Security & best practices
- Authentication: ensure your GraphQL API is only accessible to provisioned users
- Cross-Origin Resource Sharing (CORS): ensure that requests to your API come from a whitelist of origins
- Strict HTTP method checking: ensure requests are GET or POST
- CSRF protection: protect destructive actions from cross-site request forgery
- Recursive or complex queries: protecting against potentially malicious queries
Strict HTTP method checking
According to GraphQL best practices, mutations should be done over POST, while queries have the option to use either GET or POST. By default, this module enforces the POST request method for all mutations.

To disable that requirement, you can remove the HTTPMethodMiddleware from the QueryHandler:
```yml
SilverStripe\GraphQL\QueryHandler\QueryHandlerInterface.default:
  class: SilverStripe\GraphQL\QueryHandler\QueryHandler
  properties:
    Middlewares:
      httpMethod: false
```
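The rule the middleware enforces (GET or POST only, and POST for anything that contains a mutation) is easy to reproduce outside the module. The following is an added, stand-alone sketch in Python, not the module's `HTTPMethodMiddleware`; the function names `operation_types` and `check_http_method` and the sample documents are assumptions made for this illustration. It goes slightly beyond the single-operation case by scanning every top-level operation in a document, so a mutation hidden behind a leading query or fragment is still caught.

```python
import re

OPERATION_KEYWORDS = ("query", "mutation", "subscription")


def operation_types(document: str) -> list:
    """Return the operation types defined at the top level of a GraphQL document.

    Comments and string literals are blanked first so braces inside them do not
    confuse the depth tracking. The anonymous shorthand `{ ... }` counts as a
    query (as the GraphQL spec defines it); `fragment` definitions are skipped.
    This is a constructed, simplified scanner, not the module's own check.
    """
    text = re.sub(r"#[^\n]*", "", document)
    text = re.sub(r'"(?:[^"\\]|\\.)*"', '""', text)
    ops, depth, words = [], 0, []
    for tok in re.findall(r"[A-Za-z_]\w*|[{}()]", text):
        if tok == "{":
            if depth == 0:
                first = words[0] if words else None
                if first in OPERATION_KEYWORDS:
                    ops.append(first)
                elif first != "fragment":
                    ops.append("query")  # anonymous shorthand
                words = []
            depth += 1
        elif tok == "}":
            depth -= 1
        elif depth == 0 and tok not in ("(", ")"):
            words.append(tok)  # names, variable types, directives before the body
    return ops


def check_http_method(method: str, document: str, enforce_post_for_mutations: bool = True):
    """Return None when the request may proceed, otherwise the rejection reason.

    `enforce_post_for_mutations=False` mirrors disabling the middleware: any
    GET or POST request is then accepted regardless of operation type.
    """
    method = method.upper()
    if method not in ("GET", "POST"):
        return f"HTTP method {method} is not allowed; use GET or POST"
    if enforce_post_for_mutations and method == "GET" and "mutation" in operation_types(document):
        return "Mutations must be sent over POST"
    return None
```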