Reject GET requests with a Content-Type other than application/json (#8191)

glasser · claude · web-flow · commit ada12001c4e9 · 2026-03-24T12:41:45.000-07:00
GET requests carry their GraphQL operation in query parameters, not a body, so there is no legitimate reason to send any Content-Type other than application/json (which Apollo Client Web sends by default). Reject any other value — including valid MIME types like text/plain and application/graphql, as well as malformed values — with HTTP 415. This also addresses GHSA-9q82-xgwf-vj6h  ## Summary by CodeRabbit * **Security** * Strengthened CSRF protection: GET requests with `Content-Type` headers other than `application/json` are now rejected (HTTP 415) * Users with cookies or HTTP Basic Auth should upgrade to v5.5.0 * **Documentation** * Updated request handling and CSRF prevention documentation  --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/.changeset/chatty-worlds-vanish.md b/.changeset/chatty-worlds-vanish.md
@@ -0,0 +1,18 @@
+---
+'@apollo/server-integration-testsuite': minor
+'@apollo/server': minor
+---
+
+⚠️ SECURITY `@apollo/server/standalone`:
+
+Apollo Server now rejects GraphQL `GET` requests which contain a `Content-Type` header other than `application/json` (with optional parameters such as `; charset=utf-8`). Any other value is now rejected with a 415 status code.
+
+(GraphQL `GET` requests without a `Content-Type` header are still allowed, though they do still need to contain a non-empty `X-Apollo-Operation-Name` or `Apollo-Require-Preflight` header to be processed if the default CSRF prevention feature is enabled.)
+
+This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.
+
+**If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.**
+
+This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty `Content-Type` headers with `GET` requests with types other than `application/json`. If your use case requires such requests, please [file an issue](https://github.com/apollographql/apollo-server/issues) and we may add more configurability in a follow-up release.
+
+See [advisory GHSA-9q82-xgwf-vj6h](https://github.com/apollographql/apollo-server/security/advisories/GHSA-9q82-xgwf-vj6h) for more details.
diff --git a/docs/source/integrations/building-integrations.md b/docs/source/integrations/building-integrations.md
@@ -120,6 +120,8 @@ Integrations _are_ responsible for parsing a request's body and using the values
 
 In Apollo Server's Express integration, you set up the `express.json()` JSON middleware, which handles parsing JSON request bodies with a `content-type` of `application/json`. Integrations can require a similar middleware (or plugin) for their ecosystem, or they can handle body parsing themselves.
 
+Note that Apollo Server's [CSRF prevention](../security/cors/#preventing-cross-site-request-forgery-csrf) feature assumes that your integration's recommended method of body parsing will reject `POST` requests without a `content-type` of `application/json`. If your integration allows `POST` requests with no `content-type` header (or with a `content-type` of `text/plain`, `application/x-www-form-urlencoded`, or `multipart/form-data`), servers will be vulnerable to CSRF attacks.
+
 For example, a correctly parsed body should have a shape resembling this:
 
 ```ts
diff --git a/docs/source/security/cors.mdx b/docs/source/security/cors.mdx
@@ -200,7 +200,7 @@ However, Apollo Server also handles [`GET` requests](../workflow/requests#get-re
 
 By default, Apollo Server 4+ has a CSRF prevention feature enabled. This means your server only executes GraphQL operations if at least one of the following conditions is true:
 
-- The incoming request includes a `Content-Type` header that specifies a type other than `text/plain`, `application/x-www-form-urlencoded`, or `multipart/form-data`. Notably, a `Content-Type` of `application/json` (including any suffix like `application/json; charset=utf-8`) is sufficient. This means that all `POST` requests (which must use `Content-Type: application/json`) will be executed. Additionally, all versions of [Apollo Client Web](/react/api/link/apollo-link-http) that support `GET` requests do include `Content-Type: application/json` headers, so any request from Apollo Client Web (`POST` or `GET`) will be executed.
+- The incoming request includes a `Content-Type` header that specifies a type other than `text/plain`, `application/x-www-form-urlencoded`, or `multipart/form-data`. Notably, a `Content-Type` of `application/json` (including any suffix like `application/json; charset=utf-8`) is sufficient. This means that all `POST` requests (which must use `Content-Type: application/json`) will be executed. Additionally, all versions of [Apollo Client Web](/react/api/link/apollo-link-http) that support `GET` requests do include `Content-Type: application/json` headers, so any request from Apollo Client Web (`POST` or `GET`) will be executed. (As of v5.5.0, Apollo Server rejects GET requests which contain a non-empty `Content-Type` other than `application/json`, so in practice this bullet point could be summarized as "the incoming request includes a `Content-Type` header that specifies the type `application/json`".)
 - There is a non-empty `X-Apollo-Operation-Name` header. This header is sent with all operations (`POST` or `GET`) by [Apollo iOS](/ios) (v0.13.0+) and [Apollo Kotlin](/kotlin) (all versions, including its former name "Apollo Android"), so any request from Apollo iOS or Apollo Kotlin will be executed.
 - There is a non-empty `Apollo-Require-Preflight` header.
 
diff --git a/docs/source/workflow/requests.md b/docs/source/workflow/requests.md
@@ -82,7 +82,9 @@ curl --request GET \
   https://rover.apollo.dev/quickstart/products/graphql?query=query%20GetBestSellers%28%24category%3A%20ProductCategory%29%7BbestSellers%28category%3A%20%24category%29%7Btitle%7D%7D&operationName=GetBestSellers&variables=%7B%22category%22%3A%22BOOKS%22%7D
 ```
 
-Unlike with `POST` requests, `GET` requests do not require a `Content-Type` header. However, if you have Apollo Server's default [CSRF prevention](../security/cors#preventing-cross-site-request-forgery-csrf) feature enabled, `GET` requests that don't contain a `Content-Type` header must contain one of the following:
+Unlike with `POST` requests, `GET` requests do not require a `Content-Type` header: this header describes the request's body's type, and `GET` requests do not have a body. For historical reasons, Apollo Server allows `GET` requests with a `Content-Type` header of `application/json` (with optional parameters such as `; charset=utf-8`); any other value is rejected with a 415 status code.
+
+Additionally, if you have Apollo Server's default [CSRF prevention](../security/cors#preventing-cross-site-request-forgery-csrf) feature enabled, `GET` requests that don't contain a `Content-Type` header must contain one of the following:
 
 - A non-empty `X-Apollo-Operation-Name` header
 - A non-empty `Apollo-Require-Preflight` header
diff --git a/packages/integration-testsuite/src/apolloServerTests.ts b/packages/integration-testsuite/src/apolloServerTests.ts
@@ -3177,15 +3177,21 @@ export function defineIntegrationTestSuiteApolloServerTests(
             .query(operation),
         );
 
-        // GET with an invalid content-type (no slash) actually succeeds, since
-        // this will be preflighted, although it would be reasonable if it
-        // didn't.
-        succeeds(
-          await request(url)
+        // GET with an invalid content-type (no slash) is blocked (not for CSRF
+        // reasons specifically, but because the content-type is not parsable
+        // as application/json).
+        {
+          const res = await request(url)
             .get('/')
             .set('content-type', 'invalid')
-            .query(operation),
-        );
+            .query(operation);
+          expect(res.status).toBe(415);
+          expect(res.text).toMatch(/GET requests may not have a content-type/);
+          expect(invalidRequestErrors).toHaveLength(1);
+          expect(invalidRequestErrors.pop()?.message).toMatch(
+            /GET requests may not have a content-type/,
+          );
+        }
 
         // Adding parameters to the content-type and spaces doesn't stop it from
         // being blocked.
diff --git a/packages/integration-testsuite/src/httpServerTests.ts b/packages/integration-testsuite/src/httpServerTests.ts
@@ -605,6 +605,107 @@ export function defineIntegrationTestSuiteHttpServerTests(
         `);
       });
 
+      it('throws an error if GET request has a non-application/json content-type', async () => {
+        const app = await createApp();
+        const res = await request(app)
+          .get('/?query={testString}')
+          .set('apollo-require-preflight', 't')
+          .set('content-type', 'text/plain');
+        expect(res.status).toEqual(415);
+        expect(JSON.parse((res.error as HTTPError).text))
+          .toMatchInlineSnapshot(`
+          {
+            "errors": [
+              {
+                "extensions": {
+                  "code": "BAD_REQUEST",
+                },
+                "message": "GET requests may not have a content-type header other than application/json.",
+              },
+            ],
+          }
+        `);
+      });
+
+      it('throws an error if GET request has a non-preflighted non-application/json content-type', async () => {
+        // application/graphql is a valid MIME type that is not one of the three
+        // CORS-safelisted types, so CSRF prevention would allow it through (it
+        // triggers a preflight). We block it anyway.
+        const app = await createApp();
+        const res = await request(app)
+          .get('/?query={testString}')
+          .set('apollo-require-preflight', 't')
+          .set('content-type', 'application/graphql');
+        expect(res.status).toEqual(415);
+        expect(JSON.parse((res.error as HTTPError).text))
+          .toMatchInlineSnapshot(`
+          {
+            "errors": [
+              {
+                "extensions": {
+                  "code": "BAD_REQUEST",
+                },
+                "message": "GET requests may not have a content-type header other than application/json.",
+              },
+            ],
+          }
+        `);
+      });
+
+      it('throws an error if GET request has a malformed content-type', async () => {
+        const app = await createApp();
+        const res = await request(app)
+          .get('/?query={testString}')
+          .set('apollo-require-preflight', 't')
+          .set('content-type', 'invalid');
+        expect(res.status).toEqual(415);
+        expect(JSON.parse((res.error as HTTPError).text))
+          .toMatchInlineSnapshot(`
+          {
+            "errors": [
+              {
+                "extensions": {
+                  "code": "BAD_REQUEST",
+                },
+                "message": "GET requests may not have a content-type header other than application/json.",
+              },
+            ],
+          }
+        `);
+      });
+
+      it('allows GET requests with content-type application/json', async () => {
+        const app = await createApp();
+        const expected = {
+          testString: 'it works',
+        };
+        const query = {
+          query: 'query test{ testString }',
+        };
+        const res = await request(app)
+          .get('/')
+          .set('content-type', 'application/json')
+          .query(query);
+        expect(res.status).toEqual(200);
+        expect(res.body.data).toEqual(expected);
+      });
+
+      it('allows GET requests with content-type application/json with charset parameter', async () => {
+        const app = await createApp();
+        const expected = {
+          testString: 'it works',
+        };
+        const query = {
+          query: 'query test{ testString }',
+        };
+        const res = await request(app)
+          .get('/')
+          .set('content-type', 'application/json; charset=utf-8')
+          .query(query);
+        expect(res.status).toEqual(200);
+        expect(res.body.data).toEqual(expected);
+      });
+
       it('can handle a basic GET request', async () => {
         const app = await createApp();
         const expected = {
diff --git a/packages/server/src/runHttpQuery.ts b/packages/server/src/runHttpQuery.ts
@@ -21,6 +21,7 @@ import { type FormattedExecutionResult, Kind } from 'graphql';
 import { BadRequestError } from './internalErrorClasses.js';
 import Negotiator from 'negotiator';
 import { HeaderMap } from './utils/HeaderMap.js';
+import MIMEType from 'whatwg-mimetype';
 
 function fieldIfString(
   o: Record<string, unknown>,
@@ -195,6 +196,20 @@ export async function runHttpQuery<TContext extends BaseContext>({
     }
 
     case 'GET': {
+      const contentType = httpRequest.headers.get('content-type');
+      if (contentType !== undefined) {
+        const contentTypeParsed = MIMEType.parse(contentType);
+        if (
+          contentTypeParsed === null ||
+          contentTypeParsed.essence !== 'application/json'
+        ) {
+          throw new BadRequestError(
+            'GET requests may not have a content-type header other than application/json.',
+            { extensions: { http: newHTTPGraphQLHead(415) } },
+          );
+        }
+      }
+
       const searchParams = new URLSearchParams(httpRequest.search);
 
       graphQLRequest = {
