
Warning

This server is no longer tested automatically by the CI. See #121

* This report was auto-generated by graphql-http

GraphQL over HTTP audit report

  • 60 audits in total
  • 39 pass
  • 💡 18 notices (suggestions)
  • ⚠️ 3 warnings (optional)

Passing

  1. 22EB SHOULD accept application/graphql-response+json and match the content-type
  2. 4655 MUST accept application/json and match the content-type
  3. 47DE SHOULD accept */* and use application/json for the content-type
  4. 80D8 SHOULD assume application/json content-type when accept is missing
  5. 82A3 MUST use utf-8 encoding when responding
  6. BF61 MUST accept utf-8 encoded request
  7. 78D5 MUST assume utf-8 in request if encoding is unspecified
  8. 2C94 MUST accept POST requests
  9. 5A70 MAY accept application/x-www-form-urlencoded formatted GET requests
  10. 9C48 MAY NOT allow executing mutations on GET requests
  11. 9ABE MAY respond with 4xx status code if content-type is not supplied on POST requests
  12. 03D4 MUST accept application/json POST requests
  13. A5BF MAY use 400 status code when request body is missing on POST
  14. 423L MAY use 400 status code on missing {query} parameter
  15. 34A2 SHOULD allow string {query} parameter when accepting application/graphql-response+json
  16. 13EE MUST allow string {query} parameter when accepting application/json
  17. 8161 SHOULD allow string {operationName} parameter when accepting application/graphql-response+json
  18. B8B3 MUST allow string {operationName} parameter when accepting application/json
  19. 94B0 SHOULD allow null {variables} parameter when accepting application/graphql-response+json
  20. 0220 MUST allow null {variables} parameter when accepting application/json
  21. 94B1 SHOULD allow null {operationName} parameter when accepting application/graphql-response+json
  22. 0221 MUST allow null {operationName} parameter when accepting application/json
  23. 94B2 SHOULD allow null {extensions} parameter when accepting application/graphql-response+json
  24. 0222 MUST allow null {extensions} parameter when accepting application/json
  25. 2EA1 SHOULD allow map {variables} parameter when accepting application/graphql-response+json
  26. 28B9 MUST allow map {variables} parameter when accepting application/json
  27. D6D5 MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json
  28. 6A70 MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json
  29. 428F SHOULD allow map {extensions} parameter when accepting application/graphql-response+json
  30. 1B7A MUST allow map {extensions} parameter when accepting application/json
  31. B6DC MAY use 4xx or 5xx status codes on JSON parsing failure
  32. BCF8 MAY use 400 status code on JSON parsing failure
  33. 7B9B SHOULD use a status code of 200 on variable coercion failure when accepting application/json
  34. 865D SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json
  35. 556A SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json
  36. D586 SHOULD not contain the data entry on document parsing failure when accepting application/graphql-response+json
  37. 51FE SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json
  38. 74FF SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json
  39. 5E5B SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json

Notices

The server MAY support these, but they are truly optional. These are suggestions following recommended conventions.
  1. LKJ0 MAY use 400 status code on object {query} parameter
    Response status code is not 400
    {
      "statusText": "OK",
      "status": 200,
      "headers": {
        "date": "",
        "content-type": "application/json; charset=utf-8",
        "content-length": "65",
        "connection": "keep-alive"
      },
      "body": {
        "errors": [
          {
            "path": [],
            "message": "Invalid GraphQL request form"
          }
        ]
      }
    }
    
  2. LKJ1 MAY use 400 status code on number {query} parameter
    Response status code is not 400
    {
      "statusText": "OK",
      "status": 200,
      "headers": {
        "date": "",
        "content-type": "application/json; charset=utf-8",
        "content-length": "65",
        "connection": "keep-alive"
      },
      "body": {
        "errors": [
          {
            "path": [],
            "message": "Invalid GraphQL request form"
          }
        ]
      }
    }
    
  3. LKJ2 MAY use 400 status code on boolean {query} parameter
    Response status code is not 400
    {
      "statusText": "OK",
      "status": 200,
      "headers": {
        "date": "",
        "content-type": "application/json; charset=utf-8",
        "content-length": "65",
        "connection": "keep-alive"
      },
      "body": {
        "errors": [
          {
            "path": [],
            "message": "Invalid GraphQL request form"
          }
        ]
      }
    }
    
  4. LKJ3 MAY use 400 status code on array {query} parameter
    Response status code is not 400
    {
      "statusText": "OK",
      "status": 200,
      "headers": {
        "date": "",
        "content-type": "application/json; charset=utf-8",
        "content-length": "65",
        "connection": "keep-alive"
      },
      "body": {
        "errors": [
          {
            "path": [],
            "message": "Invalid GraphQL request form"
          }
        ]
      }
    }
    
  5. 6C00 MAY use 400 status code on object {operationName} parameter
    Response status code is not 400
    {
      "statusText": "OK",
      "status": 200,
      "headers": {
        "date": "",
        "content-type": "application/json; charset=utf-8",
        "content-length": "65",
        "connection": "keep-alive"
      },
      "body": {
        "errors": [
          {
            "path": [],
            "message": "Invalid GraphQL request form"
          }
        ]
      }
    }
    
  6. 6C01 MAY use 400 status code on number {operationName} parameter
    Response status code is not 400
    {
      "statusText": "OK",
      "status": 200,
      "headers": {
        "date": "",
        "content-type": "application/json; charset=utf-8",
        "content-length": "65",
        "connection": "keep-alive"
      },
      "body": {
        "errors": [
          {
            "path": [],
            "message": "Invalid GraphQL request form"
          }
        ]
      }
    }
    
  7. 6C02 MAY use 400 status code on boolean {operationName} parameter
    Response status code is not 400
    {
      "statusText": "OK",
      "status": 200,
      "headers": {
        "date": "",
        "content-type": "application/json; charset=utf-8",
        "content-length": "65",
        "connection": "keep-alive"
      },
      "body": {
        "errors": [
          {
            "path": [],
            "message": "Invalid GraphQL request form"
          }
        ]
      }
    }
    
  8. 6C03 MAY use 400 status code on array {operationName} parameter
    Response status code is not 400
    {
      "statusText": "OK",
      "status": 200,
      "headers": {
        "date": "",
        "content-type": "application/json; charset=utf-8",
        "content-length": "65",
        "connection": "keep-alive"
      },
      "body": {
        "errors": [
          {
            "path": [],
            "message": "Invalid GraphQL request form"
          }
        ]
      }
    }
    
  9. 4760 MAY use 400 status code on string {variables} parameter
    Response status code is not 400
    {
      "statusText": "OK",
      "status": 200,
      "headers": {
        "date": "",
        "content-type": "application/json; charset=utf-8",
        "content-length": "65",
        "connection": "keep-alive"
      },
      "body": {
        "errors": [
          {
            "path": [],
            "message": "Invalid GraphQL request form"
          }
        ]
      }
    }
    
  10. 4761 MAY use 400 status code on number {variables} parameter
    Response status code is not 400
    {
      "statusText": "OK",
      "status": 200,
      "headers": {
        "date": "",
        "content-type": "application/json; charset=utf-8",
        "content-length": "65",
        "connection": "keep-alive"
      },
      "body": {
        "errors": [
          {
            "path": [],
            "message": "Invalid GraphQL request form"
          }
        ]
      }
    }
    
  11. 4762 MAY use 400 status code on boolean {variables} parameter
    Response status code is not 400
    {
      "statusText": "OK",
      "status": 200,
      "headers": {
        "date": "",
        "content-type": "application/json; charset=utf-8",
        "content-length": "65",
        "connection": "keep-alive"
      },
      "body": {
        "errors": [
          {
            "path": [],
            "message": "Invalid GraphQL request form"
          }
        ]
      }
    }
    
  12. 4763 MAY use 400 status code on array {variables} parameter
    Response status code is not 400
    {
      "statusText": "OK",
      "status": 200,
      "headers": {
        "date": "",
        "content-type": "application/json; charset=utf-8",
        "content-length": "65",
        "connection": "keep-alive"
      },
      "body": {
        "errors": [
          {
            "path": [],
            "message": "Invalid GraphQL request form"
          }
        ]
      }
    }
    
  13. 58B0 MAY use 400 status code on string {extensions} parameter
    Response status code is not 400
    {
      "statusText": "OK",
      "status": 200,
      "headers": {
        "date": "",
        "content-type": "application/json; charset=utf-8",
        "content-length": "65",
        "connection": "keep-alive"
      },
      "body": {
        "errors": [
          {
            "path": [],
            "message": "Invalid GraphQL request form"
          }
        ]
      }
    }
    
  14. 58B1 MAY use 400 status code on number {extensions} parameter
    Response status code is not 400
    {
      "statusText": "OK",
      "status": 200,
      "headers": {
        "date": "",
        "content-type": "application/json; charset=utf-8",
        "content-length": "65",
        "connection": "keep-alive"
      },
      "body": {
        "errors": [
          {
            "path": [],
            "message": "Invalid GraphQL request form"
          }
        ]
      }
    }
    
  15. 58B2 MAY use 400 status code on boolean {extensions} parameter
    Response status code is not 400
    {
      "statusText": "OK",
      "status": 200,
      "headers": {
        "date": "",
        "content-type": "application/json; charset=utf-8",
        "content-length": "65",
        "connection": "keep-alive"
      },
      "body": {
        "errors": [
          {
            "path": [],
            "message": "Invalid GraphQL request form"
          }
        ]
      }
    }
    
  16. 58B3 MAY use 400 status code on array {extensions} parameter
    Response status code is not 400
    {
      "statusText": "OK",
      "status": 200,
      "headers": {
        "date": "",
        "content-type": "application/json; charset=utf-8",
        "content-length": "65",
        "connection": "keep-alive"
      },
      "body": {
        "errors": [
          {
            "path": [],
            "message": "Invalid GraphQL request form"
          }
        ]
      }
    }
    
  17. 8764 MAY use 4xx or 5xx status codes if parameters are invalid
    Response status is not between 400 and 599
    {
      "statusText": "OK",
      "status": 200,
      "headers": {
        "date": "",
        "content-type": "application/json; charset=utf-8",
        "content-length": "60",
        "connection": "keep-alive"
      },
      "body": {
        "errors": [
          {
            "path": [],
            "message": "Missing query parameter"
          }
        ]
      }
    }
    
  18. 3E3A MAY use 400 status code if parameters are invalid
    Response status code is not 400
    {
      "statusText": "OK",
      "status": 200,
      "headers": {
        "date": "",
        "content-type": "application/json; charset=utf-8",
        "content-length": "60",
        "connection": "keep-alive"
      },
      "body": {
        "errors": [
          {
            "path": [],
            "message": "Missing query parameter"
          }
        ]
      }
    }
    

Warnings

The server SHOULD support these, but it is not required to.
  1. 572B SHOULD use 200 status code on document parsing failure when accepting application/json
    Response status code is not 200
    {
      "statusText": "Bad Request",
      "status": 400,
      "headers": {
        "date": "",
        "content-type": "application/json; charset=utf-8",
        "content-length": "95",
        "connection": "keep-alive"
      },
      "body": {
        "errors": [
          {
            "path": [],
            "message": "Operation of this type is not allowed and has been blocked"
          }
        ]
      }
    }
    
  2. FDE2 SHOULD use 200 status code on document validation failure when accepting application/json
    Response status code is not 200
    {
      "statusText": "Bad Request",
      "status": 400,
      "headers": {
        "date": "",
        "content-type": "application/json; charset=utf-8",
        "content-length": "95",
        "connection": "keep-alive"
      },
      "body": {
        "errors": [
          {
            "path": [],
            "message": "Operation of this type is not allowed and has been blocked"
          }
        ]
      }
    }
    
  3. 86EE SHOULD use a status code of 400 on variable coercion failure when accepting application/graphql-response+json
    Response status code is not 400
    {
      "statusText": "OK",
      "status": 200,
      "headers": {
        "date": "",
        "content-type": "application/graphql-response+json; charset=utf-8, application/graphql-response+json",
        "content-length": "136",
        "connection": "keep-alive"
      },
      "body": {
        "errors": [
          {
            "path": [],
            "message": "Variable \"$id\" is never used in operation \"CoerceFailure\".",
            "locations": [
              {
                "line": 1,
                "column": 21
              }
            ]
          }
        ]
      }
    }