Your web application's GraphQL implementation accepts non-JSON mutations over GET requests, increasing the risk of Cross-Site Request Forgery (CSRF) attacks. While JSON-based POST requests are generally considered resistant to CSRF, non-JSON GET requests are more susceptible to this type of attack, because a browser will send them, together with the victim's cookies, from any page that embeds the URL. GraphQL mutations are operations used to modify data on the server side in a GraphQL API. While queries are used to request data from a GraphQL server, mutations are used to create, update, or delete data.
A successful CSRF attack could result in unauthorized actions being performed on behalf of authenticated users, potentially leading to data manipulation, unauthorized access, or unintended changes to the application state. This can compromise the integrity and security of your web application and may lead to unauthorized disclosure or loss of sensitive information.
Use POST for Mutations: Restrict GraphQL mutations to JSON-based POST requests to limit the CSRF attack surface.
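As an added example that is not part of this finding, the following JavaScript request guard implements the remediation above: it identifies top-level mutation operations in a GraphQL document and rejects them unless the request is a POST carrying an `application/json` body, while still allowing queries over GET. The function names (`topLevelOperationTypes`, `isMutation`, `isJsonContentType`, `checkGraphqlRequest`), the request shape and the sample requests are assumptions made for this example; it depends on no GraphQL library.

```javascript
// Added example (not from the original finding): a guard that enforces
// "mutations only over JSON POST" in front of a GraphQL endpoint.
// Function names and the request shape are assumptions for this example.

// Strip comments and string literals so the keyword scan cannot be fooled
// by the word "mutation" appearing inside a string or a # comment.
function stripLiterals(document) {
  return document
    .replace(/"""[\s\S]*?"""/g, '""')       // block strings
    .replace(/"(?:\\.|[^"\\\n])*"/g, '""')  // ordinary strings
    .replace(/#[^\n\r]*/g, '');             // comments
}

// Return the operation-type keywords found at brace/paren depth 0, i.e. the
// operation definitions themselves, not fields that happen to be named
// "mutation". The shorthand form "{ ... }" has no keyword and is a query.
function topLevelOperationTypes(document) {
  const types = [];
  let depth = 0;
  let word = '';
  const flush = () => {
    if (depth === 0 && ['query', 'mutation', 'subscription'].includes(word)) {
      types.push(word);
    }
    word = '';
  };
  for (const ch of stripLiterals(document)) {
    if (ch === '{' || ch === '(') { flush(); depth += 1; }
    else if (ch === '}' || ch === ')') { flush(); depth -= 1; }
    else if (/[A-Za-z0-9_]/.test(ch)) { word += ch; }
    else { flush(); }
  }
  flush();
  return types;
}

// A document containing any mutation definition is treated as a mutation,
// even if other operations are present; this errs on the strict side.
function isMutation(document) {
  return typeof document === 'string' &&
    topLevelOperationTypes(document).includes('mutation');
}

// True only for the application/json media type; parameters such as
// charset are ignored. Form and text types are what an HTML form can send.
function isJsonContentType(contentType) {
  if (!contentType) return false;
  return contentType.split(';')[0].trim().toLowerCase() === 'application/json';
}

// Decide whether a request may reach the GraphQL executor.
// request = { method, contentType, document }, where document is the
// GraphQL text taken from ?query= (GET) or from the JSON body (POST).
function checkGraphqlRequest(request) {
  const method = String(request.method || '').toUpperCase();
  const document = request.document;
  if (typeof document !== 'string' || document.trim() === '') {
    return { allowed: false, status: 400, reason: 'missing GraphQL document' };
  }
  if (isMutation(document)) {
    if (method !== 'POST') {
      return { allowed: false, status: 405, reason: 'mutations require POST' };
    }
    if (!isJsonContentType(request.contentType)) {
      return { allowed: false, status: 415, reason: 'mutations require application/json' };
    }
  }
  return { allowed: true, status: 200, reason: 'ok' };
}

// Constructed sample requests (not real traffic) covering the cases above.
const mutationDoc = 'mutation { changeEmail(email: "a@example.test") { ok } }';
const samples = [
  { method: 'GET', contentType: undefined, document: mutationDoc },
  { method: 'POST', contentType: 'application/x-www-form-urlencoded', document: mutationDoc },
  { method: 'POST', contentType: 'application/json; charset=utf-8', document: mutationDoc },
  { method: 'GET', contentType: undefined, document: '{ me { id email } }' },
];
for (const s of samples) {
  console.log(s.method, s.contentType || '-', '=>', JSON.stringify(checkGraphqlRequest(s)));
}
```

The guard inspects the parsed operation rather than trusting the HTTP method alone, so a mutation smuggled into a `?query=` parameter or into a form-encoded body is refused before execution, while ordinary read-only queries over GET keep working.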

