Authorization checks need to be performed separately in each location that exposes the data; a single location that omits the check is an exploitable authorization flaw.
Description

This is compounded as the API schema grows in complexity and more distinct resolvers become responsible for access control over the same data.

2. REST Proxies Allow Attacks on Underlying APIs

REST proxies like GraphQL can also introduce a new attack vector, especially if they are not properly secured or implemented with security in mind. A malicious user could use a proxy service to gain unauthorized access to another application by using it as an intermediary between their client and your server; this is known as a "man-in-the-middle" (MitM) attack.