
security.misconfiguration

Pair GraphQL multipart uploads with CSRF-safe server posture

Legacy GraphQL multipart upload helpers should not run alongside Apollo Server configurations that disable CSRF protections.

# Metadata

| Field | Value |
| --- | --- |
| Rule ID | `ts.security.graphql-upload-without-csrf-guard` |
| Severity | high |
| Confidence | 0.8 |
| Languages | javascript, typescript |
| Presets | recommended, security, strict |
| Stability | experimental |
| Applies to | block |
| Tags | graphql, rules-catalog, security |

# Why it matters

Multipart GraphQL requests complicate browser CSRF defenses: `multipart/form-data` is a content type browsers will send cross-origin from a plain HTML form without a CORS preflight, so a forged form post can reach the upload endpoint with the victim's cookies attached. Apollo Server's CSRF prevention exists to reject such requests unless they carry a header that forces a preflight; when it is explicitly disabled, upload middleware is a high-risk combination for cross-site writes.

# Remediation

Keep Apollo `csrfPrevention` enabled (the default in supported releases), add an explicit preflight header policy, or move uploads behind authenticated, non-browser APIs.
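The following is an added example, not the rule's implementation and not Apollo Server code. It models the posture the rule reasons about (a server config object with Apollo's `csrfPrevention` option beside a mounted legacy multipart upload helper) and the preflight-header policy that the remediation refers to; the `ServerPosture` shape and the `isUnsafePosture` / `passesPreflightPolicy` helpers are assumptions made for illustration, while the content types and default header names mirror what Apollo's CSRF prevention checks.

```typescript
// Added example (not Critiq's rule code, not Apollo Server code).

type CsrfPrevention = boolean | { requestHeaders: string[] };

// Hypothetical shape capturing the two settings the rule pairs together.
interface ServerPosture {
  csrfPrevention?: CsrfPrevention; // Apollo Server option; undefined means the default (enabled)
  multipartUploads: boolean;       // is a legacy graphql-upload style helper mounted?
}

// Content types a browser may send cross-origin without a CORS preflight.
const SIMPLE_CONTENT_TYPES = [
  "text/plain",
  "multipart/form-data",
  "application/x-www-form-urlencoded",
];

// Headers whose presence forces a preflight (Apollo's documented defaults).
const DEFAULT_PREFLIGHT_HEADERS = ["x-apollo-operation-name", "apollo-require-preflight"];

// The misconfiguration this rule flags: uploads enabled while CSRF prevention is off.
function isUnsafePosture(p: ServerPosture): boolean {
  return p.multipartUploads && p.csrfPrevention === false;
}

// Explicit preflight policy: accept a request only if its content type is not
// "simple" or if it carries one of the preflight-forcing headers.
function passesPreflightPolicy(
  headers: Record<string, string>,
  requestHeaders: string[] = DEFAULT_PREFLIGHT_HEADERS,
): boolean {
  const lower: Record<string, string> = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const ct = (lower["content-type"] ?? "").split(";")[0].trim().toLowerCase();
  const simple = ct === "" || SIMPLE_CONTENT_TYPES.includes(ct);
  if (!simple) return true;
  return requestHeaders.some((h) => h.toLowerCase() in lower);
}

// Constructed sample postures: the flagged one and its corrected form.
const weakPosture: ServerPosture = { csrfPrevention: false, multipartUploads: true };
const fixedPosture: ServerPosture = {
  csrfPrevention: { requestHeaders: DEFAULT_PREFLIGHT_HEADERS },
  multipartUploads: true,
};
```

A multipart request from a cross-origin form arrives with no custom headers, so `passesPreflightPolicy` rejects it; a legitimate upload client that sets `Apollo-Require-Preflight: true` is accepted.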

# Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/typescript/ts.security.graphql-upload-without-csrf-guard.rule.yaml`.