While GET requests are typically used for retrieving data without side effects, allowing queries via GET in GraphQL APIs can introduce security risks, such as sensitive data being cached or logged by intermediaries like browsers, proxies, or CDNs. This behavior may inadvertently expose sensitive query content or compromise API security.
An attacker sends a GET request with a mutation query embedded in the URL, such as deleting a user or updating account details. If the server allows mutations via GET, the attacker can execute this mutation without the need for additional authentication or protection, potentially leading to unauthorized data modification.
