Server-side of graphql-http is just a handler purely implementing the GraphQL over HTTP spec (see disclaimer in readme). All other additions that go out of the GraphQL transport scope are to be implemented in user-land - exactly why graphql-http is a handler, and not a server. Anti-CSRF systems, CORS, encrypted cookies and token management are not something the core of this library intends to tackle.
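The reply above says CSRF protection belongs in user-land, in front of the handler. The following is an added example of what that layer can look like; it is not graphql-http's code and uses none of its API. It implements the standard browser-based CSRF defence for JSON APIs: a POST whose content type is one a browser can send cross-site without a CORS preflight (form encodings or text/plain) is refused unless it carries a custom header, and any request that presents an Origin header must match an allowlist. The header name `x-graphql-csrf`, the `allowedOrigins` list and the `graphqlHandler` placeholder (which stands in for whatever handler you mount at /graphql) are assumptions made for the example.

```javascript
'use strict';
// Added example, not graphql-http code: a CSRF guard layered in front of a
// GraphQL-over-HTTP handler. Plain Node, no dependencies.

// Content types a browser will send cross-site WITHOUT a CORS preflight
// (HTML forms, no-cors fetch). Any other content type forces a preflight,
// which a correct CORS policy then refuses for foreign origins.
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Custom header a same-origin client adds to every request. Browsers will
// not attach custom headers cross-site without a preflight. Name is an
// assumption for this example.
const REQUIRED_HEADER = 'x-graphql-csrf';

// "text/plain;charset=UTF-8" -> "text/plain"
function mediaType(value) {
  return String(value || '').split(';')[0].trim().toLowerCase();
}

// Returns null when the request may reach the GraphQL handler, otherwise a
// short reason string. `headers` uses Node's lowercase header names.
function csrfRejectReason(method, headers, allowedOrigins) {
  // Browsers send Origin on every cross-origin request and on same-origin
  // POSTs; non-browser clients usually omit it, so it is checked only when
  // present. The app's own origin must therefore be on the allowlist.
  const origin = headers.origin;
  if (origin !== undefined && !allowedOrigins.has(origin)) {
    return `origin ${origin} not allowed`;
  }
  // The GraphQL over HTTP spec forbids mutations over GET, and a cross-site
  // GET response cannot be read without CORS, so only non-GET needs the
  // content-type check.
  if (method === 'GET' || method === 'HEAD') return null;
  const ct = mediaType(headers['content-type']);
  if (ct === '' || SIMPLE_CONTENT_TYPES.has(ct)) {
    // A form post or no-cors fetch could have produced this request;
    // demand the custom header as proof it came from our own client code.
    if (REQUIRED_HEADER in headers) return null;
    return `simple content-type ${ct || '(none)'} without ${REQUIRED_HEADER}`;
  }
  // application/json and friends are not simple: a cross-site browser
  // request would have needed a preflight, which CORS does not grant.
  return null;
}

// Wraps any (req, res) handler. Rejected requests get 403 and never reach `next`.
function withCsrfGuard(next, { allowedOrigins = new Set() } = {}) {
  return function guarded(req, res) {
    const reason = csrfRejectReason(req.method, req.headers, allowedOrigins);
    if (reason !== null) {
      res.writeHead(403, { 'content-type': 'application/json' });
      res.end(JSON.stringify({ errors: [{ message: `CSRF check failed: ${reason}` }] }));
      return;
    }
    return next(req, res);
  };
}

// Placeholder standing in for the real GraphQL handler (assumption: in a
// deployment this would be the handler mounted at /graphql).
function graphqlHandler(req, res) {
  res.writeHead(200, { 'content-type': 'application/json' });
  res.end(JSON.stringify({ data: { ok: true } }));
}

// Mount the guarded handler on a plain Node HTTP server.
function startServer(port, allowedOrigins) {
  const http = require('node:http');
  return http
    .createServer(withCsrfGuard(graphqlHandler, { allowedOrigins }))
    .listen(port);
}
```

Usage: `startServer(4000, new Set(['https://app.example']))`, then have the front end send `x-graphql-csrf: 1` on every request. A cookie-authenticated form post from another site is rejected with 403 before the GraphQL handler runs; a JSON POST from a foreign origin is stopped earlier by the browser's preflight (and, if it somehow arrives, by the Origin check). This guard does nothing about session or token handling, which the reply above also leaves to the application.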
Hi,
graphql-http seems to be vulnerable to a CSRF attack.
Is it planned to implement an anti-CSRF system, like token management, on GraphQL endpoints?