Version 5 supported

Security & best practices

Strict HTTP method checking
Ensure requests are GET or POST
CSRF protection
Protect destructive actions from cross-site request forgery
Cross-Origin Resource Sharing (CORS)
Ensure that requests to your API come from a whitelist of origins
Authentication
Ensure your GraphQL api is only accessible to provisioned users
Recursive or complex queries
Protecting against potentially malicious queries

Strict HTTP method checking

According to GraphQL best practices, mutations should be done over POST, while queries have the option to use either GET or POST. By default, this module enforces the POST request method for all mutations.

To disable that requirement, you can remove the HTTPMethodMiddleware from the QueryHandler.

SilverStripe\GraphQL\QueryHandler\QueryHandlerInterface.default:
  class: SilverStripe\GraphQL\QueryHandler\QueryHandler
  properties:
    Middlewares:
      httpMethod: false

Further reading

Strict HTTP method checking
Ensure requests are GET or POST
CSRF protection
Protect destructive actions from cross-site request forgery
Cross-Origin Resource Sharing (CORS)
Ensure that requests to your API come from a whitelist of origins
Authentication
Ensure your GraphQL api is only accessible to provisioned users
Recursive or complex queries
Protecting against potentially malicious queries
Edit on Github