Why is it allowed to send mutations using GET method?
First, thank you for the hard work in making such a great library :kudos
So I saw from the example that a mutation can be requested using the GET method:
https://github.com/graphql-go/graphql/blob/f02a1c961028d3ba7ac6bb22eaa09b31a2cb53dd/examples/crud/main.go#L136-L139
and it looks like that is by design. See line 68 below, which tries to get the query from the query string. And I can't find a way to disable the GET method.
https://github.com/graphql-go/handler/blob/f96ffdde846be75dd40541aebd1dba604f274817/handler.go#L67-L78
I am concerned that this is open to CSRF attacks when you use cookie authentication. Or am I missing something?
FYI: Apollo itself doesn't allow mutation requests via the GET method.
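One way to close the gap raised above, as an added example that is not part of graphql-go/handler or of this issue: a Go middleware that wraps the GraphQL handler and answers 405 to any GET whose document contains a top-level mutation or subscription, using a small lexer so that a keyword hidden inside a string, a comment or a nested selection set is judged the way the GraphQL grammar would. It assumes the wrapped handler reads the GET document from the `query` URL parameter, as the linked handler.go does; `HasWriteOperation` and `RejectGETMutations` are names chosen here.

```go
package main

import "net/http"
import "strings"

func isWord(c byte) bool { return c == '_' || c == '$' || 'a' <= c|0x20 && c|0x20 <= 'z' || '0' <= c && c <= '9' }

// HasWriteOperation reports whether doc defines a mutation or subscription at bracket
// depth 0, lexing comments and "plain"/"""block""" strings as the GraphQL grammar does.
func HasWriteOperation(doc string) bool {
	for i, depth := 0, 0; i < len(doc); {
		switch c := doc[i]; {
		case c == '#': // comment runs to end of line
			i += strings.IndexByte(doc[i:]+"\n", '\n')
		case c == '"': // string literal: skip past its closing quote(s)
			q := `"`
			if strings.HasPrefix(doc[i:], `"""`) {
				q = `"""`
			}
			for i += len(q); i < len(doc) && !strings.HasPrefix(doc[i:], q); i++ {
				if doc[i] == '\\' { // an escaped character can never close the string
					i++
				}
			}
			i += len(q)
		case strings.IndexByte("{(})", c) >= 0: // { and ( open a level, } and ) close one
			depth, i = depth+[]int{1, 1, -1, -1}[strings.IndexByte("{(})", c)], i+1
		case isWord(c): // name, keyword or $variable: take the whole word
			w := doc[i : i+strings.IndexFunc(doc[i:]+" ", func(r rune) bool { return r > 127 || !isWord(byte(r)) })]
			if i += len(w); depth == 0 && (w == "mutation" || w == "subscription") {
				return true
			}
		default:
			i++
		}
	}
	return false
}

// RejectGETMutations wraps a GraphQL handler (graphql-go/handler takes the GET document
// from the "query" URL parameter) and answers 405 when that document defines a write
// operation, whichever operationName is selected; such documents must arrive by POST.
func RejectGETMutations(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet && HasWriteOperation(r.URL.Query().Get("query")) {
			http.Error(w, "mutations must be sent with POST", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Refusing mutations on GET removes the link-and-image CSRF vector for cookie-authenticated users, but it does not replace a CSRF token or SameSite cookie attributes, since browsers can also send POST requests cross-site.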