The Apollo GraphQL server is constructed without the `csrfPrevention` option. In Apollo Server v3 this option defaults to `false`, which leaves the server open to CSRF attacks.
Apply with the Grit CLI:

```shell
grit apply graphql_v3_csrf_prevention
```
GraphQL Server v3 csrf prevention
BEFORE

```javascript
// BAD 1: Lacks 'csrfPrevention: true'
const apollo_server_1 = new ApolloServer({ typeDefs, resolvers });

// BAD 2: Has 'csrfPrevention: false'
const apollo_server_2 = new ApolloServer({
  typeDefs,
  resolvers,
  csrfPrevention: false,
});

// Good: Has 'csrfPrevention: true'
const apollo_server_3 = new ApolloServer({
  typeDefs,
  resolvers,
  csrfPrevention: true,
});
```

AFTER

```javascript
// BAD 1: Lacks 'csrfPrevention: true'
const apollo_server_1 = new ApolloServer({ typeDefs, resolvers, csrfPrevention: true });

// BAD 2: Has 'csrfPrevention: false'
const apollo_server_2 = new ApolloServer({
  typeDefs,
  resolvers,
  csrfPrevention: true,
});

// Good: Has 'csrfPrevention: true'
const apollo_server_3 = new ApolloServer({
  typeDefs,
  resolvers,
  csrfPrevention: true,
});
```