Content type

Description

The Content-Type header is not set to application/json. GraphQL APIs should always return a JSON response, according to the GraphQL specification.

Remediation

Ensure that the Content-Type header is set to application/json.
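As an added example (not part of the original page or of any framework it lists), the following Python code shows both sides of this check: a small detection routine that inspects a response's headers the way a scanner would, and a helper that builds a compliant GraphQL HTTP response. Header names are matched case-insensitively, the media type is compared case-insensitively, and parameters such as charset are parsed but not enforced. The sample header sets at the bottom are constructed for illustration.

```python
"""Detect and fix a missing or wrong Content-Type on GraphQL responses."""
import json
from typing import Dict, Mapping, Optional, Tuple

# Media type the page's check expects on every GraphQL response.
REQUIRED_MEDIA_TYPE = "application/json"


def parse_media_type(value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Content-Type value into (media_type, parameters).

    'Application/JSON; charset=UTF-8' -> ('application/json', {'charset': 'utf-8'})
    """
    parts = [p.strip() for p in value.split(";")]
    media_type = parts[0].lower()
    params: Dict[str, str] = {}
    for param in parts[1:]:
        if "=" in param:
            key, val = param.split("=", 1)
            params[key.strip().lower()] = val.strip().strip('"').lower()
    return media_type, params


def check_content_type(headers: Mapping[str, str]) -> Optional[str]:
    """Return None when the response is compliant, otherwise a finding string.

    HTTP header names are case-insensitive, so the lookup ignores case.
    """
    value = None
    for name, raw in headers.items():
        if name.lower() == "content-type":
            value = raw
            break
    if value is None or not value.strip():
        return "Content-Type header is missing"
    media_type, _params = parse_media_type(value)
    if media_type != REQUIRED_MEDIA_TYPE:
        return f"Content-Type is {media_type!r}, expected {REQUIRED_MEDIA_TYPE!r}"
    return None


def graphql_response(result: dict, status: int = 200) -> Tuple[int, Dict[str, str], bytes]:
    """Build a compliant (status, headers, body) triple for a GraphQL result.

    The body is UTF-8 encoded JSON and the Content-Type is set explicitly,
    so a framework default such as text/html can never leak through.
    """
    body = json.dumps(result).encode("utf-8")
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "Content-Length": str(len(body)),
    }
    return status, headers, body


# Constructed sample responses (not captured from any real server).
SAMPLE_HEADERS = {
    "missing": {"Content-Length": "27"},
    "html": {"content-type": "text/html; charset=utf-8"},
    "plain_json": {"Content-Type": "application/json"},
    "json_with_charset": {"Content-Type": "Application/JSON; charset=UTF-8"},
}


def scan_samples() -> Dict[str, Optional[str]]:
    """Run the check over every sample and return the findings by name."""
    return {name: check_content_type(h) for name, h in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for name, finding in scan_samples().items():
        print(f"{name:18} -> {finding or 'OK'}")
    status, hdrs, body = graphql_response({"data": {"__typename": "Query"}})
    print(status, hdrs, body)
```

The scan reports the `missing` and `html` samples and accepts both JSON variants; `graphql_response` produces headers that pass the same check, which is the property to assert in a framework's integration tests so a regression in middleware ordering or an error handler that falls back to an HTML page is caught before deployment.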

GraphQL Specific

Apollo To address vulnerabilities within the Apollo framework engine, ensure that all dependencies are kept up-to-date with the latest security patches. Regularly review and follow the security guidelines provided by the Apollo documentation. Implement proper error handling to prevent information leakage and consider using security linters and tools to automatically detect potential security issues in your codebase.
Yoga To address vulnerabilities within the Yoga framework engine, ensure that all user inputs are properly sanitized and validated. Implement strict type checking and input validation routines to prevent injection attacks. Regularly update the framework to the latest version to incorporate security patches and improvements. Additionally, consider using security middleware that can provide an extra layer of protection against common web vulnerabilities.
Awsappsync To mitigate potential security risks in AWS AppSync, ensure that all GraphQL resolvers are properly configured to prevent injection attacks. Use VTL (Velocity Template Language) to sanitize and validate all input data. Implement fine-grained access control with AWS IAM and utilize AWS AppSync's built-in authorization mechanisms, such as API keys, IAM roles, or Cognito user pools, to control access to your GraphQL API. Regularly review and update your security policies to adhere to best practices.
Graphqlgo To mitigate potential security risks in a GraphQL Go framework engine, it is recommended to validate and sanitize all user inputs to prevent injection attacks. Implement proper error handling to avoid exposing sensitive information in error messages. Regularly update dependencies to patch known vulnerabilities. Additionally, consider using query complexity analysis to prevent denial-of-service attacks caused by overly complex queries.
Graphqlruby Ensure that the GraphQL Ruby framework engine is properly configured to validate and sanitize input to prevent injection attacks. Use GraphQL's built-in mechanisms to define and enforce the shape and content of queries and mutations. Avoid arbitrary code execution by using parameterized fields and resolvers, and never directly interpolate user input into query strings. Regularly update the GraphQL Ruby gem to incorporate security patches and improvements.
Hasura To mitigate potential security risks in the Hasura framework engine, ensure that all GraphQL queries are validated against a strict schema and use prepared statements or parameterized queries to prevent SQL injection attacks. Regularly update the Hasura engine to the latest version to incorporate security patches and improvements. Additionally, implement role-based access control and use environment variables for sensitive information instead of hardcoding them into the application.
Agoo Ensure the Content-Type header is set to 'application/json' in the Agoo framework to comply with GraphQL specifications.
Ariadne Ensure the Content-Type header is set to application/json in your Ariadne GraphQL API responses to comply with the GraphQL specification.
Caliban Ensure the Content-Type header is set to 'application/json' in your Caliban framework responses to comply with the GraphQL specification.
Dgraph Ensure the Content-Type header is set to 'application/json' for all GraphQL API responses in the Dgraph framework to comply with the GraphQL specification.
Dianajl Ensure the Content-Type header is set to application/json for all GraphQL API responses in the DianaJL framework engine.
Directus Ensure the Content-Type header is set to application/json for all GraphQL API responses in the Directus framework to comply with the GraphQL specification.
Flutter Ensure the Content-Type header is set to application/json in your Flutter application when making GraphQL API requests to comply with the GraphQL specification.
Graphene Ensure that the Content-Type header is set to 'application/json' in your Graphene framework responses to comply with the GraphQL specification.
Graphqlapiforwp Ensure the Content-Type header is set to 'application/json' for all GraphQL API responses in the GraphQL API for WordPress framework to comply with the GraphQL specification.
Graphqlgophergo Ensure the Content-Type header is set to 'application/json' in the GraphQLGopherGo framework to comply with the GraphQL specification for JSON responses.
Graphqljava Ensure that the Content-Type header is set to 'application/json' in the GraphQL Java framework to comply with the GraphQL specification for JSON responses.
Graphqlphp Ensure the Content-Type header is set to 'application/json' in your GraphQLPHP framework responses to comply with the GraphQL specification.
Graphqlyoga Ensure that the Content-Type header is set to 'application/json' in your GraphQL Yoga server configuration to comply with the GraphQL specification.
Hypergraphql Ensure the Content-Type header is set to 'application/json' in the HyperGraphQL framework engine to comply with the GraphQL specification for JSON responses.
Jaal Ensure the Content-Type header is set to application/json for all GraphQL API responses in the Jaal framework engine.
Juniper Ensure the Content-Type header is set to application/json for all GraphQL API responses in the Juniper framework to comply with the GraphQL specification.
Lacinia Ensure that the Lacinia framework sets the Content-Type header to 'application/json' for all GraphQL responses to comply with the GraphQL specification.
Lighthouse Ensure the Content-Type header is set to application/json for all GraphQL API responses to comply with the GraphQL specification.
Mercurius Ensure the Content-Type header is set to application/json in the Mercurius framework to comply with the GraphQL specification.
Morpheusgraphql Ensure the Content-Type header is set to 'application/json' in the MorpheusGraphQL framework to comply with the GraphQL specification for JSON responses.
Gqlgen Ensure the Content-Type header is set to 'application/json' in the gqlgen framework to comply with the GraphQL specification.
Sangria Ensure the Content-Type header is set to 'application/json' in the Sangria framework by configuring the response to include this header for all GraphQL API responses.
Shopify Ensure that the Content-Type header is set to 'application/json' for all GraphQL API responses in the Shopify framework to comply with the GraphQL specification.
Stepzen Ensure that the Content-Type header is set to 'application/json' in the StepZen framework engine to comply with the GraphQL specification for JSON responses.
Strawberry Ensure the Content-Type header is set to 'application/json' in the Strawberry framework engine to comply with GraphQL specifications.
Tartiflette Ensure the Content-Type header is set to 'application/json' in Tartiflette responses to comply with the GraphQL specification.
Wpgraphql Ensure the Content-Type header is set to 'application/json' in the wpgraphql framework to comply with the GraphQL specification and ensure proper JSON response handling.

Configuration

Identifier: protocol/graphql_content_type

Examples

Ignore this check

checks:
  protocol/graphql_content_type:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API7:2023
  • OWASP LLM: LLM02:2023
  • pci: 6.5.1
  • gdpr: Article-5
  • soc2: CC6
  • psd2: Article-97
  • iso27001: A.14.1
  • nist: SP800-95
  • fedramp: SC-7

Classification

  • CWE: 16

Score

  • CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • CVSS_SCORE: 4.3

References