From 215c5cbd8d1eda21add85b20210440fe4329ecda Mon Sep 17 00:00:00 2001
From: enisdenjo
Date: Tue, 15 Nov 2022 10:18:41 +0100
Subject: [PATCH 1/3] get requests are second class citizens

---
 src/audits/server.ts | 234 ++++++++++++++++++++++++++-----------------
 1 file changed, 142 insertions(+), 92 deletions(-)

diff --git a/src/audits/server.ts b/src/audits/server.ts
index b357b788..19ff82cd 100644
--- a/src/audits/server.ts
+++ b/src/audits/server.ts
@@ -45,13 +45,13 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
       // TODO: convert to MUST after watershed
       'SHOULD accept application/graphql-response+json and match the content-type',
       async () => {
-        const url = new URL(opts.url);
-        url.searchParams.set('query', '{ __typename }');
-
-        const res = await fetchFn(url.toString(), {
+        const res = await fetchFn(opts.url, {
+          method: 'POST',
           headers: {
+            'content-type': 'application/json',
             accept: 'application/graphql-response+json',
           },
+          body: JSON.stringify({ query: '{ __typename }' }),
         });
         assert('Status code', res.status).toBe(200);
         assert(
@@ -63,13 +63,13 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
     audit(
       'MUST accept application/json and match the content-type',
       async () => {
-        const url = new URL(opts.url);
-        url.searchParams.set('query', '{ __typename }');
-
-        const res = await fetchFn(url.toString(), {
+        const res = await fetchFn(opts.url, {
+          method: 'POST',
           headers: {
+            'content-type': 'application/json',
             accept: 'application/json',
           },
+          body: JSON.stringify({ query: '{ __typename }' }),
         });
         assert('Status code', res.status).toBe(200);
         assert(
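Review bot: Both hunks here, and every hunk from `@@ -82` through `@@ -862`, now spell out the same POST request by hand — `method: 'POST'`, a `'content-type': 'application/json'` header and `body: JSON.stringify(...)` — differing only in the accept header and the body object, so a later change to how the audits post (a charset, an extra header) has to be repeated in roughly twenty places. A small helper next to `fetchFn` (which is defined outside these hunks) would keep each audit down to the one line that is actually specific to it; spreading the caller's headers after the default lets the `@@ -148` hunk still override the content-type with `application/json; charset=utf-8`. The helper below is a constructed sketch, not code from the page.
```typescript
// constructed helper; fetchFn and opts are in scope inside serverAudits (defined outside this hunk)
const postJson = (
  body: Record<string, unknown>,
  headers: Record<string, string> = {},
) =>
  fetchFn(opts.url, {
    method: 'POST',
    headers: { 'content-type': 'application/json', ...headers },
    body: JSON.stringify(body),
  });
// … unchanged: audit titles and assertions …
const res = await postJson(
  { query: '{ __typename }' },
  { accept: 'application/graphql-response+json' },
);
```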
@@ -82,13 +82,13 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
       // TODO: convert to MUST after watershed
       'SHOULD accept */* and use application/graphql-response+json for the content-type',
       async () => {
-        const url = new URL(opts.url);
-        url.searchParams.set('query', '{ __typename }');
-
-        const res = await fetchFn(url.toString(), {
+        const res = await fetchFn(opts.url, {
+          method: 'POST',
           headers: {
+            'content-type': 'application/json',
             accept: '*/*',
           },
+          body: JSON.stringify({ query: '{ __typename }' }),
         });
         assert('Status code', res.status).toBe(200);
         assert(
@@ -101,10 +101,13 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
       // TODO: convert to MUST after watershed
       'SHOULD assume application/graphql-response+json content-type when accept is missing',
       async () => {
-        const url = new URL(opts.url);
-        url.searchParams.set('query', '{ __typename }');
-
-        const res = await fetchFn(url.toString());
+        const res = await fetchFn(opts.url, {
+          method: 'POST',
+          headers: {
+            'content-type': 'application/json',
+          },
+          body: JSON.stringify({ query: '{ __typename }' }),
+        });
         assert('Status code', res.status).toBe(200);
         assert(
           'Content-Type header',
@@ -113,10 +116,13 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
       },
     ),
     audit('MUST use utf-8 encoding when responding', async () => {
-      const url = new URL(opts.url);
-      url.searchParams.set('query', '{ __typename }');
-
-      const res = await fetchFn(url.toString());
+      const res = await fetchFn(opts.url, {
+        method: 'POST',
+        headers: {
+          'content-type': 'application/json',
+        },
+        body: JSON.stringify({ query: '{ __typename }' }),
+      });
       assert('Status code', res.status).toBe(200);
 
       // has charset set to utf-8
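Review bot: In the `@@ -101` hunk the "accept is missing" audit sends only a content-type header, but a WHATWG-conformant fetch (Node's built-in one included) appends `accept: */*` to any request that has no Accept header, so unless `fetchFn` is a non-standard client the server most likely never sees a request without Accept and this audit exercises the same path as the `*/*` audit in the `@@ -82` hunk. The removed GET form had the same gap, so this is not new, but the rewrite is the moment to record it; a comment on the new `const res = await fetchFn(opts.url, {` line such as `// NOTE: standard fetch() adds 'accept: */*' when none is given; a truly header-less request needs a lower-level client` would stop the next reader from trusting the audit title. Whether the project's fetchFn is the platform fetch is not visible in this hunk, so treat this as something to confirm.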
@@ -148,13 +154,12 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
       }
     }),
     audit('MUST accept utf-8 encoding', async () => {
-      const url = new URL(opts.url);
-      url.searchParams.set('query', '{ __typename }');
-
-      const res = await fetchFn(url.toString(), {
+      const res = await fetchFn(opts.url, {
+        method: 'POST',
         headers: {
           'content-type': 'application/json; charset=utf-8',
         },
+        body: JSON.stringify({ query: '{ __typename }' }),
       });
       assert('Status code', res.status).toBe(200);
 
@@ -163,13 +168,12 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
       );
     }),
     audit('MUST assume utf-8 if encoding is unspecified', async () => {
-      const url = new URL(opts.url);
-      url.searchParams.set('query', '{ __typename }');
-
-      const res = await fetchFn(url.toString(), {
+      const res = await fetchFn(opts.url, {
+        method: 'POST',
         headers: {
           'content-type': 'application/json',
         },
+        body: JSON.stringify({ query: '{ __typename }' }),
       });
       assert('Status code', res.status).toBe(200);
 
@@ -197,7 +201,8 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
       },
     ),
     // Request GET
-    audit('MUST NOT allow executing mutations on GET requests', async () => {
+    // TODO: this is a MUST if the server supports GET requests
+    audit('MAY NOT allow executing mutations on GET requests', async () => {
       const url = new URL(opts.url);
       url.searchParams.set('query', 'mutation { __typename }');
 
@@ -525,8 +530,7 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
       },
     ),
     audit(
-      // TODO: convert to MUST after watershed
-      'SHOULD allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json',
+      'MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json',
       async () => {
         const url = new URL(opts.url);
         url.searchParams.set(
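Review bot: Relabelling the mutation-over-GET audit from MUST NOT to MAY NOT in the `@@ -197` hunk turns the one GET check with security weight into an optional warning for every server, including those that do serve GET; a server that accepts GET and executes a mutation from a query string can be driven by a plain link or image load, and under MAY that only shows up as a warning in the generated report. The TODO added on the new line already states the real rule — it is a MUST whenever the server supports GET — so the condition belongs in the audit body rather than in its title: probe with a GET carrying `query={ __typename }`, return early when the server does not accept GET at all, and otherwise keep the MUST wording and the 405 expectation (if an early return counts as a pass in `audit`, which is defined outside this hunk). The body of this audit continues past the hunk, so the exact place for the probe is not visible here. The MAY downgrades in the `@@ -525` and `@@ -544` hunks concern optional GET features and do not carry the same weight.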
@@ -544,7 +548,7 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
       },
     ),
     audit(
-      'MUST allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json',
+      'MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json',
       async () => {
         const url = new URL(opts.url);
         url.searchParams.set(
@@ -670,11 +674,15 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
     audit(
       'SHOULD use 200 status code if parameters are invalid when accepting application/json',
       async () => {
-        const url = new URL(opts.url);
-        url.searchParams.set('qeury' /* typo */, '{ __typename }');
-        const res = await fetchFn(url.toString(), {
-          method: 'GET',
-          headers: { accept: 'application/json' },
+        const res = await fetchFn(opts.url, {
+          method: 'POST',
+          headers: {
+            'content-type': 'application/json',
+            accept: 'application/json',
+          },
+          body: JSON.stringify({
+            qeury: /* typo */ '{ __typename }',
+          }),
         });
         assert('Status code', res.status).toBe(200);
       },
@@ -682,11 +690,13 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
     audit(
       'SHOULD use 200 status code on document parsing failure when accepting application/json',
       async () => {
-        const url = new URL(opts.url);
-        url.searchParams.set('query', '{');
-        const res = await fetchFn(url.toString(), {
-          method: 'GET',
-          headers: { accept: 'application/json' },
+        const res = await fetchFn(opts.url, {
+          method: 'POST',
+          headers: {
+            'content-type': 'application/json',
+            accept: 'application/json',
+          },
+          body: JSON.stringify({ query: '{' }),
         });
         assert('Status code', res.status).toBe(200);
       },
@@ -694,11 +704,15 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
     audit(
       'SHOULD use 200 status code on document validation failure when accepting application/json',
       async () => {
-        const url = new URL(opts.url);
-        url.searchParams.set('query', '{ 8f31403dfe404bccbb0e835f2629c6a7 }'); // making sure the field doesnt exist
-        const res = await fetchFn(url.toString(), {
-          method: 'GET',
-          headers: { accept: 'application/json' },
+        const res = await fetchFn(opts.url, {
+          method: 'POST',
+          headers: {
+            'content-type': 'application/json',
+            accept: 'application/json',
+          },
+          body: JSON.stringify({
+            query: '{ 8f31403dfe404bccbb0e835f2629c6a7 }', // making sure the field doesnt exist
+          }),
         });
         assert('Status code', res.status).toBe(200);
       },
@@ -755,11 +769,15 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
       // TODO: convert to MUST after watershed
       'SHOULD use 4xx or 5xx status codes if parameters are invalid when accepting application/graphql-response+json',
       async () => {
-        const url = new URL(opts.url);
-        url.searchParams.set('qeury' /* typo */, '{ __typename }');
-        const res = await fetchFn(url.toString(), {
-          method: 'GET',
-          headers: { accept: 'application/graphql-response+json' },
+        const res = await fetchFn(opts.url, {
+          method: 'POST',
+          headers: {
+            'content-type': 'application/json',
+            accept: 'application/graphql-response+json',
+          },
+          body: JSON.stringify({
+            qeury /* typo */: '{ __typename }',
+          }),
         });
         assert('Status code', res.status).toBeGreaterThanOrEqual(400);
         assert('Status code', res.status).toBeLessThanOrEqual(599);
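Review bot: The deliberate-typo marker in the `@@ -755` hunk is written `qeury /* typo */: '{ __typename }'`, between key and colon, while the `@@ -670`, `@@ -768` and `@@ -780` hunks write the same body as `qeury: /* typo */ '{ __typename }'`; both are valid, but a reader scanning for the misspelled key will take the odd one for a different construct. Change the line to `qeury: /* typo */ '{ __typename }',` so all four invalid-parameter audits read alike.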
@@ -768,11 +786,15 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
     audit(
       'SHOULD use 400 status code if parameters are invalid when accepting application/graphql-response+json',
       async () => {
-        const url = new URL(opts.url);
-        url.searchParams.set('qeury' /* typo */, '{ __typename }');
-        const res = await fetchFn(url.toString(), {
-          method: 'GET',
-          headers: { accept: 'application/graphql-response+json' },
+        const res = await fetchFn(opts.url, {
+          method: 'POST',
+          headers: {
+            'content-type': 'application/json',
+            accept: 'application/graphql-response+json',
+          },
+          body: JSON.stringify({
+            qeury: /* typo */ '{ __typename }',
+          }),
         });
         assert('Status code', res.status).toBe(400);
       },
@@ -780,11 +802,15 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
     audit(
       'SHOULD not contain the data entry if parameters are invalid when accepting application/graphql-response+json',
       async () => {
-        const url = new URL(opts.url);
-        url.searchParams.set('qeury' /* typo */, '{ __typename }');
-        const res = await fetchFn(url.toString(), {
-          method: 'GET',
-          headers: { accept: 'application/graphql-response+json' },
+        const res = await fetchFn(opts.url, {
+          method: 'POST',
+          headers: {
+            'content-type': 'application/json',
+            accept: 'application/graphql-response+json',
+          },
+          body: JSON.stringify({
+            qeury: /* typo */ '{ __typename }',
+          }),
         });
         assert(
           'Data entry',
@@ -796,11 +822,15 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
       // TODO: convert to MUST after watershed
       'SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json',
       async () => {
-        const url = new URL(opts.url);
-        url.searchParams.set('query', '{');
-        const res = await fetchFn(url.toString(), {
-          method: 'GET',
-          headers: { accept: 'application/graphql-response+json' },
+        const res = await fetchFn(opts.url, {
+          method: 'POST',
+          headers: {
+            'content-type': 'application/json',
+            accept: 'application/graphql-response+json',
+          },
+          body: JSON.stringify({
+            query: '{',
+          }),
         });
         assert('Status code', res.status).toBeGreaterThanOrEqual(400);
         assert('Status code', res.status).toBeLessThanOrEqual(599);
@@ -809,11 +839,15 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
     audit(
       'SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json',
       async () => {
-        const url = new URL(opts.url);
-        url.searchParams.set('query', '{');
-        const res = await fetchFn(url.toString(), {
-          method: 'GET',
-          headers: { accept: 'application/graphql-response+json' },
+        const res = await fetchFn(opts.url, {
+          method: 'POST',
+          headers: {
+            'content-type': 'application/json',
+            accept: 'application/graphql-response+json',
+          },
+          body: JSON.stringify({
+            query: '{',
+          }),
         });
         assert('Status code', res.status).toBe(400);
       },
@@ -821,11 +855,15 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
     audit(
       'SHOULD not contain the data entry on document parsing failure when accepting application/graphql-response+json',
       async () => {
-        const url = new URL(opts.url);
-        url.searchParams.set('query', '{');
-        const res = await fetchFn(url.toString(), {
-          method: 'GET',
-          headers: { accept: 'application/graphql-response+json' },
+        const res = await fetchFn(opts.url, {
+          method: 'POST',
+          headers: {
+            'content-type': 'application/json',
+            accept: 'application/graphql-response+json',
+          },
+          body: JSON.stringify({
+            query: '{',
+          }),
         });
         assert(
           'Data entry',
@@ -837,11 +875,15 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
       // TODO: convert to MUST after watershed
       'SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json',
       async () => {
-        const url = new URL(opts.url);
-        url.searchParams.set('query', '{ 8f31403dfe404bccbb0e835f2629c6a7 }'); // making sure the field doesnt exist
-        const res = await fetchFn(url.toString(), {
-          method: 'GET',
-          headers: { accept: 'application/graphql-response+json' },
+        const res = await fetchFn(opts.url, {
+          method: 'POST',
+          headers: {
+            'content-type': 'application/json',
+            accept: 'application/graphql-response+json',
+          },
+          body: JSON.stringify({
+            query: '{ 8f31403dfe404bccbb0e835f2629c6a7 }', // making sure the field doesnt exist
+          }),
         });
         assert('Status code', res.status).toBeGreaterThanOrEqual(400);
         assert('Status code', res.status).toBeLessThanOrEqual(599);
@@ -850,11 +892,15 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
     audit(
       'SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json',
       async () => {
-        const url = new URL(opts.url);
-        url.searchParams.set('query', '{ 8f31403dfe404bccbb0e835f2629c6a7 }'); // making sure the field doesnt exist
-        const res = await fetchFn(url.toString(), {
-          method: 'GET',
-          headers: { accept: 'application/graphql-response+json' },
+        const res = await fetchFn(opts.url, {
+          method: 'POST',
+          headers: {
+            'content-type': 'application/json',
+            accept: 'application/graphql-response+json',
+          },
+          body: JSON.stringify({
+            query: '{ 8f31403dfe404bccbb0e835f2629c6a7 }', // making sure the field doesnt exist
+          }),
         });
         assert('Status code', res.status).toBe(400);
       },
@@ -862,11 +908,15 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
     audit(
       'SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json',
       async () => {
-        const url = new URL(opts.url);
-        url.searchParams.set('query', '{ 8f31403dfe404bccbb0e835f2629c6a7 }'); // making sure the field doesnt exist
-        const res = await fetchFn(url.toString(), {
-          method: 'GET',
-          headers: { accept: 'application/graphql-response+json' },
+        const res = await fetchFn(opts.url, {
+          method: 'POST',
+          headers: {
+            'content-type': 'application/json',
+            accept: 'application/graphql-response+json',
+          },
+          body: JSON.stringify({
+            query: '{ 8f31403dfe404bccbb0e835f2629c6a7 }', // making sure the field doesnt exist
+          }),
         });
         assert(
           'Data entry',

From d3f800d598ebf9ddab4cff01c061e07df7c171d5 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Tue, 15 Nov 2022 09:20:56 +0000
Subject: [PATCH 2/3] docs(implementations): audit report [skip ci]

---
 implementations/apollo-server/README.md | 134 ++++++++--------
 implementations/express-graphql/README.md | 83 +++++-----
 implementations/graph-client/README.md | 6 +-
 implementations/graphql-helix/README.md | 6 +-
 implementations/graphql-yoga/README.md | 6 +-
 implementations/hotchocolate/README.md | 6 +-
 implementations/mercurius/README.md | 6 +-
 implementations/thegraph/README.md | 178 +++++++++++-----------
 8 files changed, 202 insertions(+), 223 deletions(-)

diff --git a/implementations/apollo-server/README.md b/implementations/apollo-server/README.md
index 3214c561..03a3c97c 100644
--- a/implementations/apollo-server/README.md
+++ b/implementations/apollo-server/README.md
@@ -3,61 +3,63 @@ _* This report was auto-generated by graphql-http_ # GraphQL over HTTP audit report - **73** audits in total -- ✅ **32** pass -- ⚠️ **37** warnings (optional) -- ❌ **4** errors (required) +- ✅ **35** pass +- ⚠️ **38** warnings (optional) ## Passing -1. MUST accept utf-8 encoding -2. MUST assume utf-8 if encoding is unspecified -3. MUST accept POST requests -4. SHOULD respond with 4xx status code if content-type is not supplied on POST requests -5. MUST accept application/json POST requests -6. MUST require a request body on POST -7. SHOULD use 400 status code on missing {query} parameter when accepting application/graphql-response+json -8. SHOULD use 400 status code on object {query} parameter when accepting application/graphql-response+json -9. SHOULD use 400 status code on number {query} parameter when accepting application/graphql-response+json -10. SHOULD use 400 status code on boolean {query} parameter when accepting application/graphql-response+json -11. SHOULD use 400 status code on array {query} parameter when accepting application/graphql-response+json -12. SHOULD allow string {query} parameter when accepting application/graphql-response+json -13. MUST allow string {query} parameter when accepting application/json -14. SHOULD allow string {operationName} parameter when accepting application/graphql-response+json -15. MUST allow string {operationName} parameter when accepting application/json -16. SHOULD use 400 status code on string {variables} parameter when accepting application/graphql-response+json -17. SHOULD allow map {variables} parameter when accepting application/graphql-response+json -18. MUST allow map {variables} parameter when accepting application/json -19. SHOULD use 400 status code on string {extensions} parameter when accepting application/graphql-response+json -20. SHOULD allow map {extensions} parameter when accepting application/graphql-response+json -21. 
MUST allow map {extensions} parameter when accepting application/json -22. SHOULD use 4xx or 5xx status codes on JSON parsing failure when accepting application/graphql-response+json -23. SHOULD use 400 status code on JSON parsing failure when accepting application/graphql-response+json -24. SHOULD use 4xx or 5xx status codes if parameters are invalid when accepting application/graphql-response+json -25. SHOULD use 400 status code if parameters are invalid when accepting application/graphql-response+json -26. SHOULD not contain the data entry if parameters are invalid when accepting application/graphql-response+json -27. SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json -28. SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json -29. SHOULD not contain the data entry on document parsing failure when accepting application/graphql-response+json -30. SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json -31. SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json -32. SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json +1. SHOULD accept application/graphql-response+json and match the content-type +2. MUST accept application/json and match the content-type +3. MUST use utf-8 encoding when responding +4. MUST accept utf-8 encoding +5. MUST assume utf-8 if encoding is unspecified +6. MUST accept POST requests +7. SHOULD respond with 4xx status code if content-type is not supplied on POST requests +8. MUST accept application/json POST requests +9. MUST require a request body on POST +10. SHOULD use 400 status code on missing {query} parameter when accepting application/graphql-response+json +11. 
SHOULD use 400 status code on object {query} parameter when accepting application/graphql-response+json +12. SHOULD use 400 status code on number {query} parameter when accepting application/graphql-response+json +13. SHOULD use 400 status code on boolean {query} parameter when accepting application/graphql-response+json +14. SHOULD use 400 status code on array {query} parameter when accepting application/graphql-response+json +15. SHOULD allow string {query} parameter when accepting application/graphql-response+json +16. MUST allow string {query} parameter when accepting application/json +17. SHOULD allow string {operationName} parameter when accepting application/graphql-response+json +18. MUST allow string {operationName} parameter when accepting application/json +19. SHOULD use 400 status code on string {variables} parameter when accepting application/graphql-response+json +20. SHOULD allow map {variables} parameter when accepting application/graphql-response+json +21. MUST allow map {variables} parameter when accepting application/json +22. SHOULD use 400 status code on string {extensions} parameter when accepting application/graphql-response+json +23. SHOULD allow map {extensions} parameter when accepting application/graphql-response+json +24. MUST allow map {extensions} parameter when accepting application/json +25. SHOULD use 4xx or 5xx status codes on JSON parsing failure when accepting application/graphql-response+json +26. SHOULD use 400 status code on JSON parsing failure when accepting application/graphql-response+json +27. SHOULD use 4xx or 5xx status codes if parameters are invalid when accepting application/graphql-response+json +28. SHOULD use 400 status code if parameters are invalid when accepting application/graphql-response+json +29. SHOULD not contain the data entry if parameters are invalid when accepting application/graphql-response+json +30. 
SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json +31. SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json +32. SHOULD not contain the data entry on document parsing failure when accepting application/graphql-response+json +33. SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json +34. SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json +35. SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json ## Warnings The server _SHOULD_ support these, but is not required. -1. SHOULD accept application/graphql-response+json and match the content-type
+1. SHOULD accept \*/\* and use application/graphql-response+json for the content-type
``` -Status code 400 is not 200 +Content-Type header "application/json; charset=utf-8" does not contain "application/graphql-response+json" ``` -2. SHOULD accept \*/\* and use application/graphql-response+json for the content-type
+2. SHOULD assume application/graphql-response+json content-type when accept is missing
``` -Status code 400 is not 200 +Content-Type header "application/json; charset=utf-8" does not contain "application/graphql-response+json" ``` -3. SHOULD assume application/graphql-response+json content-type when accept is missing
+3. MAY accept application/x-www-form-urlencoded formatted GET requests
``` Status code 400 is not 200 ``` -4. MAY accept application/x-www-form-urlencoded formatted GET requests
+4. MAY NOT allow executing mutations on GET requests
``` -Status code 400 is not 200 +Status code 400 is not 405 ``` 5. SHOULD use 200 status code with errors field on missing {query} parameter when accepting application/json
``` @@ -139,74 +141,60 @@ Execution result {"data":{"__typename":"Query"}} does not have a property 'error ``` Execution result {"data":{"__typename":"Query"}} does not have a property 'errors' ``` -25. SHOULD allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json
+25. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json
+``` +Status code 400 is not 200 +``` +26. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json
``` Status code 400 is not 200 ``` -26. SHOULD use 400 status code on number {extensions} parameter when accepting application/graphql-response+json
+27. SHOULD use 400 status code on number {extensions} parameter when accepting application/graphql-response+json
``` Status code 200 is not 400 ``` -27. SHOULD use 400 status code on boolean {extensions} parameter when accepting application/graphql-response+json
+28. SHOULD use 400 status code on boolean {extensions} parameter when accepting application/graphql-response+json
``` Status code 200 is not 400 ``` -28. SHOULD use 400 status code on array {extensions} parameter when accepting application/graphql-response+json
+29. SHOULD use 400 status code on array {extensions} parameter when accepting application/graphql-response+json
``` Status code 200 is not 400 ``` -29. SHOULD use 200 status code with errors field on string {extensions} parameter when accepting application/json
+30. SHOULD use 200 status code with errors field on string {extensions} parameter when accepting application/json
``` Status code 400 is not 200 ``` -30. SHOULD use 200 status code with errors field on number {extensions} parameter when accepting application/json
+31. SHOULD use 200 status code with errors field on number {extensions} parameter when accepting application/json
``` Execution result {"data":{"__typename":"Query"}} does not have a property 'errors' ``` -31. SHOULD use 200 status code with errors field on boolean {extensions} parameter when accepting application/json
+32. SHOULD use 200 status code with errors field on boolean {extensions} parameter when accepting application/json
``` Execution result {"data":{"__typename":"Query"}} does not have a property 'errors' ``` -32. SHOULD use 200 status code with errors field on array {extensions} parameter when accepting application/json
+33. SHOULD use 200 status code with errors field on array {extensions} parameter when accepting application/json
``` Execution result {"data":{"__typename":"Query"}} does not have a property 'errors' ``` -33. SHOULD use 200 status code on JSON parsing failure when accepting application/json
+34. SHOULD use 200 status code on JSON parsing failure when accepting application/json
``` Status code 400 is not 200 ``` -34. SHOULD use 200 status code if parameters are invalid when accepting application/json
+35. SHOULD use 200 status code if parameters are invalid when accepting application/json
``` Status code 400 is not 200 ``` -35. SHOULD use 200 status code on document parsing failure when accepting application/json
+36. SHOULD use 200 status code on document parsing failure when accepting application/json
``` Status code 400 is not 200 ``` -36. SHOULD use 200 status code on document validation failure when accepting application/json
+37. SHOULD use 200 status code on document validation failure when accepting application/json
``` Status code 400 is not 200 ``` -37. SHOULD not contain the data entry on JSON parsing failure when accepting application/graphql-response+json
+38. SHOULD not contain the data entry on JSON parsing failure when accepting application/graphql-response+json
``` Response body is not valid JSON. Got "\n\n\n\nError\n\n\n
SyntaxError: Unexpected end of JSON input
   at JSON.parse (<anonymous>)
   at parse (/home/runner/work/graphql-http/graphql-http/node_modules/body-parser/lib/types/json.js:89:19)
   at /home/runner/work/graphql-http/graphql-http/node_modules/body-parser/lib/read.js:128:18
   at AsyncResource.runInAsyncScope (node:async_hooks:203:9)
   at invokeCallback (/home/runner/work/graphql-http/graphql-http/node_modules/raw-body/index.js:231:16)
   at done (/home/runner/work/graphql-http/graphql-http/node_modules/raw-body/index.js:220:7)
   at IncomingMessage.onEnd (/home/runner/work/graphql-http/graphql-http/node_modules/raw-body/index.js:280:7)
   at IncomingMessage.emit (node:events:513:28)
   at endReadableNT (node:internal/streams/rea... ``` -## Errors -The server _MUST_ support these. -1. MUST accept application/json and match the content-type
-``` -Status code 400 is not 200 -``` -2. MUST use utf-8 encoding when responding
-``` -Status code 400 is not 200 -``` -3. MUST NOT allow executing mutations on GET requests
-``` -Status code 400 is not 405 -``` -4. MUST allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json
-``` -Status code 400 is not 200 -``` diff --git a/implementations/express-graphql/README.md b/implementations/express-graphql/README.md index 19bc0bcb..ecd5d58c 100644 --- a/implementations/express-graphql/README.md +++ b/implementations/express-graphql/README.md 
@@ -3,47 +3,48 @@ _* This report was auto-generated by graphql-http_ # GraphQL over HTTP audit report - **73** audits in total -- ✅ **36** pass +- ✅ **38** pass - ⚠️ **35** warnings (optional) -- ❌ **2** errors (required) ## Passing 1. MUST accept application/json and match the content-type 2. MUST use utf-8 encoding when responding -3. MUST accept POST requests -4. MAY accept application/x-www-form-urlencoded formatted GET requests -5. MUST NOT allow executing mutations on GET requests -6. SHOULD respond with 4xx status code if content-type is not supplied on POST requests -7. MUST accept application/json POST requests -8. MUST require a request body on POST -9. SHOULD use 400 status code on missing {query} parameter when accepting application/graphql-response+json -10. SHOULD use 400 status code on object {query} parameter when accepting application/graphql-response+json -11. SHOULD use 400 status code on number {query} parameter when accepting application/graphql-response+json -12. SHOULD use 400 status code on boolean {query} parameter when accepting application/graphql-response+json -13. SHOULD use 400 status code on array {query} parameter when accepting application/graphql-response+json -14. SHOULD allow string {query} parameter when accepting application/graphql-response+json -15. MUST allow string {query} parameter when accepting application/json -16. SHOULD allow string {operationName} parameter when accepting application/graphql-response+json -17. MUST allow string {operationName} parameter when accepting application/json -18. SHOULD use 400 status code on string {variables} parameter when accepting application/graphql-response+json -19. SHOULD allow map {variables} parameter when accepting application/graphql-response+json -20. MUST allow map {variables} parameter when accepting application/json -21. SHOULD allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json -22. 
MUST allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json -23. SHOULD allow map {extensions} parameter when accepting application/graphql-response+json -24. MUST allow map {extensions} parameter when accepting application/json -25. SHOULD use 4xx or 5xx status codes on JSON parsing failure when accepting application/graphql-response+json -26. SHOULD use 400 status code on JSON parsing failure when accepting application/graphql-response+json -27. SHOULD not contain the data entry on JSON parsing failure when accepting application/graphql-response+json -28. SHOULD use 4xx or 5xx status codes if parameters are invalid when accepting application/graphql-response+json -29. SHOULD use 400 status code if parameters are invalid when accepting application/graphql-response+json -30. SHOULD not contain the data entry if parameters are invalid when accepting application/graphql-response+json -31. SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json -32. SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json -33. SHOULD not contain the data entry on document parsing failure when accepting application/graphql-response+json -34. SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json -35. SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json -36. SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json +3. MUST accept utf-8 encoding +4. MUST assume utf-8 if encoding is unspecified +5. MUST accept POST requests +6. MAY accept application/x-www-form-urlencoded formatted GET requests +7. MAY NOT allow executing mutations on GET requests +8. SHOULD respond with 4xx status code if content-type is not supplied on POST requests +9. 
MUST accept application/json POST requests +10. MUST require a request body on POST +11. SHOULD use 400 status code on missing {query} parameter when accepting application/graphql-response+json +12. SHOULD use 400 status code on object {query} parameter when accepting application/graphql-response+json +13. SHOULD use 400 status code on number {query} parameter when accepting application/graphql-response+json +14. SHOULD use 400 status code on boolean {query} parameter when accepting application/graphql-response+json +15. SHOULD use 400 status code on array {query} parameter when accepting application/graphql-response+json +16. SHOULD allow string {query} parameter when accepting application/graphql-response+json +17. MUST allow string {query} parameter when accepting application/json +18. SHOULD allow string {operationName} parameter when accepting application/graphql-response+json +19. MUST allow string {operationName} parameter when accepting application/json +20. SHOULD use 400 status code on string {variables} parameter when accepting application/graphql-response+json +21. SHOULD allow map {variables} parameter when accepting application/graphql-response+json +22. MUST allow map {variables} parameter when accepting application/json +23. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json +24. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json +25. SHOULD allow map {extensions} parameter when accepting application/graphql-response+json +26. MUST allow map {extensions} parameter when accepting application/json +27. SHOULD use 4xx or 5xx status codes on JSON parsing failure when accepting application/graphql-response+json +28. SHOULD use 400 status code on JSON parsing failure when accepting application/graphql-response+json +29. SHOULD not contain the data entry on JSON parsing failure when accepting application/graphql-response+json +30. 
SHOULD use 4xx or 5xx status codes if parameters are invalid when accepting application/graphql-response+json +31. SHOULD use 400 status code if parameters are invalid when accepting application/graphql-response+json +32. SHOULD not contain the data entry if parameters are invalid when accepting application/graphql-response+json +33. SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json +34. SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json +35. SHOULD not contain the data entry on document parsing failure when accepting application/graphql-response+json +36. SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json +37. SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json +38. SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json ## Warnings The server _SHOULD_ support these, but is not required. @@ -188,13 +189,3 @@ Status code 400 is not 200 Status code 400 is not 200 ``` -## Errors -The server _MUST_ support these. -1. MUST accept utf-8 encoding
-``` -Status code 400 is not 200 -``` -2. MUST assume utf-8 if encoding is unspecified
-``` -Status code 400 is not 200 -``` diff --git a/implementations/graph-client/README.md b/implementations/graph-client/README.md index e165d9ba..7bbb51e5 100644 --- a/implementations/graph-client/README.md +++ b/implementations/graph-client/README.md @@ -15,7 +15,7 @@ _* This report was auto-generated by graphql-http_ 7. MUST assume utf-8 if encoding is unspecified 8. MUST accept POST requests 9. MAY accept application/x-www-form-urlencoded formatted GET requests -10. MUST NOT allow executing mutations on GET requests +10. MAY NOT allow executing mutations on GET requests 11. SHOULD respond with 4xx status code if content-type is not supplied on POST requests 12. MUST accept application/json POST requests 13. MUST require a request body on POST @@ -51,8 +51,8 @@ _* This report was auto-generated by graphql-http_ 43. SHOULD use 200 status code with errors field on array {variables} parameter when accepting application/json 44. SHOULD allow map {variables} parameter when accepting application/graphql-response+json 45. MUST allow map {variables} parameter when accepting application/json -46. SHOULD allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json -47. MUST allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json +46. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json +47. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json 48. SHOULD use 400 status code on string {extensions} parameter when accepting application/graphql-response+json 49. SHOULD use 400 status code on number {extensions} parameter when accepting application/graphql-response+json 50. SHOULD use 400 status code on boolean {extensions} parameter when accepting application/graphql-response+json 
diff --git a/implementations/graphql-helix/README.md b/implementations/graphql-helix/README.md index d1bd501a..da1c67dd 100644 --- a/implementations/graphql-helix/README.md +++ b/implementations/graphql-helix/README.md @@ -12,7 +12,7 @@ _* This report was auto-generated by graphql-http_ 2. MUST use utf-8 encoding when responding 3. MUST accept POST requests 4. MAY accept application/x-www-form-urlencoded formatted GET requests -5. MUST NOT allow executing mutations on GET requests +5. MAY NOT allow executing mutations on GET requests 6. SHOULD respond with 4xx status code if content-type is not supplied on POST requests 7. MUST accept application/json POST requests 8. MUST require a request body on POST @@ -32,8 +32,8 @@ _* This report was auto-generated by graphql-http_ 22. SHOULD use 400 status code on string {variables} parameter when accepting application/graphql-response+json 23. SHOULD allow map {variables} parameter when accepting application/graphql-response+json 24. MUST allow map {variables} parameter when accepting application/json -25. SHOULD allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json -26. MUST allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json +25. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json +26. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json 27. SHOULD allow map {extensions} parameter when accepting application/graphql-response+json 28. MUST allow map {extensions} parameter when accepting application/json 29. SHOULD use 4xx or 5xx status codes on JSON parsing failure when accepting application/graphql-response+json diff --git a/implementations/graphql-yoga/README.md b/implementations/graphql-yoga/README.md index e165d9ba..7bbb51e5 100644 --- a/implementations/graphql-yoga/README.md +++ b/implementations/graphql-yoga/README.md 
@@ -15,7 +15,7 @@ _* This report was auto-generated by graphql-http_ 7. MUST assume utf-8 if encoding is unspecified 8. MUST accept POST requests 9. MAY accept application/x-www-form-urlencoded formatted GET requests -10. MUST NOT allow executing mutations on GET requests +10. MAY NOT allow executing mutations on GET requests 11. SHOULD respond with 4xx status code if content-type is not supplied on POST requests 12. MUST accept application/json POST requests 13. MUST require a request body on POST @@ -51,8 +51,8 @@ _* This report was auto-generated by graphql-http_ 43. SHOULD use 200 status code with errors field on array {variables} parameter when accepting application/json 44. SHOULD allow map {variables} parameter when accepting application/graphql-response+json 45. MUST allow map {variables} parameter when accepting application/json -46. SHOULD allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json -47. MUST allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json +46. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json +47. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json 48. SHOULD use 400 status code on string {extensions} parameter when accepting application/graphql-response+json 49. SHOULD use 400 status code on number {extensions} parameter when accepting application/graphql-response+json 50. SHOULD use 400 status code on boolean {extensions} parameter when accepting application/graphql-response+json diff --git a/implementations/hotchocolate/README.md b/implementations/hotchocolate/README.md index e165d9ba..7bbb51e5 100644 --- a/implementations/hotchocolate/README.md +++ b/implementations/hotchocolate/README.md 
@@ -15,7 +15,7 @@ _* This report was auto-generated by graphql-http_ 7. MUST assume utf-8 if encoding is unspecified 8. MUST accept POST requests 9. MAY accept application/x-www-form-urlencoded formatted GET requests -10. MUST NOT allow executing mutations on GET requests +10. MAY NOT allow executing mutations on GET requests 11. SHOULD respond with 4xx status code if content-type is not supplied on POST requests 12. MUST accept application/json POST requests 13. MUST require a request body on POST @@ -51,8 +51,8 @@ _* This report was auto-generated by graphql-http_ 43. SHOULD use 200 status code with errors field on array {variables} parameter when accepting application/json 44. SHOULD allow map {variables} parameter when accepting application/graphql-response+json 45. MUST allow map {variables} parameter when accepting application/json -46. SHOULD allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json -47. MUST allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json +46. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json +47. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json 48. SHOULD use 400 status code on string {extensions} parameter when accepting application/graphql-response+json 49. SHOULD use 400 status code on number {extensions} parameter when accepting application/graphql-response+json 50. SHOULD use 400 status code on boolean {extensions} parameter when accepting application/graphql-response+json diff --git a/implementations/mercurius/README.md b/implementations/mercurius/README.md index ca8eec35..02a73300 100644 --- a/implementations/mercurius/README.md +++ b/implementations/mercurius/README.md 
@@ -13,7 +13,7 @@ _* This report was auto-generated by graphql-http_ 4. MUST assume utf-8 if encoding is unspecified 5. MUST accept POST requests 6. MAY accept application/x-www-form-urlencoded formatted GET requests -7. MUST NOT allow executing mutations on GET requests +7. MAY NOT allow executing mutations on GET requests 8. SHOULD respond with 4xx status code if content-type is not supplied on POST requests 9. MUST accept application/json POST requests 10. MUST require a request body on POST @@ -34,8 +34,8 @@ _* This report was auto-generated by graphql-http_ 25. SHOULD use 400 status code on array {variables} parameter when accepting application/graphql-response+json 26. SHOULD allow map {variables} parameter when accepting application/graphql-response+json 27. MUST allow map {variables} parameter when accepting application/json -28. SHOULD allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json -29. MUST allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json +28. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json +29. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json 30. SHOULD use 400 status code on string {extensions} parameter when accepting application/graphql-response+json 31. SHOULD use 400 status code on number {extensions} parameter when accepting application/graphql-response+json 32. SHOULD use 400 status code on boolean {extensions} parameter when accepting application/graphql-response+json diff --git a/implementations/thegraph/README.md b/implementations/thegraph/README.md index 35eeaefc..f67ae83c 100644 --- a/implementations/thegraph/README.md +++ b/implementations/thegraph/README.md 
@@ -4,284 +4,284 @@ _* This report was auto-generated by graphql-http_ - **73** audits in total - ✅ **7** pass -- ⚠️ **53** warnings (optional) -- ❌ **13** errors (required) +- ⚠️ **55** warnings (optional) +- ❌ **11** errors (required) ## Passing 1. MAY accept application/x-www-form-urlencoded formatted GET requests 2. SHOULD respond with 4xx status code if content-type is not supplied on POST requests -3. SHOULD allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json -4. SHOULD use 200 status code if parameters are invalid when accepting application/json -5. SHOULD use 200 status code on document parsing failure when accepting application/json -6. SHOULD use 200 status code on document validation failure when accepting application/json -7. SHOULD use 4xx or 5xx status codes on JSON parsing failure when accepting application/graphql-response+json +3. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json +4. SHOULD use 4xx or 5xx status codes on JSON parsing failure when accepting application/graphql-response+json +5. SHOULD use 4xx or 5xx status codes if parameters are invalid when accepting application/graphql-response+json +6. SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json +7. SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json ## Warnings The server _SHOULD_ support these, but is not required. 1. SHOULD accept application/graphql-response+json and match the content-type
``` -Content-Type header "text/html" does not contain "application/graphql-response+json" +Status code 404 is not 200 ``` 2. SHOULD accept \*/\* and use application/graphql-response+json for the content-type
``` -Content-Type header "text/html" does not contain "application/graphql-response+json" +Status code 404 is not 200 ``` 3. SHOULD assume application/graphql-response+json content-type when accept is missing
``` -Content-Type header "text/html" does not contain "application/graphql-response+json" +Status code 404 is not 200 ``` -4. SHOULD use 400 status code on missing {query} parameter when accepting application/graphql-response+json
+4. MAY NOT allow executing mutations on GET requests
+``` +Status code 200 is not 405 +``` +5. SHOULD use 400 status code on missing {query} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -5. SHOULD use 200 status code with errors field on missing {query} parameter when accepting application/json
+6. SHOULD use 200 status code with errors field on missing {query} parameter when accepting application/json
``` Status code 404 is not 200 ``` -6. SHOULD use 400 status code on object {query} parameter when accepting application/graphql-response+json
+7. SHOULD use 400 status code on object {query} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -7. SHOULD use 400 status code on number {query} parameter when accepting application/graphql-response+json
+8. SHOULD use 400 status code on number {query} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -8. SHOULD use 400 status code on boolean {query} parameter when accepting application/graphql-response+json
+9. SHOULD use 400 status code on boolean {query} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -9. SHOULD use 400 status code on array {query} parameter when accepting application/graphql-response+json
+10. SHOULD use 400 status code on array {query} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -10. SHOULD use 200 status code with errors field on object {query} parameter when accepting application/json
+11. SHOULD use 200 status code with errors field on object {query} parameter when accepting application/json
``` Status code 404 is not 200 ``` -11. SHOULD use 200 status code with errors field on number {query} parameter when accepting application/json
+12. SHOULD use 200 status code with errors field on number {query} parameter when accepting application/json
``` Status code 404 is not 200 ``` -12. SHOULD use 200 status code with errors field on boolean {query} parameter when accepting application/json
+13. SHOULD use 200 status code with errors field on boolean {query} parameter when accepting application/json
``` Status code 404 is not 200 ``` -13. SHOULD use 200 status code with errors field on array {query} parameter when accepting application/json
+14. SHOULD use 200 status code with errors field on array {query} parameter when accepting application/json
``` Status code 404 is not 200 ``` -14. SHOULD allow string {query} parameter when accepting application/graphql-response+json
+15. SHOULD allow string {query} parameter when accepting application/graphql-response+json
``` Status code 404 is not 200 ``` -15. SHOULD use 400 status code on object {operationName} parameter when accepting application/graphql-response+json
+16. SHOULD use 400 status code on object {operationName} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -16. SHOULD use 400 status code on number {operationName} parameter when accepting application/graphql-response+json
+17. SHOULD use 400 status code on number {operationName} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -17. SHOULD use 400 status code on boolean {operationName} parameter when accepting application/graphql-response+json
+18. SHOULD use 400 status code on boolean {operationName} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -18. SHOULD use 400 status code on array {operationName} parameter when accepting application/graphql-response+json
+19. SHOULD use 400 status code on array {operationName} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -19. SHOULD use 200 status code with errors field on object {operationName} parameter when accepting application/json
+20. SHOULD use 200 status code with errors field on object {operationName} parameter when accepting application/json
``` Status code 404 is not 200 ``` -20. SHOULD use 200 status code with errors field on number {operationName} parameter when accepting application/json
+21. SHOULD use 200 status code with errors field on number {operationName} parameter when accepting application/json
``` Status code 404 is not 200 ``` -21. SHOULD use 200 status code with errors field on boolean {operationName} parameter when accepting application/json
+22. SHOULD use 200 status code with errors field on boolean {operationName} parameter when accepting application/json
``` Status code 404 is not 200 ``` -22. SHOULD use 200 status code with errors field on array {operationName} parameter when accepting application/json
+23. SHOULD use 200 status code with errors field on array {operationName} parameter when accepting application/json
``` Status code 404 is not 200 ``` -23. SHOULD allow string {operationName} parameter when accepting application/graphql-response+json
+24. SHOULD allow string {operationName} parameter when accepting application/graphql-response+json
``` Status code 404 is not 200 ``` -24. SHOULD use 400 status code on string {variables} parameter when accepting application/graphql-response+json
+25. SHOULD use 400 status code on string {variables} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -25. SHOULD use 400 status code on number {variables} parameter when accepting application/graphql-response+json
+26. SHOULD use 400 status code on number {variables} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -26. SHOULD use 400 status code on boolean {variables} parameter when accepting application/graphql-response+json
+27. SHOULD use 400 status code on boolean {variables} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -27. SHOULD use 400 status code on array {variables} parameter when accepting application/graphql-response+json
+28. SHOULD use 400 status code on array {variables} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -28. SHOULD use 200 status code with errors field on string {variables} parameter when accepting application/json
+29. SHOULD use 200 status code with errors field on string {variables} parameter when accepting application/json
``` Status code 404 is not 200 ``` -29. SHOULD use 200 status code with errors field on number {variables} parameter when accepting application/json
+30. SHOULD use 200 status code with errors field on number {variables} parameter when accepting application/json
``` Status code 404 is not 200 ``` -30. SHOULD use 200 status code with errors field on boolean {variables} parameter when accepting application/json
+31. SHOULD use 200 status code with errors field on boolean {variables} parameter when accepting application/json
``` Status code 404 is not 200 ``` -31. SHOULD use 200 status code with errors field on array {variables} parameter when accepting application/json
+32. SHOULD use 200 status code with errors field on array {variables} parameter when accepting application/json
``` Status code 404 is not 200 ``` -32. SHOULD allow map {variables} parameter when accepting application/graphql-response+json
+33. SHOULD allow map {variables} parameter when accepting application/graphql-response+json
``` Status code 404 is not 200 ``` -33. SHOULD use 400 status code on string {extensions} parameter when accepting application/graphql-response+json
+34. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json
+``` +Response body is not valid JSON. Got "\n\n\n\nThe GraphiQL\n