Is CSRF mitigation necessary when using plug sessions/cookies for auth with Absinthe?

CSRF protection is recommended for all web request types. It does not matter that the payload is a GraphQL message. By default tokens can be re-used. A typical SPA would use the token received in its initial page load for all requests until that page is refreshed again.

5 Likes
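The token reuse described in the answer above, sketched from the client side as an added example that is not part of the original thread. It assumes the server runs `Plug.CSRFProtection` in front of Absinthe and renders the token into a `<meta name="csrf-token">` tag on the initial page; the `/api/graphql` path, the sample page and the stub server are constructed for illustration.

```javascript
// Added example; /api/graphql, SAMPLE_PAGE and fakeServer are assumptions.

// Read the token the server embedded in the initial page load.
// Takes an HTML string so it also runs outside a browser.
function readCsrfToken(html) {
  const m = /<meta\s+name="csrf-token"\s+content="([^"]+)"/i.exec(html);
  if (!m) throw new Error("no csrf-token meta tag in page");
  return m[1];
}

// Build a GraphQL client that attaches the same token to every request.
// `transport` has the shape of fetch(url, init); in a browser pass fetch.
function createGraphqlClient(token, transport, url = "/api/graphql") {
  return async function request(query, variables = {}) {
    const res = await transport(url, {
      method: "POST",
      credentials: "same-origin", // session cookie goes to our own origin only
      headers: {
        "content-type": "application/json",
        "x-csrf-token": token, // header that Plug.CSRFProtection checks
      },
      body: JSON.stringify({ query, variables }),
    });
    if (!res.ok) throw new Error(`GraphQL request rejected: HTTP ${res.status}`);
    return res.json();
  };
}

// Constructed stand-in for the server: accepts only the expected token.
function fakeServer(expectedToken, seen) {
  return async (_url, init) => {
    seen.push(init.headers["x-csrf-token"]);
    const ok = init.headers["x-csrf-token"] === expectedToken;
    return { ok, status: ok ? 200 : 403, json: async () => ({ data: { ok: true } }) };
  };
}

const SAMPLE_PAGE =
  '<html><head><meta name="csrf-token" content="constructed-token-123"></head></html>';

// Two requests reuse one token; a request without the token is refused.
async function demo() {
  const seen = [];
  const token = readCsrfToken(SAMPLE_PAGE);
  const gql = createGraphqlClient(token, fakeServer(token, seen));
  await gql("{ me { id } }");
  await gql("mutation { logout }");
  const noToken = createGraphqlClient("", fakeServer(token, seen));
  const rejected = await noToken("{ me { id } }").then(() => false, () => true);
  return { seen, rejected };
}
```

In a browser the token would come from `document.querySelector('meta[name="csrf-token"]').content` and `transport` would be `fetch`.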