If you pick a random GraphQL framework and run it with default settings in production, disaster is waiting to happen.

2. Unvalidated Input

GraphQL has no built-in mechanism for validating input. It is up to the client library or the server implementation to validate input before it is sent over the wire. This means there are two places where validation can happen: on the client side (e.g., Apollo Client) or on the server side (e.g., NextJS). The problem is that the two sides have different requirements for what should be validated and for how much effort validation itself deserves.
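Because the server cannot know whether the client validated anything, the check that matters is the one inside the resolver. The following is an added example, not code from the original page: a `createUser` mutation resolver in the `(parent, args, context)` shape used by graphql-js and Apollo Server, written as plain JavaScript so it runs without a GraphQL server. The field names, limits and the in-memory `db` are assumptions made for the example.

```javascript
// Added example: server-side validation of a GraphQL mutation input.
// Field names, limits and the in-memory "database" are assumptions.
const MAX_NAME = 64;
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

class UserInputError extends Error {
  constructor(message) { super(message); this.name = 'UserInputError'; }
}

// Allow-list the fields the server expects; anything else is rejected
// instead of being passed through to the data layer.
function validateCreateUserInput(input) {
  if (input === null || typeof input !== 'object') {
    throw new UserInputError('input must be an object');
  }
  const allowed = ['name', 'email', 'age'];
  for (const key of Object.keys(input)) {
    if (!allowed.includes(key)) throw new UserInputError(`unexpected field: ${key}`);
  }
  const { name, email, age } = input;
  if (typeof name !== 'string' || name.trim().length === 0 || name.length > MAX_NAME) {
    throw new UserInputError(`name must be 1-${MAX_NAME} characters`);
  }
  if (typeof email !== 'string' || email.length > 254 || !EMAIL_RE.test(email)) {
    throw new UserInputError('email is not valid');
  }
  if (!Number.isInteger(age) || age < 13 || age > 150) {
    throw new UserInputError('age must be an integer between 13 and 150');
  }
  // Return a normalised copy so the rest of the server only sees clean data.
  return { name: name.trim(), email: email.toLowerCase(), age };
}

// Resolver shape used by graphql-js / Apollo Server: (parent, args, context).
// Validation happens here, on the server, regardless of what the client did.
const resolvers = {
  Mutation: {
    createUser(_parent, args, context) {
      const clean = validateCreateUserInput(args.input);
      return context.db.insertUser(clean);
    },
  },
};

// Constructed in-memory store so the example runs stand-alone.
function makeContext() {
  const rows = [];
  return { db: { rows, insertUser(u) { rows.push(u); return { id: rows.length, ...u }; } } };
}
```

The same `validateCreateUserInput` can also be attached as a schema directive or custom scalar once a real GraphQL server is in place; the important property is that it runs on the server for every request.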
