scotty79 a day ago

> when a server receives an input object, that object will conform to the type

Anything that comes from the front end can be tampered with. The server is guaranteed nothing.

> GraphQL always prunes return objects to just the fields requested, which most other API tech doesn't do, and this can be a really nice security benefit.

Requests can be tampered with, so there's additional security from the GraphQL protocol. Security must be implemented by narrowing down to only the allowed data on the server side. How much of it is requested doesn't matter for security.

JAlexoid a day ago

Expecting GraphQL to handle security is really one of the poorest ways of doing security, as GQL is not designed to do that.

scotty79 a day ago

Sorry, I made a typo:

Requests can be tampered with, so there's *NO additional security from the GraphQL protocol.
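
Illustrating the thread's point that the server, not the client's typed input or selection set, has to enforce access: an added example, not code from any poster or from a real GraphQL library. The data store, roles and field allow-list are constructed for the demonstration.

```javascript
// Constructed sample data store (hypothetical records).
const USERS = {
  u1: { id: "u1", name: "Alice", email: "alice@example.test", salaryCents: 1500000 },
};

// Server-side allow-list of fields per role. A field absent here is never
// returned, no matter what the client asked for.
const FIELD_ALLOW = {
  anonymous: ["id", "name"],
  self: ["id", "name", "email"],
  admin: ["id", "name", "email", "salaryCents"],
};

// The schema may declare `id: ID!`, but a hand-crafted request can send any
// shape, so the resolver re-validates the input object at runtime.
function validateInput(args) {
  if (typeof args !== "object" || args === null) throw new Error("invalid input");
  const { id } = args;
  if (typeof id !== "string" || !/^[a-z0-9]{1,32}$/.test(id)) throw new Error("invalid id");
  return { id };
}

// Role is derived from the authenticated context, never from request arguments.
function roleFor(ctx, targetId) {
  if (ctx.isAdmin) return "admin";
  if (!ctx.userId) return "anonymous";
  return ctx.userId === targetId ? "self" : "anonymous";
}

// Resolver: `requestedFields` is the client's selection set. It can only narrow
// the response; it can never widen it past the server-side allow-list.
function resolveUser(ctx, rawArgs, requestedFields) {
  const { id } = validateInput(rawArgs);
  const user = USERS[id];
  if (!user) return null;
  const allowed = new Set(FIELD_ALLOW[roleFor(ctx, id)]);
  const out = {};
  for (const field of requestedFields) {
    if (allowed.has(field)) out[field] = user[field]; // denied fields are omitted
  }
  return out;
}
```

Requesting fewer fields never grants anything; requesting more fields than the role allows just yields the same pruned object the server would have returned anyway.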