It should be documented that GraphQL endpoints providing mutations must be protected against CSRF attacks, and how this can be achieved. Maybe pyramid.csrf be combined with webob-graphql?