Apollo GraphQL Server Lacks CSRF Prevention

Description

The Apollo GraphQL server lacks the 'csrfPrevention' option, which can enable CSRF attacks. By default, this option is 'false' in v3 of the Apollo GraphQL server.

Examples

Insecure Code

new ApolloServer({})

Secure Code

new ApolloServer({ csrfPrevention: true })

Remediation

Add 'csrfPrevention: true' to the ApolloServer options to prevent CSRF attacks.

Rule Details

Field	Value
ID	CODE-0654
Category	Web
Severity	HIGH
CWE	CWE-352
Confidence	HIGH
Impact	MEDIUM
Likelihood	MEDIUM
Exploitability	EASY
Tags	csrf, apollo-graphql
OWASP	N/A

References

https://www.apollographql.com/docs/apollo-server/v3/security/cors/#preventing-cross-site-request-forgery-csrf

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Apollo GraphQL Server Lacks CSRF Prevention

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

Apollo GraphQL Server Lacks CSRF Prevention ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

References ​

Apollo GraphQL Server Lacks CSRF Prevention

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References