HTTP handler should not allow mutations on GET requests

[edsrzf]

The HTTP handler should not allow mutations on HTTP GET requests. Or at least make it configurable. This is asking for a CSRF vulnerability.

Alternatively, don't allow running queries on GET requests at all. GitHub's GraphQL API, for example, does the standard introspection query when you send it a GET request.

[vektah]

Yeah, I have the same concerns.

The HTTP transport is really under-specified but I think GET is part of the spec - https://graphql.org/learn/serving-over-http/

The whole handler package probably needs a refactor, but yeah get should probably be configurable at least to disable it. Maybe even defaulted off.

From https://github.com/APIs-guru/graphql-over-http

GET requests can be used for executing ONLY queries. If the values of query and operationName indicates that a non-query operation is to be executed, the server should immediately respond with an error status code, and halt execution.

So yeah, we probably should block mutations / subscriptions