Limit the depth of queries that can be executed.
Description

4. Mitigate malicious mutations

Limit mutation scope and complexity

Mutations are a powerful GraphQL feature, but they also expose your API to more risk than queries do: a single mutation written by an attacker could wipe out all data in your database, or even delete the database altogether. To mitigate this risk, we recommend limiting the ability of users to perform dangerous mutations by:
1) limiting access based on identity;
2) limiting access based on permissions;
3) using Apollo Server's built-in authorization features (see above).
https://t.co/YXfCXoMB4H
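An added example, not code from the original page or from Apollo Server, showing the identity check and permission check for a mutation resolver, together with the query-depth limit mentioned at the top of this page. The role names, the permission table and the `deletePost` mutation are hypothetical, and the selection-tree shape mirrors what graphql-js hands to a validation rule, so the block runs in plain Node.js without Apollo Server or graphql-js installed.

```javascript
// Added example (not from the page): guard GraphQL mutations by identity and
// permission, and cap query depth. Hypothetical permission matrix: which roles
// may invoke each mutation.
const MUTATION_PERMISSIONS = {
  createPost: ['author', 'admin'],
  deletePost: ['admin'],
  deleteAllPosts: ['admin'],
};

// (1) Identity: refuse callers with no authenticated user in the context.
// (2) Permissions: refuse roles that are not allowed to run this mutation.
function authorizeMutation(context, mutationName) {
  if (!context || !context.user) throw new Error('UNAUTHENTICATED');
  const allowed = MUTATION_PERMISSIONS[mutationName];
  if (!allowed) throw new Error('UNKNOWN_MUTATION: ' + mutationName);
  if (!allowed.includes(context.user.role)) throw new Error('FORBIDDEN');
  return true;
}

// Wrap a resolver so the authorization check runs before the resolver body.
// Resolver signature (parent, args, context, info) matches Apollo Server's.
function guard(mutationName, resolver) {
  return (parent, args, context, info) => {
    authorizeMutation(context, mutationName);
    return resolver(parent, args, context, info);
  };
}

// Depth of a selection tree: nodes are Fields with an optional selectionSet
// holding `selections`. A leaf field counts as depth 1.
function selectionDepth(selectionSet) {
  if (!selectionSet || selectionSet.selections.length === 0) return 0;
  return 1 + Math.max(...selectionSet.selections.map(s => selectionDepth(s.selectionSet)));
}

// Reject operations nested deeper than maxDepth; returns the measured depth.
function enforceDepthLimit(selectionSet, maxDepth) {
  const depth = selectionDepth(selectionSet);
  if (depth > maxDepth) throw new Error('QUERY_TOO_DEEP: ' + depth + ' > ' + maxDepth);
  return depth;
}

// Constructed resolver map: deletePost only succeeds for the admin role.
const resolvers = {
  Mutation: {
    deletePost: guard('deletePost', (_parent, { id }) => ({ id, deleted: true })),
  },
};
```

In a real Apollo Server deployment the `context` object would be built from the request's verified credentials, and the depth check would run as a validation rule before any resolver executes.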
