Content type
Description
The Content-Type header of the GraphQL response is not set to application/json. GraphQL responses are JSON documents: the GraphQL specification names JSON as the preferred serialization format, and the GraphQL over HTTP specification requires servers to return JSON with a JSON media type (application/json, or application/graphql-response+json when the client requests it through the Accept header). A response without a JSON media type, or with a wrong one such as text/html, can be content-sniffed and rendered by a browser, so any attacker-controlled string echoed in the body (an error message, a field name from the query, a stored value) can become a cross-site scripting vector on an endpoint reachable with GET, and strict clients that validate the media type may reject the response outright.
Remediation
Ensure that the Content-Type header is set to application/json (or application/graphql-response+json, optionally with a charset=utf-8 parameter) on every GraphQL response, including error responses, and add X-Content-Type-Options: nosniff so browsers do not second-guess it. Verify the header as seen by the client, not only in the application: reverse proxies, CDNs and load-balancer error pages frequently replace it with text/html.
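The following JavaScript is an added example, not code from this page or from any of the frameworks discussed below. It shows the check this page describes as a function over a response's headers (with a small Content-Type parser that copes with parameters such as charset and with case differences), a scanner-style audit that reports the identifier protocol/graphql_content_type, and a weak response builder next to a hardened one that picks application/json or application/graphql-response+json from the Accept header and adds X-Content-Type-Options: nosniff. The response shape, the sample error message and the missing-nosniff finding name are constructed for the example.

```javascript
// Added example (not code from the original page or from any GraphQL framework).
// Header names are lowercase, as Node's http module exposes them; the response
// shape {status, headers, body} is a constructed stand-in for a framework object.

// Media types the GraphQL over HTTP specification allows for GraphQL responses.
const JSON_MEDIA_TYPES = new Set([
  'application/json',
  'application/graphql-response+json',
]);

// type/subtype made of RFC 9110 token characters (case-insensitive, lowercased before use).
const MEDIA_TYPE_RE = /^[!#$%&'*+.^_`|~0-9a-z-]+\/[!#$%&'*+.^_`|~0-9a-z-]+$/;

// Parse "type/subtype; name=value; name="quoted"" into {type, params}.
// Returns null for a missing header or a value that is not a media type.
function parseContentType(value) {
  if (typeof value !== 'string') return null;
  const [mediaType, ...paramParts] = value.split(';');
  const type = mediaType.trim().toLowerCase();
  if (!MEDIA_TYPE_RE.test(type)) return null;
  const params = {};
  for (const part of paramParts) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim().toLowerCase();
    let val = part.slice(eq + 1).trim();
    if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
    params[name] = val;
  }
  return { type, params };
}

// The check itself: is there a Content-Type header, and is it a JSON media type?
// A missing header, an unparsable value, text/html and the deprecated
// application/graphql+json all count as failures.
function hasJsonContentType(headers) {
  const parsed = parseContentType(headers['content-type']);
  return parsed !== null && JSON_MEDIA_TYPES.has(parsed.type);
}

// Scanner-style audit of one response: returns the identifiers of failed checks.
// The nosniff check is extra hardening added here, not a check from the page.
function auditResponse(res) {
  const findings = [];
  if (!hasJsonContentType(res.headers)) findings.push('protocol/graphql_content_type');
  if ((res.headers['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('missing-nosniff');
  }
  return findings;
}

// Weak: the body is JSON, but no media type is declared, so a browser or an
// intermediary is free to sniff it. When an error message echoes part of the
// query, a GET-able endpoint answering like this is an XSS vector.
function weakGraphqlResponse(result) {
  return { status: 200, headers: {}, body: JSON.stringify(result) };
}

// Hardened: always JSON, media type negotiated from Accept, sniffing forbidden.
function hardenedGraphqlResponse(result, acceptHeader = '') {
  const accept = acceptHeader.toLowerCase();
  const mediaType = accept.includes('application/graphql-response+json')
    ? 'application/graphql-response+json'
    : 'application/json';
  return {
    status: 200,
    headers: {
      'content-type': `${mediaType}; charset=utf-8`,
      'x-content-type-options': 'nosniff',
    },
    body: JSON.stringify(result),
  };
}

// Constructed sample: a validation error that echoes a field name from the query.
const sampleResult = {
  errors: [{ message: 'Cannot query field "<img src=x onerror=alert(1)>" on type "Query".' }],
};

console.log(auditResponse(weakGraphqlResponse(sampleResult)));     // [ 'protocol/graphql_content_type', 'missing-nosniff' ]
console.log(auditResponse(hardenedGraphqlResponse(sampleResult))); // []
```

Run it with node. The content negotiation in the hardened builder is deliberately minimal: it only looks for application/graphql-response+json in Accept and otherwise falls back to application/json, which the GraphQL over HTTP specification requires every server to support.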
GraphQL Specific
Apollo
Apollo Server sets Content-Type to application/json (or application/graphql-response+json when the request's Accept header asks for it) on the responses it produces itself. If this check fires, look at what surrounds it: custom Express or Fastify middleware, a reverse proxy or CDN rewriting headers, or an error path (a framework 404 or 500 page, a body-parser failure) that answers before Apollo does. Headers can be set or corrected on every GraphQL response from a plugin's willSendResponse hook through requestContext.response.http.headers. Keep Apollo Server and its dependencies patched, and keep stack traces out of error responses (the includeStacktraceInErrorResponses option) so the JSON body does not leak internals.
Yoga
GraphQL Yoga negotiates the response media type from the Accept header and returns application/json or application/graphql-response+json, so a wrong or missing Content-Type usually comes from the HTTP framework the Yoga handler is mounted in, or from a proxy in front of it. Response headers can be inspected and adjusted in a Yoga plugin's onResponse hook. Keep Yoga updated, keep its error masking (on by default) enabled, and keep validating and type-checking inputs in resolvers; a correct media type does not by itself stop injection into the data sources behind the API.
Awsappsync
AWS AppSync is a managed service and serves its GraphQL responses as JSON with Content-Type: application/json. If this check fires, the header was altered downstream: inspect any CloudFront distribution, custom domain or WAF configuration in front of the API for response header policies or error pages that replace Content-Type. Continue to enforce authorization with AppSync's built-in modes (API keys, IAM, Cognito user pools, OIDC or Lambda authorizers) and to validate inputs in your VTL or JavaScript resolvers, and review these policies regularly.
Graphqlgo
The HTTP handlers shipped with the common Go GraphQL libraries set Content-Type: application/json before writing the result. If you write your own net/http handler around the library's execution function, set the header explicitly with w.Header().Set before encoding the result, and make sure the error branches (parse and validation failures, bad request bodies) do so as well; replying through http.Error produces text/plain. Keep dependencies patched, keep internal detail out of error messages, and add query depth and complexity limits to blunt resource-exhaustion queries.
Graphqlruby
In a Rails application, render json: MySchema.execute(...) sets Content-Type to application/json; rendering the result with render plain: or writing the serialized hash to the response body yourself drops the header. Also check rescue_from handlers and Rack middleware that may answer errors with HTML. Beyond the header, keep GraphQL-Ruby's own protections in place: schema-level max_depth and max_complexity limits, typed arguments rather than string interpolation of user input into query strings or SQL, and regular updates of the graphql gem for security patches.
Hasura
Hasura GraphQL Engine returns application/json on its GraphQL endpoint, so a wrong media type typically comes from a load balancer, ingress or CDN in front of it rewriting or replacing responses (for example an HTML error page on an upstream timeout). Keep the engine updated, keep role-based permissions and query allow-lists configured, and pass secrets such as the admin secret through environment variables rather than hardcoding them in configuration files.
Configuration
Identifier:
protocol/graphql_content_type
Examples
Ignore this check
checks:
  protocol/graphql_content_type:
    skip: true
Score
- Escape Severity: LOW
Compliance
OWASP: API7:2023
pci: 6.5.1
gdpr: Article-5
soc2: CC6
psd2: Article-97
iso27001: A.14.1
nist: SP800-95
fedramp: SC-7
Classification
- CWE: 16
Score
- CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- CVSS_SCORE: 4.3