This repository was archived by the owner on Oct 25, 2021. It is now read-only.

Provide configuration to disable the GET HTTP method, and consider disabling it by default #28

Closed

Description

@mcohen75

Since a GraphQL query can contain mutations, allowing the GET HTTP method opens the door for CSRF attacks in certain configurations.

When GET is allowed for APIs that use HTTP Cookies, a malicious actor can trick another user into clicking a link containing a GraphQL query that mutates state. Of course it’s important to note that disallowing GET is not sufficient to prevent all CSRF attacks.

See the GET scenario in OWASP's CSRF article for more details.

For an API to be susceptible to this type of attack:

  1. CORS must be configured to allow credentials.
  2. CORS must be configured to allow all origins.
  3. Authentication must be accomplished via HTTP Cookies.

1 and 2 are very common for APIs. 3 is less common (and a bad idea) but still used.

Since GraphQL clients tend to prefer the POST method, disabling the GET method is possible with little (no?) fallout.

Are the project maintainers open to this change? If so I am willing to do the work.
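The policy proposed above, as an added example that is not code from this repository: a transport-agnostic pre-handler that rejects GET by default and, when GET is explicitly enabled, still refuses any document that could execute a mutation or subscription. The `allowGet` option name and the `{ method, document }` request shape are assumptions for the example.

```javascript
// Added example: enforce "no GET for GraphQL" (default) and "no state-changing
// operations over GET" (if GET is enabled). Not part of the project's code.

function isReadOnlyDocument(source) {
  // Drop GraphQL line comments ("# ...") before inspecting the document.
  const stripped = source.replace(/#[^\n\r]*/g, "").trim();
  // Deliberately conservative: a document with several operations plus an
  // operationName could select a mutation, so any mutation/subscription
  // keyword anywhere disqualifies the document (false rejections are
  // acceptable; false acceptances are not).
  if (/\b(mutation|subscription)\b/.test(stripped)) return false;
  // Per spec, a document starting with "{" is an anonymous query.
  return /^query\b/.test(stripped) || stripped.startsWith("{");
}

// req: { method: string, document: string } (assumed shape; the document is
// the GraphQL source from the "query" URL parameter or the POST body).
// config.allowGet defaults to false, i.e. GET disabled unless opted in.
function checkGraphqlRequest(req, config = {}) {
  const allowGet = config.allowGet === true;
  const method = String(req.method || "").toUpperCase();

  if (method === "POST") {
    return { ok: true, status: 200 };
  }
  if (method !== "GET") {
    return { ok: false, status: 405, reason: "method not allowed" };
  }
  if (!allowGet) {
    // Default posture from the issue: a link click (GET) can never run a
    // GraphQL document, which removes the cookie-based CSRF-via-link path.
    return { ok: false, status: 405, reason: "GET is disabled for GraphQL" };
  }
  if (!isReadOnlyDocument(req.document || "")) {
    return { ok: false, status: 405, reason: "only queries may use GET" };
  }
  return { ok: true, status: 200 };
}

module.exports = { isReadOnlyDocument, checkGraphqlRequest };
```

Disabling GET only closes the link-click path; the issue itself notes that other CSRF defences (origin checks, non-cookie auth) remain necessary.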
