diff --git a/core/configuration.md b/core/configuration.md
index 86a0c5ec6b4..0cca9817033 100644
--- a/core/configuration.md
+++ b/core/configuration.md
@@ -155,7 +155,13 @@ api_platform:
 # The nesting separator used in the filter names.
 nesting_separator: _
-
+
+ # The maximum query depth. Set to 0 to disable it. Look at http://webonyx.github.io/graphql-php/security/#limiting-query-depth
+ max_query_depth: 20
+
+ # The maximum query complexity. Set to 0 to disable it. Look at http://webonyx.github.io/graphql-php/security/#query-complexity-analysis
+ max_query_complexity: 500
+
 collection:
 pagination:
 enabled: true
diff --git a/core/graphql.md b/core/graphql.md
index b815599a0a6..2f11be7ef42 100644
--- a/core/graphql.md
+++ b/core/graphql.md
@@ -254,6 +254,38 @@ return [
 ];
 ```
+## Change Max Query Depth
+
+For security reason, the max query depth should be limited to avoid deep queries. It's set to 100 by default.
+
+### Symfony config to change the Max Query Depth
+
+If you need to change it, it can be done in the configuration:
+
+```yaml
+# api/config/packages/api_platform.yaml
+api_platform:
+ graphql:
+ max_query_depth: 7
+# ...
+```
+
+## Change Max Query Complexity
+
+For security reason, the max query complexity should be limited to avoid complex queries. It's set to 100 by default.
+
+### Symfony config to change the Max Query Complexity
+
+If you need to change it, it can be done in the configuration:
+
+```yaml
+# api/config/packages/api_platform.yaml
+api_platform:
+ graphql:
+ max_query_complexity: 50
+# ...
+```
+
 ## Request with `application/graphql` Content-Type
 If you wish to send a [POST request using the `application/graphql` Content-Type](https://graphql.org/learn/serving-over-http/#post-request),