Both Hive Gateway and Apollo Router follow the similar approaches on CSRF

The only difference is the default. By default, Hive Gateway doesn't have it, and Apollo Router has it in production mode.

The configuration is very simple. It is a list of the headers;

csrf:
   required-headers:
     - X-Apollo-Operation-Name

In case of enabling this feature, the router will check if one of the following conditions met;

• Content-Type other than text/plain, application/x-www-form-urlencoded or multipart/form-data
• One of the required headers exist

References

• https://the-guild.dev/graphql/hive/docs/gateway/other-features/security/csrf-prevention
• https://www.apollographql.com/docs/graphos/routing/security/csrf