Keep Apollo Server CSRF protections enabled | Critiq Docs

#Metadata

Rule ID: ts.security.apollo-server-csrf-disabled
Severity: high
Confidence: 0.88
Languages: javascript, typescript
Presets: recommended, security, strict
Stability: experimental
Applies to: block
Tags: apollo, graphql, rules-catalog, security

#Why it matters

GraphQL POST endpoints are vulnerable to cross-site writes when CSRF defenses are turned off.

#Remediation

Remove `csrfPrevention: false` or replace it with an equivalent POST-only plus preflight strategy documented by Apollo.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.apollo-server-csrf-disabled.rule.yaml.

Back to directory Open rule in repository