kr">number</span> <span class="nx">preferences</span><span class="p">?:</span> <span class="nx">UserPreferences</span> <span class="p">}</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="k">typeof</span> <span class="nx">data</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">object</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="k">typeof</span> <span class="nx">data</span><span class="p">.</span><span class="nx">name</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="k">typeof</span> <span class="nx">data</span><span class="p">.</span><span class="nx">email</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">age</span> <span class="o">===</span> <span class="kc">undefined</span> <span class="o">||</span> <span class="k">typeof</span> <span class="nx">data</span><span class="p">.</span><span class="nx">age</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">number</span><span class="dl">'</span><span class="p">)</span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> 4. Whitelist-Based Object Construction </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">pick</span><span class="p">,</span> <span class="nx">omit</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">ramda</span><span class="dl">'</span> <span class="c1">// ✅ Multiple layers of defense</span> <span class="kd">const</span> <span class="nx">buildSafePayload</span> <span class="o">=</span> <span class="p">(</span><span class="nx">rawData</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">any</span><span class="o">&gt;</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Layer 1: Remove known dangerous fields</span> <span class="kd">const</span> <span class="nx">withoutDangerousFields</span> <span class="o">=</span> <span class="nf">omit</span><span class="p">([</span> <span class="dl">'</span><span class="s1">debugInfo</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">internalFlags</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">adminAccess</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">isAdmin</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">permissions</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">sessionId</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">authToken</span><span class="dl">'</span> <span class="p">],</span> <span class="nx">rawData</span><span class="p">)</span> <span class="c1">// Layer 2: Only include allowed fields</span> <span class="kd">const</span> <span class="nx">allowedFields</span> <span class="o">=</span> <span class="nf">pick</span><span class="p">([</span> <span class="dl">'</span><span class="s1">name</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">age</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">preferences</span><span class="dl">'</span> <span class="p">],</span> <span class="nx">withoutDangerousFields</span><span class="p">)</span> <span class="c1">// Layer 3: Explicit construction with validation</span> <span class="k">return</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="nc">String</span><span class="p">(</span><span class="nx">allowedFields</span><span class="p">.</span><span class="nx">name</span> <span class="o">||</span> <span class="dl">''</span><span class="p">).</span><span class="nf">trim</span><span class="p">(),</span> <span class="na">email</span><span class="p">:</span> <span class="nc">String</span><span class="p">(</span><span class="nx">allowedFields</span><span class="p">.</span><span class="nx">email</span> <span class="o">||</span> <span class="dl">''</span><span class="p">).</span><span class="nf">toLowerCase</span><span class="p">().</span><span class="nf">trim</span><span class="p">(),</span> <span class="na">age</span><span class="p">:</span> <span class="k">typeof</span> <span class="nx">allowedFields</span><span class="p">.</span><span class="nx">age</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">number</span><span class="dl">'</span> <span class="p">?</span> <span class="nx">allowedFields</span><span class="p">.</span><span class="nx">age</span> <span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="na">preferences</span><span class="p">:</span> <span class="nx">allowedFields</span><span class="p">.</span><span class="nx">preferences</span> <span class="o">||</span> <span class="p">{},</span> <span class="na">operation</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CREATE_USER</span><span class="dl">'</span> <span class="k">as</span> <span class="kd">const</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Advanced Defensive Patterns </h2> <h3> 1. Runtime Schema Validation </h3> <p>Please refer to my another article<br> <a href="https://dev.to/marco_cheung_/client-side-graphql-variable-sanitization-preventing-runtime-errors-before-they-happen-kjn">https://dev.to/marco_cheung_/client-side-graphql-variable-sanitization-preventing-runtime-errors-before-they-happen-kjn</a></p> <h2> Performance Considerations </h2> <h3> Spread Operator Performance Impact </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Performance issues with large objects</span> <span class="kd">const</span> <span class="nx">hugeObject</span> <span class="o">=</span> <span class="p">{</span> <span class="cm">/* 10,000 properties */</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">anotherHugeObject</span> <span class="o">=</span> <span class="p">{</span> <span class="cm">/* 10,000 properties */</span> <span class="p">}</span> <span class="c1">// Creates new object with 20,000 properties - expensive!</span> <span class="kd">const</span> <span class="nx">combined</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">hugeObject</span><span class="p">,</span> <span class="p">...</span><span class="nx">anotherHugeObject</span><span class="p">,</span> <span class="na">newField</span><span class="p">:</span> <span class="dl">'</span><span class="s1">value</span><span class="dl">'</span> <span class="p">}</span> <span class="c1">// ✅ Better: Only pick what you need</span> <span class="kd">const</span> <span class="nx">optimized</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nf">pick</span><span class="p">([</span><span class="dl">'</span><span class="s1">field1</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">field2</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">field3</span><span class="dl">'</span><span class="p">],</span> <span class="nx">hugeObject</span><span class="p">),</span> <span class="p">...</span><span class="nf">pick</span><span class="p">([</span><span class="dl">'</span><span class="s1">field4</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">field5</span><span class="dl">'</span><span class="p">],</span> <span class="nx">anotherHugeObject</span><span class="p">),</span> <span class="na">newField</span><span class="p">:</span> <span class="dl">'</span><span class="s1">value</span><span class="dl">'</span> <span class="p">}</span> </code></pre> </div> <h3> Memory Usage Comparison </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Memory inefficient</span> <span class="kd">const</span> <span class="nx">createPayloads</span> <span class="o">=</span> <span class="p">(</span><span class="nx">users</span><span class="p">:</span> <span class="nx">User</span><span class="p">[])</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">users</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">user</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="p">...</span><span class="nx">user</span><span class="p">,</span> <span class="c1">// Copies all user fields (potentially 50+ fields)</span> <span class="p">...</span><span class="nx">user</span><span class="p">.</span><span class="nx">profile</span><span class="p">,</span> <span class="c1">// Copies all profile fields (potentially 30+ fields) </span> <span class="p">...</span><span class="nx">user</span><span class="p">.</span><span class="nx">settings</span><span class="p">,</span> <span class="c1">// Copies all settings (potentially 20+ fields)</span> <span class="na">timestamp</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="p">}))</span> <span class="p">}</span> <span class="c1">// ✅ Memory efficient</span> <span class="kd">const</span> <span class="nx">createOptimizedPayloads</span> <span class="o">=</span> <span class="p">(</span><span class="nx">users</span><span class="p">:</span> <span class="nx">User</span><span class="p">[])</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">users</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">user</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">avatar</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">profile</span><span class="p">?.</span><span class="nx">avatar</span><span class="p">,</span> <span class="na">theme</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">settings</span><span class="p">?.</span><span class="nx">theme</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="p">}))</span> <span class="p">}</span> </code></pre> </div> <h2> Testing Defensive Patterns </h2> <h3> 1. Property-Based Testing </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">fc</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">fast-check</span><span class="dl">'</span> <span class="c1">// ✅ Test with random malicious inputs</span> <span class="nf">describe</span><span class="p">(</span><span class="dl">'</span><span class="s1">Payload sanitization</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">should handle arbitrary malicious input</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">fc</span><span class="p">.</span><span class="nf">assert</span><span class="p">(</span> <span class="nx">fc</span><span class="p">.</span><span class="nf">property</span><span class="p">(</span> <span class="nx">fc</span><span class="p">.</span><span class="nf">record</span><span class="p">({</span> <span class="c1">// Valid fields</span> <span class="na">name</span><span class="p">:</span> <span class="nx">fc</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">email</span><span class="p">:</span> <span class="nx">fc</span><span class="p">.</span><span class="nf">emailAddress</span><span class="p">(),</span> <span class="c1">// Malicious fields</span> <span class="na">isAdmin</span><span class="p">:</span> <span class="nx">fc</span><span class="p">.</span><span class="nf">boolean</span><span class="p">(),</span> <span class="na">deleteAllUsers</span><span class="p">:</span> <span class="nx">fc</span><span class="p">.</span><span class="nf">boolean</span><span class="p">(),</span> <span class="na">__proto__</span><span class="p">:</span> <span class="nx">fc</span><span class="p">.</span><span class="nf">anything</span><span class="p">(),</span> <span class="na">constructor</span><span class="p">:</span> <span class="nx">fc</span><span class="p">.</span><span class="nf">anything</span><span class="p">()</span> <span class="p">}),</span> <span class="p">(</span><span class="nx">maliciousInput</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">sanitized</span> <span class="o">=</span> <span class="nf">buildSafePayload</span><span class="p">(</span><span class="nx">maliciousInput</span><span class="p">)</span> <span class="c1">// Should only contain allowed fields</span> <span class="nf">expect</span><span class="p">(</span><span class="nb">Object</span><span class="p">.</span><span class="nf">keys</span><span class="p">(</span><span class="nx">sanitized</span><span class="p">)).</span><span class="nf">toEqual</span><span class="p">([</span><span class="dl">'</span><span class="s1">name</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">operation</span><span class="dl">'</span><span class="p">])</span> <span class="c1">// Should not contain dangerous fields</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">sanitized</span><span class="p">).</span><span class="nx">not</span><span class="p">.</span><span class="nf">toHaveProperty</span><span class="p">(</span><span class="dl">'</span><span class="s1">isAdmin</span><span class="dl">'</span><span class="p">)</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">sanitized</span><span class="p">).</span><span class="nx">not</span><span class="p">.</span><span class="nf">toHaveProperty</span><span class="p">(</span><span class="dl">'</span><span class="s1">deleteAllUsers</span><span class="dl">'</span><span class="p">)</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">sanitized</span><span class="p">).</span><span class="nx">not</span><span class="p">.</span><span class="nf">toHaveProperty</span><span class="p">(</span><span class="dl">'</span><span class="s1">__proto__</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="p">)</span> <span class="p">)</span> <span class="p">})</span> <span class="p">})</span> </code></pre> </div> <h3> 2. Security-Focused Unit Tests </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">describe</span><span class="p">(</span><span class="dl">'</span><span class="s1">Security tests</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">should prevent prototype pollution</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">maliciousPayload</span> <span class="o">=</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">John</span><span class="dl">'</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">'</span><span class="s1">john@example.com</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">__proto__</span><span class="dl">'</span><span class="p">:</span> <span class="p">{</span> <span class="na">isAdmin</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">constructor</span><span class="dl">'</span><span class="p">:</span> <span class="p">{</span> <span class="na">prototype</span><span class="p">:</span> <span class="p">{</span> <span class="na">isAdmin</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">sanitized</span> <span class="o">=</span> <span class="nf">buildSafePayload</span><span class="p">(</span><span class="nx">maliciousPayload</span><span class="p">)</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">sanitized</span><span class="p">.</span><span class="nx">isAdmin</span><span class="p">).</span><span class="nf">toBeUndefined</span><span class="p">()</span> <span class="nf">expect</span><span class="p">(</span><span class="nb">Object</span><span class="p">.</span><span class="nx">prototype</span><span class="p">.</span><span class="nx">isAdmin</span><span class="p">).</span><span class="nf">toBeUndefined</span><span class="p">()</span> <span class="p">})</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">should handle deeply nested malicious objects</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">deepMalicious</span> <span class="o">=</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">John</span><span class="dl">'</span><span class="p">,</span> <span class="na">preferences</span><span class="p">:</span> <span class="p">{</span> <span class="na">theme</span><span class="p">:</span> <span class="dl">'</span><span class="s1">dark</span><span class="dl">'</span><span class="p">,</span> <span class="na">admin</span><span class="p">:</span> <span class="p">{</span> <span class="na">deleteUsers</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">accessLevel</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SUPER_ADMIN</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">sanitized</span> <span class="o">=</span> <span class="nf">buildSafePayload</span><span class="p">(</span><span class="nx">deepMalicious</span><span class="p">)</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">sanitized</span><span class="p">.</span><span class="nx">preferences</span><span class="p">?.</span><span class="nx">admin</span><span class="p">).</span><span class="nf">toBeUndefined</span><span class="p">()</span> <span class="p">})</span> <span class="p">})</span> </code></pre> </div> <h2> Conclusion </h2> <p>The spread operator is a powerful tool, but with great power comes great responsibility. When building request payloads for APIs—especially those with strict schemas like GraphQL—defensive programming practices are essential:</p> <h3> Key Takeaways: </h3> <ol> <li> <strong>Explicit is Better Than Implicit</strong>: Use <code>pick()</code> or explicit field selection instead of spreading entire objects</li> <li> <strong>TypeScript Isn't Enough</strong>: Runtime validation is crucial for security</li> <li> <strong>Validate at Multiple Layers</strong>: Input validation, schema validation, and business logic validation</li> <li> <strong>Test with Malicious Input</strong>: Use property-based testing to catch edge cases</li> <li> <strong>Follow Zero Trust</strong>: Never trust input data, always validate and sanitize</li> </ol> <h3> The Golden Rule: </h3> <blockquote> <p><strong>When in doubt, be explicit.</strong> It's better to write a few extra lines of code than to debug a production incident caused by unexpected fields in your API requests.</p> </blockquote> <p>By following these defensive programming practices, you can build more robust, secure, and maintainable applications that gracefully handle the unexpected—because in software development, the unexpected is the only thing you can truly expect.</p> <p><em>Remember: Security is not a feature you add later—it's a mindset you adopt from the beginning.</em> </p> webdev programming javascript graphql Marco Cheung Wed, 20 Aug 2025 16:26:05 +0000 https://dev.to/marco_cheung_/client-side-graphql-variable-sanitization-preventing-runtime-errors-before-they-happen-kjn https://dev.to/marco_cheung_/client-side-graphql-variable-sanitization-preventing-runtime-errors-before-they-happen-kjn <h2> The Problem: When Valid Code Breaks Production </h2> <p>Picture this scenario: You're working on an e-commerce application, and your frontend is sending a GraphQL mutation to create a product order. Everything works perfectly in development, but suddenly production starts throwing errors:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GraphQL Error: Field "debugTimestamp" is not defined by type "OrderInput" GraphQL Error: Field "internalFlags" is not defined by type "CustomerInput" </code></pre> </div> <p>These errors occur because your client code is sending extra fields that don't exist in your GraphQL schema. Maybe they were added during debugging, came from feature flags, or were leftover from a previous API version. Regardless of the cause, these invalid fields are breaking your production GraphQL calls.</p> <h2> The Solution: Client-Side Variable Sanitization </h2> <p>Rather than playing whack-a-mole with invalid fields, we can implement a robust client-side sanitization system that automatically removes unknown fields before sending GraphQL requests. This approach provides several key benefits:</p> <h3> 🛡️ <strong>Reliability Benefits</strong> </h3> <ul> <li> <strong>Prevents Runtime Errors</strong>: Invalid fields are caught before reaching the server</li> <li> <strong>Backward Compatibility</strong>: Gracefully handles API version mismatches</li> <li> <strong>Debug-Safe Production</strong>: Debug fields are automatically stripped in production</li> </ul> <h3> 🔧 <strong>Developer Experience Benefits</strong> </h3> <ul> <li> <strong>Automatic Cleanup</strong>: No manual field management required</li> <li> <strong>Type Safety</strong>: Works seamlessly with TypeScript</li> <li> <strong>Zero Configuration</strong>: Set it up once, works everywhere</li> </ul> <h2> Implementation Strategy </h2> <h3> Step 1: Generate Schema Metadata with GraphQL Codegen </h3> <p>First, we use GraphQL Code Generator to create a runtime-accessible schema map. This gives us a lightweight, performant way to validate fields at runtime.</p> <p><strong>codegen.yml:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">schema</span><span class="pi">:</span> <span class="s1">'</span><span class="s">https://api.example.com/graphql'</span> <span class="na">generates</span><span class="pi">:</span> <span class="c1"># Generate TypeScript types</span> <span class="na">src/types/graphql-types.ts</span><span class="pi">:</span> <span class="na">plugins</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">typescript</span> <span class="pi">-</span> <span class="s">typescript-operations</span> <span class="na">config</span><span class="pi">:</span> <span class="na">enumsAsTypes</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">skipTypename</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># Generate schema introspection for runtime validation</span> <span class="na">src/utils/schema-metadata.json</span><span class="pi">:</span> <span class="na">plugins</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">introspection</span> <span class="na">config</span><span class="pi">:</span> <span class="na">minify</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p><strong>generateSchemaMap.ts:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">fs</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span> <span class="k">import</span> <span class="nx">path</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">path</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">IntrospectionSchema</span><span class="p">,</span> <span class="nx">IntrospectionInputObjectType</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">graphql</span><span class="dl">'</span> <span class="kr">interface</span> <span class="nx">SchemaMap</span> <span class="p">{</span> <span class="p">[</span><span class="nx">inputType</span><span class="p">:</span> <span class="kr">string</span><span class="p">]:</span> <span class="p">{</span> <span class="p">[</span><span class="nx">fieldName</span><span class="p">:</span> <span class="kr">string</span><span class="p">]:</span> <span class="kr">string</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">generateSchemaMap</span><span class="p">(</span><span class="nx">introspectionData</span><span class="p">:</span> <span class="nx">IntrospectionSchema</span><span class="p">):</span> <span class="nx">SchemaMap</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">schemaMap</span><span class="p">:</span> <span class="nx">SchemaMap</span> <span class="o">=</span> <span class="p">{}</span> <span class="nx">introspectionData</span><span class="p">.</span><span class="nx">types</span> <span class="p">.</span><span class="nf">filter</span><span class="p">((</span><span class="kd">type</span><span class="p">):</span> <span class="kd">type</span> <span class="k">is</span> <span class="nx">IntrospectionInputObjectType</span> <span class="o">=&gt;</span> <span class="kd">type</span><span class="p">.</span><span class="nx">kind</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">INPUT_OBJECT</span><span class="dl">'</span> <span class="p">)</span> <span class="p">.</span><span class="nf">forEach</span><span class="p">((</span><span class="nx">inputType</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">schemaMap</span><span class="p">[</span><span class="nx">inputType</span><span class="p">.</span><span class="nx">name</span><span class="p">]</span> <span class="o">=</span> <span class="p">{}</span> <span class="nx">inputType</span><span class="p">.</span><span class="nx">inputFields</span><span class="p">.</span><span class="nf">forEach</span><span class="p">((</span><span class="nx">field</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">schemaMap</span><span class="p">[</span><span class="nx">inputType</span><span class="p">.</span><span class="nx">name</span><span class="p">][</span><span class="nx">field</span><span class="p">.</span><span class="nx">name</span><span class="p">]</span> <span class="o">=</span> <span class="nx">field</span><span class="p">.</span><span class="kd">type</span><span class="p">.</span><span class="nf">toString</span><span class="p">()</span> <span class="p">})</span> <span class="p">})</span> <span class="k">return</span> <span class="nx">schemaMap</span> <span class="p">}</span> <span class="c1">// Generate the runtime schema map</span> <span class="kd">const</span> <span class="nx">introspectionPath</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">schema-metadata.json</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">introspectionData</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="nx">introspectionPath</span><span class="p">,</span> <span class="dl">'</span><span class="s1">utf-8</span><span class="dl">'</span><span class="p">))</span> <span class="kd">const</span> <span class="nx">schemaMap</span> <span class="o">=</span> <span class="nf">generateSchemaMap</span><span class="p">(</span><span class="nx">introspectionData</span><span class="p">.</span><span class="nx">data</span><span class="p">)</span> <span class="c1">// Export as a TypeScript module</span> <span class="kd">const</span> <span class="nx">outputContent</span> <span class="o">=</span> <span class="s2">`// Auto-generated schema map for runtime validation // Generated on: </span><span class="p">${</span><span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">()}</span><span class="s2"> // DO NOT EDIT MANUALLY export const schemaMap: Record&lt;string, Record&lt;string, string&gt;&gt; = </span><span class="p">${</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">schemaMap</span><span class="p">,</span> <span class="kc">null</span><span class="p">,</span> <span class="mi">2</span><span class="p">)}</span><span class="s2"> `</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">writeFileSync</span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">schemaMap.ts</span><span class="dl">'</span><span class="p">),</span> <span class="nx">outputContent</span><span class="p">)</span> </code></pre> </div> <p>This generates a lightweight schema map like:</p> <p><strong>schemaMap.ts:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">schemaMap</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;&gt;</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">OrderInput</span><span class="dl">"</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">productId</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">String!</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">quantity</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Int!</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">customerInfo</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">CustomerInput!</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">paymentInfo</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">PaymentInput</span><span class="dl">"</span> <span class="p">},</span> <span class="dl">"</span><span class="s2">CustomerInput</span><span class="dl">"</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">firstName</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">String!</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">lastName</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">String!</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">email</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">String!</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">phone</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">String</span><span class="dl">"</span> <span class="p">},</span> <span class="dl">"</span><span class="s2">PaymentInput</span><span class="dl">"</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">creditCardNumber</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">String!</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">expiryDate</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">String!</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">cvv</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">String!</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">billingAddress</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">AddressInput</span><span class="dl">"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Step 2: Implement the Sanitization Function </h3> <p>Now we create a sanitization function that recursively cleans GraphQL variables:</p> <p><strong>sanitizeGraphQLVariables.ts:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">schemaMap</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./schemaMap</span><span class="dl">'</span> <span class="kr">interface</span> <span class="nx">SanitizationOptions</span> <span class="p">{</span> <span class="nl">enableLogging</span><span class="p">?:</span> <span class="nx">boolean</span> <span class="nx">strictMode</span><span class="p">?:</span> <span class="nx">boolean</span> <span class="p">}</span> <span class="kr">interface</span> <span class="nx">SanitizationResult</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span> <span class="p">{</span> <span class="na">sanitizedVariables</span><span class="p">:</span> <span class="nx">T</span> <span class="na">removedFields</span><span class="p">:</span> <span class="kr">string</span><span class="p">[]</span> <span class="na">warnings</span><span class="p">:</span> <span class="kr">string</span><span class="p">[]</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">sanitizeGraphQLVariables</span><span class="o">&lt;</span><span class="nx">T</span> <span class="kd">extends</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">any</span><span class="o">&gt;&gt;</span><span class="p">(</span> <span class="nx">variables</span><span class="p">:</span> <span class="nx">T</span><span class="p">,</span> <span class="nx">operation</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">options</span><span class="p">:</span> <span class="nx">SanitizationOptions</span> <span class="o">=</span> <span class="p">{}</span> <span class="p">):</span> <span class="nx">SanitizationResult</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">enableLogging</span> <span class="o">=</span> <span class="kc">false</span><span class="p">,</span> <span class="nx">strictMode</span> <span class="o">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">options</span> <span class="kd">const</span> <span class="na">removedFields</span><span class="p">:</span> <span class="kr">string</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[]</span> <span class="kd">const</span> <span class="na">warnings</span><span class="p">:</span> <span class="kr">string</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[]</span> <span class="kd">function</span> <span class="nf">sanitizeObject</span><span class="p">(</span> <span class="na">obj</span><span class="p">:</span> <span class="kr">any</span><span class="p">,</span> <span class="na">schemaTypeName</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="kr">string</span> <span class="o">=</span> <span class="dl">''</span> <span class="p">):</span> <span class="kr">any</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">obj</span> <span class="o">||</span> <span class="k">typeof</span> <span class="nx">obj</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">object</span><span class="dl">'</span> <span class="o">||</span> <span class="nb">Array</span><span class="p">.</span><span class="nf">isArray</span><span class="p">(</span><span class="nx">obj</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">obj</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">schema</span> <span class="o">=</span> <span class="nx">schemaMap</span><span class="p">[</span><span class="nx">schemaTypeName</span><span class="p">]</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">schema</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">strictMode</span><span class="p">)</span> <span class="p">{</span> <span class="nx">warnings</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="s2">`Unknown schema type: </span><span class="p">${</span><span class="nx">schemaTypeName</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">obj</span> <span class="p">}</span> <span class="kd">const</span> <span class="na">sanitized</span><span class="p">:</span> <span class="kr">any</span> <span class="o">=</span> <span class="p">{}</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">keys</span><span class="p">(</span><span class="nx">obj</span><span class="p">).</span><span class="nf">forEach</span><span class="p">((</span><span class="nx">key</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">fieldPath</span> <span class="o">=</span> <span class="nx">path</span> <span class="p">?</span> <span class="s2">`</span><span class="p">${</span><span class="nx">path</span><span class="p">}</span><span class="s2">.</span><span class="p">${</span><span class="nx">key</span><span class="p">}</span><span class="s2">`</span> <span class="p">:</span> <span class="nx">key</span> <span class="k">if </span><span class="p">(</span><span class="nx">schema</span><span class="p">[</span><span class="nx">key</span><span class="p">])</span> <span class="p">{</span> <span class="c1">// Field exists in schema, process it</span> <span class="kd">const</span> <span class="nx">fieldType</span> <span class="o">=</span> <span class="nx">schema</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span> <span class="kd">const</span> <span class="nx">value</span> <span class="o">=</span> <span class="nx">obj</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span> <span class="k">if </span><span class="p">(</span><span class="nx">value</span> <span class="o">!==</span> <span class="kc">null</span> <span class="o">&amp;&amp;</span> <span class="nx">value</span> <span class="o">!==</span> <span class="kc">undefined</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Handle nested objects</span> <span class="kd">const</span> <span class="nx">nestedTypeName</span> <span class="o">=</span> <span class="nf">extractTypeName</span><span class="p">(</span><span class="nx">fieldType</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">schemaMap</span><span class="p">[</span><span class="nx">nestedTypeName</span><span class="p">])</span> <span class="p">{</span> <span class="nx">sanitized</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span> <span class="o">=</span> <span class="nf">sanitizeObject</span><span class="p">(</span><span class="nx">value</span><span class="p">,</span> <span class="nx">nestedTypeName</span><span class="p">,</span> <span class="nx">fieldPath</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">sanitized</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span> <span class="o">=</span> <span class="nx">value</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">sanitized</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span> <span class="o">=</span> <span class="nx">value</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c1">// Field doesn't exist in schema, remove it</span> <span class="nx">removedFields</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">fieldPath</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">enableLogging</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="s2">`Removed invalid field: </span><span class="p">${</span><span class="nx">fieldPath</span><span class="p">}</span><span class="s2"> from </span><span class="p">${</span><span class="nx">schemaTypeName</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> <span class="k">return</span> <span class="nx">sanitized</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">extractTypeName</span><span class="p">(</span><span class="na">fieldType</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="c1">// Remove GraphQL type modifiers (!, [])</span> <span class="k">return</span> <span class="nx">fieldType</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">[</span><span class="sr">!</span><span class="se">\[\]]</span><span class="sr">/g</span><span class="p">,</span> <span class="dl">''</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// Determine root input type from operation</span> <span class="kd">const</span> <span class="nx">rootTypeName</span> <span class="o">=</span> <span class="nf">inferRootTypeName</span><span class="p">(</span><span class="nx">operation</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">sanitizedVariables</span> <span class="o">=</span> <span class="nf">sanitizeObject</span><span class="p">(</span><span class="nx">variables</span><span class="p">,</span> <span class="nx">rootTypeName</span><span class="p">)</span> <span class="k">as</span> <span class="nx">T</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">sanitizedVariables</span><span class="p">,</span> <span class="nx">removedFields</span><span class="p">,</span> <span class="nx">warnings</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">inferRootTypeName</span><span class="p">(</span><span class="nx">operation</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="c1">// Simple heuristic to determine input type from operation name</span> <span class="k">if </span><span class="p">(</span><span class="nx">operation</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">createOrder</span><span class="dl">'</span><span class="p">))</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">OrderInput</span><span class="dl">'</span> <span class="k">if </span><span class="p">(</span><span class="nx">operation</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">updateCustomer</span><span class="dl">'</span><span class="p">))</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">CustomerInput</span><span class="dl">'</span> <span class="k">if </span><span class="p">(</span><span class="nx">operation</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">processPayment</span><span class="dl">'</span><span class="p">))</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">PaymentInput</span><span class="dl">'</span> <span class="c1">// Default fallback</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">GenericInput</span><span class="dl">'</span> <span class="p">}</span> </code></pre> </div> <h3> Step 3: Integrate with GraphQL Client </h3> <p>Finally, we integrate the sanitization into our GraphQL client:</p> <p><strong>graphqlClient.ts:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">GraphQLClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">graphql-request</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">sanitizeGraphQLVariables</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./sanitizeGraphQLVariables</span><span class="dl">'</span> <span class="kr">interface</span> <span class="nx">GraphQLRequestOptions</span> <span class="p">{</span> <span class="nl">enableSanitization</span><span class="p">?:</span> <span class="nx">boolean</span> <span class="nx">sanitizationOptions</span><span class="p">?:</span> <span class="nx">SanitizationOptions</span> <span class="p">}</span> <span class="kd">class</span> <span class="nc">EnhancedGraphQLClient</span> <span class="p">{</span> <span class="k">private</span> <span class="nx">client</span><span class="p">:</span> <span class="nx">GraphQLClient</span> <span class="k">private</span> <span class="nx">enableSanitization</span><span class="p">:</span> <span class="nx">boolean</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">endpoint</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">enableSanitization</span><span class="p">:</span> <span class="nx">boolean</span> <span class="o">=</span> <span class="kc">true</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">GraphQLClient</span><span class="p">(</span><span class="nx">endpoint</span><span class="p">)</span> <span class="k">this</span><span class="p">.</span><span class="nx">enableSanitization</span> <span class="o">=</span> <span class="nx">enableSanitization</span> <span class="p">}</span> <span class="k">async</span> <span class="nx">request</span><span class="o">&lt;</span><span class="nx">T</span> <span class="o">=</span> <span class="kr">any</span><span class="o">&gt;</span><span class="p">(</span> <span class="nx">query</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">variables</span><span class="p">?:</span> <span class="kr">any</span><span class="p">,</span> <span class="nx">options</span><span class="p">:</span> <span class="nx">GraphQLRequestOptions</span> <span class="o">=</span> <span class="p">{}</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">finalVariables</span> <span class="o">=</span> <span class="nx">variables</span> <span class="k">if </span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">enableSanitization</span> <span class="o">&amp;&amp;</span> <span class="nx">variables</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">operationName</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">extractOperationName</span><span class="p">(</span><span class="nx">query</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nf">sanitizeGraphQLVariables</span><span class="p">(</span> <span class="nx">variables</span><span class="p">,</span> <span class="nx">operationName</span><span class="p">,</span> <span class="nx">options</span><span class="p">.</span><span class="nx">sanitizationOptions</span> <span class="p">)</span> <span class="nx">finalVariables</span> <span class="o">=</span> <span class="nx">result</span><span class="p">.</span><span class="nx">sanitizedVariables</span> <span class="c1">// Log removed fields in development</span> <span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">development</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nx">result</span><span class="p">.</span><span class="nx">removedFields</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">group</span><span class="p">(</span><span class="s2">`🧹 GraphQL Sanitization - </span><span class="p">${</span><span class="nx">operationName</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="nx">console</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="dl">'</span><span class="s1">Removed fields:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">result</span><span class="p">.</span><span class="nx">removedFields</span><span class="p">)</span> <span class="nx">console</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="dl">'</span><span class="s1">Original variables:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">variables</span><span class="p">)</span> <span class="nx">console</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="dl">'</span><span class="s1">Sanitized variables:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">finalVariables</span><span class="p">)</span> <span class="nx">console</span><span class="p">.</span><span class="nf">groupEnd</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">client</span><span class="p">.</span><span class="nx">request</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span><span class="p">(</span><span class="nx">query</span><span class="p">,</span> <span class="nx">finalVariables</span><span class="p">)</span> <span class="p">}</span> <span class="k">private</span> <span class="nf">extractOperationName</span><span class="p">(</span><span class="nx">query</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">match</span> <span class="o">=</span> <span class="nx">query</span><span class="p">.</span><span class="nf">match</span><span class="p">(</span><span class="sr">/</span><span class="se">(?:</span><span class="sr">mutation|query</span><span class="se">)\s</span><span class="sr">+</span><span class="se">(\w</span><span class="sr">+</span><span class="se">)</span><span class="sr">/</span><span class="p">)</span> <span class="k">return</span> <span class="nx">match</span> <span class="p">?</span> <span class="nx">match</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">UnknownOperation</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">graphqlClient</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">EnhancedGraphQLClient</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GRAPHQL_ENDPOINT</span><span class="o">!</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span> <span class="c1">// Enable in production</span> <span class="p">)</span> </code></pre> </div> <h2> Real-World Usage Examples </h2> <h3> Example 1: Product Order with Debug Data </h3> <p><strong>Before Sanitization:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">createOrderMutation</span> <span class="o">=</span> <span class="s2">` mutation createProductOrder($input: OrderInput!) { createOrder(input: $input) { id orderNumber status } } `</span> <span class="c1">// This payload contains invalid debug fields</span> <span class="kd">const</span> <span class="nx">variables</span> <span class="o">=</span> <span class="p">{</span> <span class="na">input</span><span class="p">:</span> <span class="p">{</span> <span class="na">productId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">prod_123</span><span class="dl">"</span><span class="p">,</span> <span class="na">quantity</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">customerInfo</span><span class="p">:</span> <span class="p">{</span> <span class="na">firstName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">John</span><span class="dl">"</span><span class="p">,</span> <span class="na">lastName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Doe</span><span class="dl">"</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">"</span><span class="s2">john@example.com</span><span class="dl">"</span><span class="p">,</span> <span class="na">phone</span><span class="p">:</span> <span class="dl">"</span><span class="s2">+1234567890</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// ❌ Invalid fields that would break the GraphQL call</span> <span class="na">debugUserId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">debug_123</span><span class="dl">"</span><span class="p">,</span> <span class="na">internalFlags</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">testing</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">debug</span><span class="dl">"</span><span class="p">]</span> <span class="p">},</span> <span class="na">paymentInfo</span><span class="p">:</span> <span class="p">{</span> <span class="na">creditCardNumber</span><span class="p">:</span> <span class="dl">"</span><span class="s2">4111111111111111</span><span class="dl">"</span><span class="p">,</span> <span class="na">expiryDate</span><span class="p">:</span> <span class="dl">"</span><span class="s2">12/25</span><span class="dl">"</span><span class="p">,</span> <span class="na">cvv</span><span class="p">:</span> <span class="dl">"</span><span class="s2">123</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// ❌ Invalid field</span> <span class="na">debugTransactionId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">debug_txn_456</span><span class="dl">"</span> <span class="p">},</span> <span class="c1">// ❌ Invalid field</span> <span class="na">requestTimestamp</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// This would throw an error without sanitization</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">graphqlClient</span><span class="p">.</span><span class="nf">request</span><span class="p">(</span><span class="nx">createOrderMutation</span><span class="p">,</span> <span class="nx">variables</span><span class="p">)</span> </code></pre> </div> <p><strong>After Sanitization:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// The sanitizer automatically removes invalid fields:</span> <span class="c1">// ✅ Removed: input.customerInfo.debugUserId</span> <span class="c1">// ✅ Removed: input.customerInfo.internalFlags </span> <span class="c1">// ✅ Removed: input.paymentInfo.debugTransactionId</span> <span class="c1">// ✅ Removed: input.requestTimestamp</span> <span class="c1">// Final sanitized payload sent to server:</span> <span class="p">{</span> <span class="nl">input</span><span class="p">:</span> <span class="p">{</span> <span class="na">productId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">prod_123</span><span class="dl">"</span><span class="p">,</span> <span class="na">quantity</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">customerInfo</span><span class="p">:</span> <span class="p">{</span> <span class="na">firstName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">John</span><span class="dl">"</span><span class="p">,</span> <span class="na">lastName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Doe</span><span class="dl">"</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">"</span><span class="s2">john@example.com</span><span class="dl">"</span><span class="p">,</span> <span class="na">phone</span><span class="p">:</span> <span class="dl">"</span><span class="s2">+1234567890</span><span class="dl">"</span> <span class="p">},</span> <span class="na">paymentInfo</span><span class="p">:</span> <span class="p">{</span> <span class="na">creditCardNumber</span><span class="p">:</span> <span class="dl">"</span><span class="s2">4111111111111111</span><span class="dl">"</span><span class="p">,</span> <span class="na">expiryDate</span><span class="p">:</span> <span class="dl">"</span><span class="s2">12/25</span><span class="dl">"</span><span class="p">,</span> <span class="na">cvv</span><span class="p">:</span> <span class="dl">"</span><span class="s2">123</span><span class="dl">"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Example 2: Feature Flag Integration </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Feature-flagged fields are automatically handled</span> <span class="kd">const</span> <span class="nx">updateCustomerMutation</span> <span class="o">=</span> <span class="s2">` mutation updateCustomerProfile($input: CustomerInput!) { updateCustomer(input: $input) { id profile { firstName lastName email } } } `</span> <span class="kd">const</span> <span class="nx">variables</span> <span class="o">=</span> <span class="p">{</span> <span class="na">input</span><span class="p">:</span> <span class="p">{</span> <span class="na">firstName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Jane</span><span class="dl">"</span><span class="p">,</span> <span class="na">lastName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Smith</span><span class="dl">"</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">"</span><span class="s2">jane@example.com</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// This field might exist in some API versions but not others</span> <span class="p">...(</span><span class="nx">featureFlags</span><span class="p">.</span><span class="nx">enableLoyaltyProgram</span> <span class="o">&amp;&amp;</span> <span class="p">{</span> <span class="na">loyaltyMemberId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">loyalty_123</span><span class="dl">"</span> <span class="p">}),</span> <span class="c1">// Debug fields that should never reach production</span> <span class="p">...(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">development</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="p">{</span> <span class="na">debugNotes</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Testing customer update</span><span class="dl">"</span><span class="p">,</span> <span class="na">developerInfo</span><span class="p">:</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">dev_user_123</span><span class="dl">"</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Sanitization ensures only valid fields are sent</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">graphqlClient</span><span class="p">.</span><span class="nf">request</span><span class="p">(</span><span class="nx">updateCustomerMutation</span><span class="p">,</span> <span class="nx">variables</span><span class="p">)</span> </code></pre> </div> <h2> Feature Flags and Environment Support </h2> <p>You can easily integrate sanitization with feature flags:</p> <p><strong>featureFlaggedSanitization.ts:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">FeatureFlags</span> <span class="p">{</span> <span class="nl">enableGraphQLSanitization</span><span class="p">:</span> <span class="nx">boolean</span> <span class="nx">strictModeValidation</span><span class="p">:</span> <span class="nx">boolean</span> <span class="nx">enableSanitizationLogging</span><span class="p">:</span> <span class="nx">boolean</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">createSanitizationOptions</span><span class="p">(</span><span class="nx">featureFlags</span><span class="p">:</span> <span class="nx">FeatureFlags</span><span class="p">):</span> <span class="nx">SanitizationOptions</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">enableLogging</span><span class="p">:</span> <span class="nx">featureFlags</span><span class="p">.</span><span class="nx">enableSanitizationLogging</span> <span class="o">&amp;&amp;</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">development</span><span class="dl">'</span><span class="p">,</span> <span class="na">strictMode</span><span class="p">:</span> <span class="nx">featureFlags</span><span class="p">.</span><span class="nx">strictModeValidation</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Usage in GraphQL client</span> <span class="kd">const</span> <span class="nx">sanitizationEnabled</span> <span class="o">=</span> <span class="nx">featureFlags</span><span class="p">.</span><span class="nx">enableGraphQLSanitization</span> <span class="kd">const</span> <span class="nx">sanitizationOptions</span> <span class="o">=</span> <span class="nf">createSanitizationOptions</span><span class="p">(</span><span class="nx">featureFlags</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">graphqlClient</span><span class="p">.</span><span class="nf">request</span><span class="p">(</span> <span class="nx">query</span><span class="p">,</span> <span class="nx">variables</span><span class="p">,</span> <span class="p">{</span> <span class="na">enableSanitization</span><span class="p">:</span> <span class="nx">sanitizationEnabled</span><span class="p">,</span> <span class="nx">sanitizationOptions</span> <span class="p">}</span> <span class="p">)</span> </code></pre> </div> <h2> Testing Strategy </h2> <h3> Unit Tests for Sanitization </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">describe</span><span class="p">(</span><span class="dl">'</span><span class="s1">GraphQL Variable Sanitization</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">should remove invalid fields from nested objects</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">input</span> <span class="o">=</span> <span class="p">{</span> <span class="na">validField</span><span class="p">:</span> <span class="dl">'</span><span class="s1">keep me</span><span class="dl">'</span><span class="p">,</span> <span class="na">invalidField</span><span class="p">:</span> <span class="dl">'</span><span class="s1">remove me</span><span class="dl">'</span><span class="p">,</span> <span class="na">nestedObject</span><span class="p">:</span> <span class="p">{</span> <span class="na">validNested</span><span class="p">:</span> <span class="dl">'</span><span class="s1">keep me too</span><span class="dl">'</span><span class="p">,</span> <span class="na">invalidNested</span><span class="p">:</span> <span class="dl">'</span><span class="s1">remove me too</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nf">sanitizeGraphQLVariables</span><span class="p">(</span><span class="nx">input</span><span class="p">,</span> <span class="dl">'</span><span class="s1">TestInput</span><span class="dl">'</span><span class="p">)</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">sanitizedVariables</span><span class="p">).</span><span class="nf">toEqual</span><span class="p">({</span> <span class="na">validField</span><span class="p">:</span> <span class="dl">'</span><span class="s1">keep me</span><span class="dl">'</span><span class="p">,</span> <span class="na">nestedObject</span><span class="p">:</span> <span class="p">{</span> <span class="na">validNested</span><span class="p">:</span> <span class="dl">'</span><span class="s1">keep me too</span><span class="dl">'</span> <span class="p">}</span> <span class="p">})</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">removedFields</span><span class="p">).</span><span class="nf">toEqual</span><span class="p">([</span> <span class="dl">'</span><span class="s1">invalidField</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">nestedObject.invalidNested</span><span class="dl">'</span> <span class="p">])</span> <span class="p">})</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">should handle arrays and null values correctly</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">input</span> <span class="o">=</span> <span class="p">{</span> <span class="na">validArray</span><span class="p">:</span> <span class="p">[{</span> <span class="na">validField</span><span class="p">:</span> <span class="dl">'</span><span class="s1">test</span><span class="dl">'</span> <span class="p">}],</span> <span class="na">nullValue</span><span class="p">:</span> <span class="kc">null</span><span class="p">,</span> <span class="na">undefinedValue</span><span class="p">:</span> <span class="kc">undefined</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nf">sanitizeGraphQLVariables</span><span class="p">(</span><span class="nx">input</span><span class="p">,</span> <span class="dl">'</span><span class="s1">TestInput</span><span class="dl">'</span><span class="p">)</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">sanitizedVariables</span><span class="p">.</span><span class="nx">nullValue</span><span class="p">).</span><span class="nf">toBeNull</span><span class="p">()</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">sanitizedVariables</span><span class="p">.</span><span class="nx">undefinedValue</span><span class="p">).</span><span class="nf">toBeUndefined</span><span class="p">()</span> <span class="p">})</span> <span class="p">})</span> </code></pre> </div> <h3> Integration Tests </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">describe</span><span class="p">(</span><span class="dl">'</span><span class="s1">GraphQL Client Integration</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">should successfully create order after sanitization</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">dirtyVariables</span> <span class="o">=</span> <span class="p">{</span> <span class="c1">// Include both valid and invalid fields</span> <span class="na">input</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">validOrderData</span><span class="p">,</span> <span class="p">...</span><span class="nx">invalidDebugFields</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Should not throw an error despite invalid fields</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">graphqlClient</span><span class="p">.</span><span class="nf">request</span><span class="p">(</span> <span class="nx">CREATE_ORDER_MUTATION</span><span class="p">,</span> <span class="nx">dirtyVariables</span> <span class="p">)</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">createOrder</span><span class="p">.</span><span class="nx">id</span><span class="p">).</span><span class="nf">toBeDefined</span><span class="p">()</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">createOrder</span><span class="p">.</span><span class="nx">orderNumber</span><span class="p">).</span><span class="nf">toBeDefined</span><span class="p">()</span> <span class="p">})</span> <span class="p">})</span> </code></pre> </div> <h2> Conclusion </h2> <p>Client-side GraphQL variable sanitization is a powerful technique that provides multiple benefits:</p> <ol> <li> <strong>Prevents Runtime Errors</strong>: Eliminates GraphQL errors caused by invalid fields</li> <li> <strong>Enhances Developer Experience</strong>: Automatic cleanup without manual intervention</li> <li> <strong>Increases Reliability</strong>: Makes your application more resilient to API changes</li> </ol> <p>By leveraging GraphQL Code Generator to create runtime schema maps and implementing a lightweight sanitization layer, you can build more robust and performant GraphQL applications.</p> <p>The key to success is implementing this as an automatic, zero-configuration system that works seamlessly with your existing GraphQL client. Once set up, it provides ongoing protection against field-related errors while optimizing your network requests.</p> <h2> Implementation Checklist </h2> <ul> <li>[ ] Set up GraphQL Code Generator with introspection plugin</li> <li>[ ] Generate runtime schema map from introspection data </li> <li>[ ] Implement sanitization function with proper TypeScript types</li> <li>[ ] Integrate with your GraphQL client</li> <li>[ ] Add feature flag support for different environments</li> <li>[ ] Write comprehensive unit and integration tests</li> <li>[ ] Monitor performance impact and error reduction</li> <li>[ ] Document the system for your team</li> </ul> <p>Start with a simple implementation and gradually add more sophisticated features like strict mode validation, detailed logging, and advanced type inference. Your future self (and your production error logs) will thank you! </p> webdev programming javascript graphql