Explain GraphQL Query Complexity Controls.

GraphQL query complexity controls are techniques to limit how much work a single query can demand, using rules like cost analysis, depth limits, and timeouts to prevent server overload.

When to Use

• Public APIs where clients are untrusted
• Applications with deeply nested queries
• Multi-tenant systems to enforce fair resource usage
• Preventing DoS attacks and runaway database calls

Example

If a query requests user → posts → comments → likes, you can:

• Assign costs: user=1, posts=3, comments=5, likes=2
• Compute total = 1 + 3 + 5 + 2 = 11
• Reject queries over a set threshold (e.g., 1,000).

Want to practice API hardening and rate-limiting patterns? Explore Grokking System Design Fundamentals, Grokking the Coding Interview, or book Mock Interviews with ex-FAANG engineers.

Why Is It Important

• Protects latency and reliability
• Keeps performance predictable under load
• Stops abuse from overly complex or malicious queries

Interview Tips

• Explain AST traversal for cost analysis
• Mention placement: gateway vs. server middleware
• Bring up complementary techniques: persisted queries, allowlists, per-role query budgets

Trade-offs

• Predictable performance, fairness, safer APIs
• Extra overhead, tuning complexity, risk of blocking legitimate large queries

Pitfalls

• Only using depth limits (breadth can still explode)
• Forgetting aliases or fragments in cost calculation
• Not capping list sizes
• Applying the same limits to all user roles