Just a little context on why I am picky on Security: I work as a Developer Advocate for Mobile App and API Security.
What I see is that more often than not developers and businesses make decisions based on convenience, rather than security, and this affirmation is not targeting REST vs GraphQL directly. It seems that the huge number of data breaches is slowly changing this mindset for some, but I also observed another pattern of very big businesses treating data breaches and the resulting fines and losses as business as usual. They can afford it, but medium and small businesses can’t.
In fact, a security breach can lead a medium or small business to file for bankruptcy in the following year, or drastically reduce their revenue, due to a loss of trust from their users and a consequent move to products offered by the competition. Next time you need to make a decision, bear this in mind.
Yes, and OpenAPI specs are the most used one.
To be clear, I am not against anyone or myself using GraphQL. I just cannot stand the argument that REST APIs need an extra endpoint each time one more field needs to be returned. In my opinion, when that is the case, it is just pure bad design of the API, because I would not design such inflexible REST API endpoints for a production API.
So, each team needs to use whatever best fits their needs, but they must be aware that REST API isn’t the elephant in the room, especially for the new generation of developers, and they need to understand the risks they are accepting in terms of security when adopting a GraphQL API.
We will have to agree that we disagree here: REST APIs are easier to secure than GraphQL.
I know that some advances have been made towards securing GraphQL, but they may be costly to apply in terms of performance, but I may be wrong here.
Yes, and I admitted that in my answer when I said that it has better ergonomics, especially for frontend devs.
The query language is really a strong point in favour of GraphQL.
The same holds true for REST APIs that use OpenAPI specs.