
GraphQL is not meant to be exposed over the internet

Blog post from Wundergraph

Post Details

- Company: Wundergraph
- Date Published:
- Author: Jens Neuse
- Word Count: 2,017
- Language: English
- Hacker News Points: 5
Summary

GraphQL is a query-based API style that simplifies communication between API developers and consumers. Its popularity, however, has raised concerns about its misuse, particularly when it is exposed over the internet. The author argues that GraphQL should not be used in production without proper consideration of security risks such as schema traversal attacks and bug bounties. In contrast, using GraphQL as a server-side language to define JSON-RPC APIs can offer improved security and performance while preserving the flexibility of GraphQL. This approach involves writing a fixed set of GraphQL Operations that become the functions of a JSON-RPC API, which reduces the attack surface and makes the API easier to secure. While this approach may not suit every use case, it can benefit many developers who want GraphQL's advantages without its exposure-related security concerns.