This endpoint sits on the tarheel.us Cloudflare zone, which has API Shield enabled. A WAF Custom Rule is deployed in front of it that blocks GraphQL queries exceeding documented size or depth thresholds. This is the real product, not a simulation — malicious requests are filtered at the Cloudflare edge before they ever reach this Worker.
(http.host eq "graphql.tarheel.us"
and ends_with(http.request.uri.path, "/graphql")
and cf.api_gateway.graphql.parsed_successfully
and (cf.api_gateway.graphql.query_size > 30
or cf.api_gateway.graphql.query_depth > 7)) → Block
Thresholds match the recommended baseline in Cloudflare's API Shield docs (size > 30 leaf fields OR depth > 7 levels).
Benign — reaches the origin: 200 OK
curl -X POST https://graphql.tarheel.us/graphql \
-H 'Content-Type: application/json' \
-d '{"query":"{ user(id: \"42\") { id name } }"}'
Oversized — blocked at the edge: 403
curl -X POST https://graphql.tarheel.us/graphql \
-H 'Content-Type: application/json' \
-d '{"query":"{ user { f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 } }"}'
Deeply nested — blocked at the edge: 403
curl -X POST https://graphql.tarheel.us/graphql \
-H 'Content-Type: application/json' \
-d '{"query":"{ a { b { c { d { e { f { g { h { i { j } } } } } } } } } }"}'
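To see why the three payloads above land on different sides of the rule, here is an added example (not code from the tarheel.us demo, the cf-demo-app Worker, or Cloudflare) that scores a request body locally using the same two metrics the rule compares. It assumes query_size means the number of leaf fields and query_depth means the deepest nesting of selection sets with the outermost braces counted as level 1; that is an approximation of the documented semantics, not Cloudflare's parser, and it ignores fragments, directives and variables.

```javascript
// Added example, not the demo's or Cloudflare's code: a local approximation of the
// query_size / query_depth fields the WAF rule evaluates, so a payload can be
// scored before it is sent to the edge.
// Assumptions (not Cloudflare's implementation):
//   query_size  = number of leaf fields (fields with no selection set)
//   query_depth = deepest nesting of selection sets (outermost braces = 1)
// Fragments, directives and variables are not handled.
const SIZE_LIMIT = 30;   // mirrors the deployed rule: query_size > 30
const DEPTH_LIMIT = 7;   // mirrors the deployed rule: query_depth > 7

// Remove string literals and argument lists so braces inside them are not counted.
function stripArgsAndStrings(query) {
  return query
    .replace(/"(?:\\.|[^"\\])*"/g, '""')
    .replace(/\([^()]*\)/g, '');
}

// Reduce the query to '{', '}' and bare names.
function tokenize(query) {
  return stripArgsAndStrings(query).match(/[{}]|[A-Za-z_][A-Za-z0-9_]*/g) || [];
}

// Compute the two metrics the rule compares against its thresholds.
function analyze(query) {
  const tokens = tokenize(query);
  let depth = 0, maxDepth = 0, size = 0;
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (t === '{') {
      depth += 1;
      maxDepth = Math.max(maxDepth, depth);
    } else if (t === '}') {
      depth -= 1;
      if (depth < 0) throw new Error('unbalanced selection set');
    } else if (depth > 0 && tokens[i + 1] !== '{') {
      size += 1;  // a name inside a selection set with no sub-selection is a leaf
    }
  }
  if (depth !== 0) throw new Error('unbalanced selection set');
  return { size, depth: maxDepth };
}

// Mirror the rule's decision: block when either metric exceeds its threshold.
function decide(body) {
  const { query } = JSON.parse(body);
  const m = analyze(query);
  const blocked = m.size > SIZE_LIMIT || m.depth > DEPTH_LIMIT;
  return { size: m.size, depth: m.depth, action: blocked ? 'Block' : 'Allow' };
}

// The three request bodies from the curl examples above, constructed inline.
const SAMPLES = {
  benign: '{"query":"{ user(id: \\"42\\") { id name } }"}',
  oversized: '{"query":"{ user { ' +
    Array.from({ length: 40 }, (_, i) => `f${i + 1}`).join(' ') + ' } }"}',
  deep: '{"query":"{ a { b { c { d { e { f { g { h { i { j } } } } } } } } } }"}',
};

// Score every sample and return the verdicts keyed by sample name.
function scoreSamples() {
  const out = {};
  for (const [name, body] of Object.entries(SAMPLES)) out[name] = decide(body);
  return out;
}

console.log(JSON.stringify(scoreSamples(), null, 2));
```

Running it reports the benign body as size 2 / depth 2 (Allow), the oversized body as size 40 (Block on query_size), and the nested body as depth 10 (Block on query_depth). Note that the rule also requires cf.api_gateway.graphql.parsed_successfully, so a body this scorer rejects as unbalanced would not match the rule at all and would fall through to whatever other rules and the origin do with a malformed query.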
Run all 4 payloads end-to-end:
./scripts/graphql-attack.sh https://graphql.tarheel.us/graphql
Use scripts/graphql-shield-setup.sh in cf-demo-app — fill in your Zone ID and API token at the top, run it, and the script deploys the rule and runs the attacks for you.
If you don't have an Enterprise zone with API Shield to deploy a real rule, the same endpoint runs in simulation mode at cf-demo-app.dustinburke23nc.workers.dev/graphql — identical response shapes, no real WAF, no Cloudflare account required.