* This report was auto-generated by graphql-http

GraphQL over HTTP audit report

  • 79 audits in total
  • 35 pass
  • ⚠️ 44 warnings (optional)

Passing

  1. MUST accept application/json and match the content-type
  2. SHOULD accept */* and use application/json for the content-type
  3. SHOULD assume application/json content-type when accept is missing
  4. MUST use utf-8 encoding when responding
  5. MUST accept utf-8 encoded request
  6. MUST assume utf-8 in request if encoding is unspecified
  7. MUST accept POST requests
  8. MAY accept application/x-www-form-urlencoded formatted GET requests
  9. MAY NOT allow executing mutations on GET requests
  10. SHOULD respond with 4xx status code if content-type is not supplied on POST requests
  11. MUST accept application/json POST requests
  12. MUST require a request body on POST
  13. SHOULD use 200 status code with errors field on missing {query} parameter when accepting application/json
  14. SHOULD use 200 status code with errors field on object {query} parameter when accepting application/json
  15. SHOULD use 200 status code with errors field on number {query} parameter when accepting application/json
  16. SHOULD use 200 status code with errors field on boolean {query} parameter when accepting application/json
  17. SHOULD use 200 status code with errors field on array {query} parameter when accepting application/json
  18. MUST allow string {query} parameter when accepting application/json
  19. SHOULD use 200 status code with errors field on object {operationName} parameter when accepting application/json
  20. SHOULD use 200 status code with errors field on number {operationName} parameter when accepting application/json
  21. SHOULD use 200 status code with errors field on boolean {operationName} parameter when accepting application/json
  22. SHOULD use 200 status code with errors field on array {operationName} parameter when accepting application/json
  23. MUST allow string {operationName} parameter when accepting application/json
  24. MUST allow null {variables} parameter when accepting application/json
  25. MUST allow null {operationName} parameter when accepting application/json
  26. MUST allow null {extensions} parameter when accepting application/json
  27. MUST allow map {variables} parameter when accepting application/json
  28. MUST allow map {extensions} parameter when accepting application/json
  29. SHOULD use 200 status code if parameters are invalid when accepting application/json
  30. SHOULD use 200 status code on document parsing failure when accepting application/json
  31. SHOULD use 200 status code on document validation failure when accepting application/json
  32. SHOULD use 4xx or 5xx status codes on JSON parsing failure when accepting application/graphql-response+json
  33. SHOULD use 4xx or 5xx status codes if parameters are invalid when accepting application/graphql-response+json
  34. SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json
  35. SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json

Warnings

The server SHOULD support these, but is not required to. The 44 warnings reduce to four findings. (1) 34 of them share one cause: any request sent with Accept: application/graphql-response+json is refused with 406 Not Acceptable and a text/plain body, so the server negotiates only application/json and none of the checks for the newer media type could be exercised. (2) With application/json, a string, number or boolean {variables} parameter (20-22) and a body that is not valid JSON (36) are answered with 400 Bad Request and a text/plain "Malformed Request Body" instead of 200 with an errors field. (3) An array {variables} parameter (23) and a string, number, boolean or array {extensions} parameter (31-34) get 200 with no errors entry at all, i.e. the malformed parameter is silently ignored rather than reported; of the four this is the one to fix first, since it shows that parameter-shape validation is not enforced before execution. (4) A URL-encoded JSON {variables} string on a GET request (26) is answered with errors, so variables over GET are not supported.

  1. SHOULD accept application/graphql-response+json and match the content-type

    Response status code is not 200
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  2. SHOULD use 400 status code on missing {query} parameter when accepting application/graphql-response+json

    Response status code is not 400
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  3. SHOULD use 400 status code on object {query} parameter when accepting application/graphql-response+json

    Response status code is not 400
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  4. SHOULD use 400 status code on number {query} parameter when accepting application/graphql-response+json

    Response status code is not 400
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  5. SHOULD use 400 status code on boolean {query} parameter when accepting application/graphql-response+json

    Response status code is not 400
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  6. SHOULD use 400 status code on array {query} parameter when accepting application/graphql-response+json

    Response status code is not 400
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  7. SHOULD allow string {query} parameter when accepting application/graphql-response+json

    Response status code is not 200
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  8. SHOULD use 400 status code on object {operationName} parameter when accepting application/graphql-response+json

    Response status code is not 400
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  9. SHOULD use 400 status code on number {operationName} parameter when accepting application/graphql-response+json

    Response status code is not 400
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  10. SHOULD use 400 status code on boolean {operationName} parameter when accepting application/graphql-response+json

    Response status code is not 400
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  11. SHOULD use 400 status code on array {operationName} parameter when accepting application/graphql-response+json

    Response status code is not 400
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  12. SHOULD allow string {operationName} parameter when accepting application/graphql-response+json

    Response status code is not 200
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  13. SHOULD allow null {variables} parameter when accepting application/graphql-response+json

    Response status code is not 200
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  14. SHOULD allow null {operationName} parameter when accepting application/graphql-response+json

    Response status code is not 200
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  15. SHOULD allow null {extensions} parameter when accepting application/graphql-response+json

    Response status code is not 200
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  16. SHOULD use 400 status code on string {variables} parameter when accepting application/graphql-response+json

    Response status code is not 400
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  17. SHOULD use 400 status code on number {variables} parameter when accepting application/graphql-response+json

    Response status code is not 400
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  18. SHOULD use 400 status code on boolean {variables} parameter when accepting application/graphql-response+json

    Response status code is not 400
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  19. SHOULD use 400 status code on array {variables} parameter when accepting application/graphql-response+json

    Response status code is not 400
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  20. SHOULD use 200 status code with errors field on string {variables} parameter when accepting application/json

    Response status code is not 200
    {
      "statusText": "Bad Request",
      "status": 400,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "42",
        "content-encoding": "gzip"
      },
      "body": "Malformed Request Body"
    }
  21. SHOULD use 200 status code with errors field on number {variables} parameter when accepting application/json

    Response status code is not 200
    {
      "statusText": "Bad Request",
      "status": 400,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "42",
        "content-encoding": "gzip"
      },
      "body": "Malformed Request Body"
    }
  22. SHOULD use 200 status code with errors field on boolean {variables} parameter when accepting application/json

    Response status code is not 200
    {
      "statusText": "Bad Request",
      "status": 400,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "42",
        "content-encoding": "gzip"
      },
      "body": "Malformed Request Body"
    }
  23. SHOULD use 200 status code with errors field on array {variables} parameter when accepting application/json

    Response body execution result does not have a property "errors"
    {
      "statusText": "OK",
      "status": 200,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "application/json",
        "content-length": "59",
        "content-encoding": "gzip"
      },
      "body": null
    }
  24. SHOULD allow map {variables} parameter when accepting application/graphql-response+json

    Response status code is not 200
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  25. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json

    Response status code is not 200
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  26. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json

    Response body execution result has a property "errors"
    {
      "statusText": "OK",
      "status": 200,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "application/json",
        "content-length": "163",
        "content-encoding": "gzip"
      },
      "body": null
    }
  27. SHOULD use 400 status code on string {extensions} parameter when accepting application/graphql-response+json

    Response status code is not 400
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  28. SHOULD use 400 status code on number {extensions} parameter when accepting application/graphql-response+json

    Response status code is not 400
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  29. SHOULD use 400 status code on boolean {extensions} parameter when accepting application/graphql-response+json

    Response status code is not 400
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  30. SHOULD use 400 status code on array {extensions} parameter when accepting application/graphql-response+json

    Response status code is not 400
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  31. SHOULD use 200 status code with errors field on string {extensions} parameter when accepting application/json

    Response body execution result does not have a property "errors"
    {
      "statusText": "OK",
      "status": 200,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "application/json",
        "content-length": "59",
        "content-encoding": "gzip"
      },
      "body": null
    }
  32. SHOULD use 200 status code with errors field on number {extensions} parameter when accepting application/json

    Response body execution result does not have a property "errors"
    {
      "statusText": "OK",
      "status": 200,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "application/json",
        "content-length": "59",
        "content-encoding": "gzip"
      },
      "body": null
    }
  33. SHOULD use 200 status code with errors field on boolean {extensions} parameter when accepting application/json

    Response body execution result does not have a property "errors"
    {
      "statusText": "OK",
      "status": 200,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "application/json",
        "content-length": "59",
        "content-encoding": "gzip"
      },
      "body": null
    }
  34. SHOULD use 200 status code with errors field on array {extensions} parameter when accepting application/json

    Response body execution result does not have a property "errors"
    {
      "statusText": "OK",
      "status": 200,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "application/json",
        "content-length": "59",
        "content-encoding": "gzip"
      },
      "body": null
    }
  35. SHOULD allow map {extensions} parameter when accepting application/graphql-response+json

    Response status code is not 200
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  36. SHOULD use 200 status code on JSON parsing failure when accepting application/json

    Response status code is not 200
    {
      "statusText": "Bad Request",
      "status": 400,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "42",
        "content-encoding": "gzip"
      },
      "body": "Malformed Request Body"
    }
  37. SHOULD use 400 status code on JSON parsing failure when accepting application/graphql-response+json

    Response status code is not 400
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  38. SHOULD not contain the data entry on JSON parsing failure when accepting application/graphql-response+json

    Response body is not valid JSON
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": null
    }
  39. SHOULD use 400 status code if parameters are invalid when accepting application/graphql-response+json

    Response status code is not 400
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  40. SHOULD not contain the data entry if parameters are invalid when accepting application/graphql-response+json

    Response body is not valid JSON
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": null
    }
  41. SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json

    Response status code is not 400
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  42. SHOULD not contain the data entry on document parsing failure when accepting application/graphql-response+json

    Response body is not valid JSON
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": null
    }
  43. SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json

    Response status code is not 400
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": "Not Acceptable"
    }
  44. SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json

    Response body is not valid JSON
    {
      "statusText": "Not Acceptable",
      "status": 406,
      "headers": {
        "vary": "Accept-Encoding",
        "date": "<timestamp>",
        "content-type": "text/plain;charset=UTF-8",
        "content-length": "14"
      },
      "body": null
    }
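The behaviour the audits above check, written out as a stand-alone HTTP-layer request validator: content negotiation between application/json and application/graphql-response+json, 200-with-errors versus 400 depending on the negotiated media type, rejection of non-map {variables} and {extensions} (the case the audited server lets through), and refusal of mutations over GET. This is an added example, not code from graphql-http or from the audited server; the request shape { method, url, headers, body }, the function names and the sample request at the bottom are assumptions constructed here to mirror the audit cases.

```javascript
// Added example (not graphql-http's code, not the audited server's code):
// the HTTP-layer checks the audit exercises, as a framework-agnostic validator.
// Assumed request shape: { method, url, headers, body } with body a raw string.
const JSON_MT = "application/json";
const GQL_MT = "application/graphql-response+json";

const plain = (status, text) => ({
  status,
  headers: { "content-type": "text/plain; charset=utf-8" },
  body: text,
});

// Pick the response media type from the Accept header: the newer media type
// wins when offered, "*/*" or a missing header falls back to application/json,
// anything else is unacceptable (the caller answers 406).
function negotiate(accept) {
  if (accept == null || accept.trim() === "") return JSON_MT;
  const offered = accept.split(",").map((p) => p.split(";")[0].trim().toLowerCase());
  if (offered.includes(GQL_MT)) return GQL_MT;
  if (offered.includes(JSON_MT) || offered.includes("*/*") || offered.includes("application/*")) return JSON_MT;
  return null;
}

// Report a request-level problem in the negotiated shape: with application/json
// the status is 200 and the problem lives in `errors`; with
// application/graphql-response+json the status carries the failure. No `data`
// entry is present in either case.
function errorResponse(mediaType, message, status) {
  return {
    status: mediaType === GQL_MT ? status : 200,
    headers: { "content-type": `${mediaType}; charset=utf-8` },
    body: { errors: [{ message }] },
  };
}

const isMap = (v) => typeof v === "object" && v !== null && !Array.isArray(v);

// Parameter-shape rules: query is a string; operationName is a string or null;
// variables and extensions are maps or null. Arrays are not maps, which is
// exactly the case the audited server let through with 200 and no errors.
function checkParams(p) {
  if (!isMap(p)) return "request parameters must be a JSON object";
  if (typeof p.query !== "string") return "'query' must be a string";
  if (p.operationName != null && typeof p.operationName !== "string") return "'operationName' must be a string or null";
  if (p.variables != null && !isMap(p.variables)) return "'variables' must be an object or null";
  if (p.extensions != null && !isMap(p.extensions)) return "'extensions' must be an object or null";
  return null;
}

// Returns either an HTTP response to send as-is, or { ok: true, mediaType, params }
// for the executor. Nothing here touches the schema; it is purely the HTTP layer.
function validateGraphQLHttpRequest(req) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) headers[k.toLowerCase()] = v;
  const mediaType = negotiate(headers.accept);
  if (mediaType === null) return plain(406, "Not Acceptable");

  let params;
  if (req.method === "GET") {
    const qs = new URLSearchParams((req.url || "").split("?")[1] || "");
    params = {};
    for (const key of ["query", "operationName"]) if (qs.has(key)) params[key] = qs.get(key);
    // variables and extensions travel as URL-encoded JSON strings on GET.
    for (const key of ["variables", "extensions"]) {
      if (!qs.has(key)) continue;
      try { params[key] = JSON.parse(qs.get(key)); }
      catch { return errorResponse(mediaType, `'${key}' is not valid JSON`, 400); }
    }
  } else if (req.method === "POST") {
    const contentType = (headers["content-type"] || "").split(";")[0].trim().toLowerCase();
    if (contentType !== JSON_MT) return plain(415, "Unsupported Media Type"); // missing/wrong Content-Type: 4xx
    // A missing or empty body fails JSON parsing and is reported the same way.
    try { params = JSON.parse(req.body); }
    catch { return errorResponse(mediaType, "request body is not valid JSON", 400); }
  } else {
    return plain(405, "Method Not Allowed");
  }

  const problem = checkParams(params);
  if (problem !== null) return errorResponse(mediaType, problem, 400);

  // Never run a mutation in response to GET: GETs are cacheable and can be
  // triggered cross-site by a plain link or image tag. This keyword test is
  // deliberately conservative; a real server decides from the parsed document.
  if (req.method === "GET" && /\bmutation\b/.test(params.query)) return plain(405, "Mutations are not allowed over GET");

  return { ok: true, mediaType, params };
}

// Constructed sample request mirroring audit case 23 (array {variables}).
const sample = validateGraphQLHttpRequest({
  method: "POST",
  headers: { accept: "application/json", "content-type": "application/json" },
  body: JSON.stringify({ query: "{ __typename }", variables: [] }),
});
console.log(sample.status, JSON.stringify(sample.body));
```

Wire validateGraphQLHttpRequest in front of the executor: when it returns an object without ok, send it unchanged; otherwise hand params to the GraphQL engine and serialize the result with the returned mediaType. Against the audited server this would turn cases 23 and 31-34 into 200 with an errors entry (application/json) or 400 (application/graphql-response+json), and the 406 responses disappear because the newer media type is negotiated.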