Server and OWASP

We have an Apollo GraphQL server that sits behind an Azure gateway. The gateway applies a large number of standard OWASP rules, which it applies to the body of the GraphQL query POST.

Due to the data in the GraphQL POST, many OWASP rules get triggered that are false positives.

The question is: should the OWASP rules be applied to the body of the POST? I don't believe there is a risk of OWASP-type attacks contained in the body of a GraphQL POST, but how can I be sure?