May 31, 2023
GraphQL is actually MORE vulnerable! Had this conversation with Lee Byron, the creator of GraphQL, back in 2015 (https://flic.kr/p/24LQXqp). GraphQL uses massive numbers of external redirects for 'knitting' (not internal redirects), making it:
- extremely slow
- vulnerable to listeners/MITM/token capture/etc
Rather than using the existing request/response/token (like CORS does) to redirect internally, it drops threads, goes outside the DMZ, recreates the request/response and then calls a separate endpoint.