Skip to content

Latest commit

 

History

History
677 lines (671 loc) · 18.1 KB

README.md

File metadata and controls

677 lines (671 loc) · 18.1 KB
Raw

* This report was auto-generated by graphql-http

GraphQL over HTTP audit report

  • 60 audits in total
  • 29 pass
  • 💡 18 notices (suggestions)
  • ⚠️ 13 warnings (optional)

Passing

  1. 4655 MUST accept application/json and match the content-type
  2. 47DE SHOULD accept */* and use application/json for the content-type
  3. 80D8 SHOULD assume application/json content-type when accept is missing
  4. 82A3 MUST use utf-8 encoding when responding
  5. BF61 MUST accept utf-8 encoded request
  6. 78D5 MUST assume utf-8 in request if encoding is unspecified
  7. 2C94 MUST accept POST requests
  8. 5A70 MAY accept application/x-www-form-urlencoded formatted GET requests
  9. 9C48 MAY NOT allow executing mutations on GET requests
  10. 9ABE MAY respond with 4xx status code if content-type is not supplied on POST requests
  11. 03D4 MUST accept application/json POST requests
  12. A5BF MAY use 400 status code when request body is missing on POST
  13. 13EE MUST allow string {query} parameter when accepting application/json
  14. B8B3 MUST allow string {operationName} parameter when accepting application/json
  15. 0220 MUST allow null {variables} parameter when accepting application/json
  16. 0221 MUST allow null {operationName} parameter when accepting application/json
  17. 0222 MUST allow null {extensions} parameter when accepting application/json
  18. 4760 MAY use 400 status code on string {variables} parameter
  19. 4761 MAY use 400 status code on number {variables} parameter
  20. 4762 MAY use 400 status code on boolean {variables} parameter
  21. 28B9 MUST allow map {variables} parameter when accepting application/json
  22. 1B7A MUST allow map {extensions} parameter when accepting application/json
  23. B6DC MAY use 4xx or 5xx status codes on JSON parsing failure
  24. BCF8 MAY use 400 status code on JSON parsing failure
  25. 572B SHOULD use 200 status code on document parsing failure when accepting application/json
  26. FDE2 SHOULD use 200 status code on document validation failure when accepting application/json
  27. 7B9B SHOULD use a status code of 200 on variable coercion failure when accepting application/json
  28. 865D SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json
  29. 51FE SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json

Notices

The server MAY support these, but are truly optional. These are suggestions following recommended conventions.
  1. 423L MAY use 400 status code on missing {query} parameter
    Response status code is not 400 
    {
  "statusText": "Not Acceptable",
  "status": 406,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "text/plain;charset=UTF-8",
    "content-length": "14"
  },
  "body": "Not Acceptable"
}
  2. LKJ0 MAY use 400 status code on object {query} parameter
    Response status code is not 400 
    {
  "statusText": "OK",
  "status": 200,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "application/json",
    "content-length": "45",
    "content-encoding": "gzip"
  },
  "body": {
    "errors": [
      {}
    ]
  }
}
  3. LKJ1 MAY use 400 status code on number {query} parameter
    Response status code is not 400 
    {
  "statusText": "OK",
  "status": 200,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "application/json",
    "content-length": "45",
    "content-encoding": "gzip"
  },
  "body": {
    "errors": [
      {}
    ]
  }
}
  4. LKJ2 MAY use 400 status code on boolean {query} parameter
    Response status code is not 400 
    {
  "statusText": "OK",
  "status": 200,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "application/json",
    "content-length": "45",
    "content-encoding": "gzip"
  },
  "body": {
    "errors": [
      {}
    ]
  }
}
  5. LKJ3 MAY use 400 status code on array {query} parameter
    Response status code is not 400 
    {
  "statusText": "OK",
  "status": 200,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "application/json",
    "content-length": "45",
    "content-encoding": "gzip"
  },
  "body": {
    "errors": [
      {}
    ]
  }
}
  6. 6C00 MAY use 400 status code on object {operationName} parameter
    Response status code is not 400 
    {
  "statusText": "OK",
  "status": 200,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "application/json",
    "content-length": "105",
    "content-encoding": "gzip"
  },
  "body": {
    "errors": [
      {
        "message": "Unknown operation named \"[object Object]\"."
      }
    ]
  }
}
  7. 6C01 MAY use 400 status code on number {operationName} parameter
    Response status code is not 400 
    {
  "statusText": "OK",
  "status": 200,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "application/json",
    "content-length": "95",
    "content-encoding": "gzip"
  },
  "body": {
    "errors": [
      {
        "message": "Unknown operation named \"0\"."
      }
    ]
  }
}
  8. 6C02 MAY use 400 status code on boolean {operationName} parameter
    Response status code is not 400 
    {
  "statusText": "OK",
  "status": 200,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "application/json",
    "content-length": "98",
    "content-encoding": "gzip"
  },
  "body": {
    "errors": [
      {
        "message": "Unknown operation named \"false\"."
      }
    ]
  }
}
  9. 6C03 MAY use 400 status code on array {operationName} parameter
    Response status code is not 400 
    {
  "statusText": "OK",
  "status": 200,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "application/json",
    "content-length": "98",
    "content-encoding": "gzip"
  },
  "body": {
    "errors": [
      {
        "message": "Unknown operation named \"array\"."
      }
    ]
  }
}
  10. 4763 MAY use 400 status code on array {variables} parameter
    Response status code is not 400 
    {
  "statusText": "OK",
  "status": 200,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "application/json",
    "content-length": "59",
    "content-encoding": "gzip"
  },
  "body": {
    "data": {
      "__typename": "Query"
    }
  }
}
  11. D6D5 MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json
    Response status code is not 200 
    {
  "statusText": "Not Acceptable",
  "status": 406,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "text/plain;charset=UTF-8",
    "content-length": "14"
  },
  "body": "Not Acceptable"
}
  12. 6A70 MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json
    Response body execution result has a property "errors" 
    {
  "statusText": "OK",
  "status": 200,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "application/json",
    "content-length": "163",
    "content-encoding": "gzip"
  },
  "body": {
    "errors": [
      {
        "message": "Variable \"$name\" of required type \"String!\" was not provided.",
        "locations": [
          {
            "line": 1,
            "column": 12
          }
        ]
      }
    ]
  }
}
  13. 58B0 MAY use 400 status code on string {extensions} parameter
    Response status code is not 400 
    {
  "statusText": "OK",
  "status": 200,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "application/json",
    "content-length": "59",
    "content-encoding": "gzip"
  },
  "body": {
    "data": {
      "__typename": "Query"
    }
  }
}
  14. 58B1 MAY use 400 status code on number {extensions} parameter
    Response status code is not 400 
    {
  "statusText": "OK",
  "status": 200,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "application/json",
    "content-length": "59",
    "content-encoding": "gzip"
  },
  "body": {
    "data": {
      "__typename": "Query"
    }
  }
}
  15. 58B2 MAY use 400 status code on boolean {extensions} parameter
    Response status code is not 400 
    {
  "statusText": "OK",
  "status": 200,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "application/json",
    "content-length": "59",
    "content-encoding": "gzip"
  },
  "body": {
    "data": {
      "__typename": "Query"
    }
  }
}
  16. 58B3 MAY use 400 status code on array {extensions} parameter
    Response status code is not 400 
    {
  "statusText": "OK",
  "status": 200,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "application/json",
    "content-length": "59",
    "content-encoding": "gzip"
  },
  "body": {
    "data": {
      "__typename": "Query"
    }
  }
}
  17. 8764 MAY use 4xx or 5xx status codes if parameters are invalid
    Response status is not between 400 and 599 
    {
  "statusText": "OK",
  "status": 200,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "application/json",
    "content-length": "45",
    "content-encoding": "gzip"
  },
  "body": {
    "errors": [
      {}
    ]
  }
}
  18. 3E3A MAY use 400 status code if parameters are invalid
    Response status code is not 400 
    {
  "statusText": "OK",
  "status": 200,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "application/json",
    "content-length": "45",
    "content-encoding": "gzip"
  },
  "body": {
    "errors": [
      {}
    ]
  }
}

Warnings

The server SHOULD support these, but is not required.
  1. 22EB SHOULD accept application/graphql-response+json and match the content-type
    Response status code is not 200 
    {
  "statusText": "Not Acceptable",
  "status": 406,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "text/plain;charset=UTF-8",
    "content-length": "14"
  },
  "body": "Not Acceptable"
}
  2. 34A2 SHOULD allow string {query} parameter when accepting application/graphql-response+json
    Response status code is not 200 
    {
  "statusText": "Not Acceptable",
  "status": 406,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "text/plain;charset=UTF-8",
    "content-length": "14"
  },
  "body": "Not Acceptable"
}
  3. 8161 SHOULD allow string {operationName} parameter when accepting application/graphql-response+json
    Response status code is not 200 
    {
  "statusText": "Not Acceptable",
  "status": 406,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "text/plain;charset=UTF-8",
    "content-length": "14"
  },
  "body": "Not Acceptable"
}
  4. 94B0 SHOULD allow null {variables} parameter when accepting application/graphql-response+json
    Response status code is not 200 
    {
  "statusText": "Not Acceptable",
  "status": 406,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "text/plain;charset=UTF-8",
    "content-length": "14"
  },
  "body": "Not Acceptable"
}
  5. 94B1 SHOULD allow null {operationName} parameter when accepting application/graphql-response+json
    Response status code is not 200 
    {
  "statusText": "Not Acceptable",
  "status": 406,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "text/plain;charset=UTF-8",
    "content-length": "14"
  },
  "body": "Not Acceptable"
}
  6. 94B2 SHOULD allow null {extensions} parameter when accepting application/graphql-response+json
    Response status code is not 200 
    {
  "statusText": "Not Acceptable",
  "status": 406,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "text/plain;charset=UTF-8",
    "content-length": "14"
  },
  "body": "Not Acceptable"
}
  7. 2EA1 SHOULD allow map {variables} parameter when accepting application/graphql-response+json
    Response status code is not 200 
    {
  "statusText": "Not Acceptable",
  "status": 406,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "text/plain;charset=UTF-8",
    "content-length": "14"
  },
  "body": "Not Acceptable"
}
  8. 428F SHOULD allow map {extensions} parameter when accepting application/graphql-response+json
    Response status code is not 200 
    {
  "statusText": "Not Acceptable",
  "status": 406,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "text/plain;charset=UTF-8",
    "content-length": "14"
  },
  "body": "Not Acceptable"
}
  9. 556A SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json
    Response status code is not 400 
    {
  "statusText": "Not Acceptable",
  "status": 406,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "text/plain;charset=UTF-8",
    "content-length": "14"
  },
  "body": "Not Acceptable"
}
  10. D586 SHOULD not contain the data entry on document parsing failure when accepting application/graphql-response+json
    Response body is not valid JSON 
    {
  "statusText": "Not Acceptable",
  "status": 406,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "text/plain;charset=UTF-8",
    "content-length": "14"
  },
  "body": null
}
  11. 74FF SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json
    Response status code is not 400 
    {
  "statusText": "Not Acceptable",
  "status": 406,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "text/plain;charset=UTF-8",
    "content-length": "14"
  },
  "body": "Not Acceptable"
}
  12. 5E5B SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json
    Response body is not valid JSON 
    {
  "statusText": "Not Acceptable",
  "status": 406,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "text/plain;charset=UTF-8",
    "content-length": "14"
  },
  "body": null
}
  13. 86EE SHOULD use a status code of 400 on variable coercion failure when accepting application/graphql-response+json
    Response status code is not 400 
    {
  "statusText": "Not Acceptable",
  "status": 406,
  "headers": {
    "vary": "Accept-Encoding",
    "date": "",
    "content-type": "text/plain;charset=UTF-8",
    "content-length": "14"
  },
  "body": "Not Acceptable"
}