HTTP handler should not allow mutations on GET requests #317
Comments
Yeah, I have the same concerns. The HTTP transport is really under-specified but I think GET is part of the spec - https://graphql.org/learn/serving-over-http/ The whole handler package probably needs a refactor, but yeah GET should probably be configurable at least to disable it. Maybe even defaulted off. From https://github.com/APIs-guru/graphql-over-http
So yeah, we probably should block mutations / subscriptions
This mitigates the risk of CSRF attacks. Closes 99designs#317.
The HTTP handler should not allow mutations on HTTP GET requests. Or at least make it configurable. This is asking for a CSRF vulnerability.
Alternatively, don't allow running queries on GET requests at all. GitHub's GraphQL API, for example, does the standard introspection query when you send it a GET request.
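Added example, not gqlgen's code and not from anyone in this thread: a standard-library Go middleware showing the fail-closed version of what the issue asks for. On GET it scans the `query` parameter and refuses the whole document with 405 if it defines any mutation or subscription, regardless of `operationName` (so a document like `query A {...} mutation B {...}` with `operationName=A` is also refused; that is stricter than the spec requires, but it avoids the trap of only looking at the first definition). POST is passed through untouched. The `nonQueryOperation` lexer, `ReadOnlyGET`, `statusFor` and the sample documents are all hypothetical names written for this example; a real handler should take the operation type from its parser rather than from a lexer like this one.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

func isName(c byte) bool {
	return c == '_' || c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9'
}

// nonQueryOperation returns the first top-level "mutation" or "subscription"
// keyword in a GraphQL document, or "" when every operation is a query. It is a
// small lexer written for this example (comments, strings, directives, bracket
// depth), not a full parser, and it returns an error on unbalanced brackets.
func nonQueryOperation(doc string) (string, error) {
	depth := 0 // current () and {} nesting; keywords only count at depth 0
	for i := 0; i < len(doc); {
		switch c := doc[i]; {
		case c == '#': // comment runs to end of line
			for i < len(doc) && doc[i] != '\n' {
				i++
			}
		case c == '"': // string: skip to the closing quote, honouring escapes
			for i++; i < len(doc) && doc[i] != '"'; i++ {
				if doc[i] == '\\' {
					i++
				}
			}
			i++
		case c == '{' || c == '(':
			depth++
			i++
		case c == '}' || c == ')':
			if depth == 0 {
				return "", errors.New("unbalanced brackets")
			}
			depth--
			i++
		case isName(c) || c == '@': // identifier/number, or a directive "@name" (never a keyword)
			start := i
			for i++; i < len(doc) && isName(doc[i]); i++ {
			}
			if word := doc[start:i]; depth == 0 && (word == "mutation" || word == "subscription") {
				return word, nil
			}
		default:
			i++
		}
	}
	if depth != 0 {
		return "", errors.New("unbalanced brackets")
	}
	return "", nil
}

// ReadOnlyGET wraps a GraphQL handler so that GET can only carry query
// operations. A document that defines any mutation or subscription is refused
// with 405 regardless of operationName (fail closed), a malformed one with 400.
// POST is passed through untouched for the real handler to validate.
func ReadOnlyGET(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet {
			op, err := nonQueryOperation(r.URL.Query().Get("query"))
			if err != nil {
				http.Error(w, err.Error(), http.StatusBadRequest)
				return
			}
			if op != "" {
				w.Header().Set("Allow", http.MethodPost)
				http.Error(w, op+" operations are not allowed over GET", http.StatusMethodNotAllowed)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one request through the wrapped handler and returns the status code.
func statusFor(method, target string) int {
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, `{"data":{}}`) // stand-in for the real GraphQL executor
	})
	rr := httptest.NewRecorder()
	ReadOnlyGET(backend).ServeHTTP(rr, httptest.NewRequest(method, target, nil))
	return rr.Code
}

func main() {
	for _, q := range []string{"{ me { id } }", "mutation { deleteUser(id: 1) { id } }"} {
		target := "/graphql?" + url.Values{"query": {q}}.Encode()
		fmt.Printf("GET %-40q -> %d\n", q, statusFor(http.MethodGet, target))
	}
}
```

The check is deliberately applied before the real handler runs anything, and it only ever tightens GET; the mutation still works over POST, where the JSON body plus a custom header or SameSite cookies gives the usual CSRF protections. If you would rather follow the GitHub behaviour mentioned in the issue, the same middleware can simply refuse every GET that carries a `query` parameter.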