Fix potential CSRF error in createGraphQLFetch (#2935)

vivid-planet · Dec 18, 2024 · 900b039 · 900b039
1 parent fcec4c5
commit 900b039
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/packages/site/cms-site/src/graphQLFetch/graphQLFetch.ts b/packages/site/cms-site/src/graphQLFetch/graphQLFetch.ts
@@ -83,7 +83,20 @@ export function createGraphQLFetch(fetch: Fetch, url: string): GraphQLFetch {
             const fetchUrl = new URL(url);
             fetchUrl.searchParams.append("query", query);
             fetchUrl.searchParams.append("variables", JSON.stringify(variables));
-            response = await fetch(fetchUrl, init);
+            response = await fetch(fetchUrl, {
+                ...init,
+                headers: {
+                    /**
+                     * It's recommended to add the `Apollo-Require-Preflight` header to GET requests, running on an Apollo Server 4.
+                     *
+                     * If this header is missing, Apollo Server 4 will return: This operation has been blocked as a potential Cross-Site Request Forgery (CSRF).
+                     *
+                     * see: https://www.apollographql.com/docs/graphos/routing/security/csrf#enable-csrf-prevention
+                     */
+                    "Apollo-Require-Preflight": "true",
+                    ...init.headers,
+                },
+            });
         } else {
             response = await fetch(url, {
                 method: "POST",