mirumee / ariadne-website

The code that powers Ariadne website
https://ariadnegraphql.org
BSD 3-Clause "New" or "Revised" License

Add security best practices in documentation #133

Closed LMaxence closed 1 year ago

LMaxence commented 1 year ago

Hello!

I am a Lead Developer at Escape, where we run a GraphQL security testing tool. We strongly believe in the importance of making web applications secure and strive to make security best practices as easy as possible to be aware of and to set up.

We have been looking at the Ariadne engine for a long time, and we tried to enhance its documentation with our knowledge of GraphQL security measures. These improvements include presentations of vulnerabilities, possible exploits, and mitigation code samples for the Ariadne engine. We started with stack trace disclosure and field suggestions.

In addition, we are aware of an issue in most GraphQL parsers which can lead to the engine being overloaded and the CPU throttling. To prevent this from impacting server performance, it is recommended to configure a lexer token limit at the parser level. This problem was mitigated for graphql-js. As this is a problem located at the parser's level, we have not included it in the documentation yet. We would encourage you to check it out with the folks from graphql-core.

Finally, we have noticed that @rafalp is assigned to most docs-related MRs and would appreciate his feedback. We would be grateful for any advice you can provide :)

Thanks for this tool, and have a great day!

Maxence and @c3b5aw
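Added example, not part of this issue, of the contributed docs, or of Ariadne's own code: the two mitigations named in the comment above (hiding stack traces and stripping "Did you mean ...?" field suggestions) written as a single error formatter in the shape Ariadne's `error_formatter` option takes (a callable of `(error, debug)` returning a dict). It assumes the error object exposes graphql-core's `GraphQLError.formatted` dict and `original_error` attribute, that Ariadne's default formatter places the stack trace under the `exception` extension when `debug=True`, and that graphql-core phrases suggestions as a trailing "Did you mean ...?" sentence. The `FakeGraphQLError` class and all messages are constructed for the example so it runs without a schema or server; the parser-level token limit from the third paragraph is not covered, since it lives in graphql-core rather than in Ariadne's error path.

```python
import re
from typing import Any, Dict, Optional

try:
    from graphql import GraphQLError  # graphql-core, the parser Ariadne builds on
except ImportError:  # keep the example importable where graphql-core is absent
    GraphQLError = None  # type: ignore[assignment,misc]

# Assumed suffix graphql-core appends to validation errors, for example:
# "Cannot query field 'emial' on type 'User'. Did you mean 'email'?"
_SUGGESTION_RE = re.compile(r"\s*Did you mean\b.*$", re.DOTALL)

GENERIC_MESSAGE = "Internal server error"


def scrub_formatted_error(formatted: Dict[str, Any], *, debug: bool = False,
                          internal: bool = False) -> Dict[str, Any]:
    """Return a client-safe copy of a formatted GraphQL error.

    `formatted` has the shape of graphql-core's GraphQLError.formatted
    (message, locations, path, extensions). With debug=False:
      * the "exception" extension, where Ariadne's default format_error puts
        the stack trace and resolver context, is dropped;
      * "Did you mean ...?" field suggestions are cut from the message;
      * errors raised by resolvers (internal=True) get a generic message so
        exception text (file paths, SQL, hostnames) is never echoed back.
    With debug=True the error passes through untouched, so local development
    keeps the full detail.
    """
    out = dict(formatted)
    if debug:
        return out

    extensions = dict(out.get("extensions") or {})
    extensions.pop("exception", None)
    if extensions:
        out["extensions"] = extensions
    else:
        out.pop("extensions", None)

    if internal:
        out["message"] = GENERIC_MESSAGE
    else:
        out["message"] = _SUGGESTION_RE.sub("", out.get("message", ""))
    return out


def hardened_error_formatter(error: Any, debug: bool = False) -> Dict[str, Any]:
    """Drop-in value for Ariadne's `error_formatter` option.

    Ariadne calls error_formatter(error, debug) once per GraphQLError. Only two
    attributes of the error are used: `.formatted` (the dict scrubbed above) and
    `.original_error` (the exception a resolver raised; None for parse and
    validation errors). An original error that is itself a GraphQLError was
    raised on purpose, so its message is kept; anything else is treated as an
    unexpected internal failure.
    """
    original = getattr(error, "original_error", None)
    deliberate = GraphQLError is not None and isinstance(original, GraphQLError)
    internal = original is not None and not deliberate
    return scrub_formatted_error(error.formatted, debug=debug, internal=internal)


class FakeGraphQLError:
    """Constructed stand-in exposing the two GraphQLError attributes used above,
    so the formatter can be exercised without a schema or a running server."""

    def __init__(self, formatted: Dict[str, Any],
                 original_error: Optional[BaseException] = None):
        self.formatted = formatted
        self.original_error = original_error


if __name__ == "__main__":
    # Wiring into Ariadne (not executed here):
    #   from ariadne.asgi import GraphQL
    #   app = GraphQL(schema, debug=False, error_formatter=hardened_error_formatter)
    leaked = FakeGraphQLError(
        {
            "message": 'relation "users" does not exist',
            "path": ["me"],
            "extensions": {"exception": {"stacktrace": ["Traceback ..."], "context": {}}},
        },
        original_error=RuntimeError('relation "users" does not exist'),
    )
    print(hardened_error_formatter(leaked, debug=False))
```

The formatter keeps `locations` and `path` intact so clients can still pin errors to a field, and it leaves any other extension (such as an application `code`) in place; only the `exception` payload and the suggestion suffix are removed. Keep `debug=False` in production regardless of the formatter: Ariadne only attaches the stack trace when debug is on, so the formatter is the second line of defence rather than the first.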

rafalp commented 1 year ago

Hello, thank you for opening this. It's great to add a security guide for the devs. :)

> We would encourage you to check it out with the folks from graphql-core.

Why not do this yourself? It's a great issue to raise there and you have more knowledge on the matter than I do.

continuous-security-testing.md

Would it be ok to make the OS option the top of the list? We are an OS project so it feels only right to also point people to OS options first. :)

LMaxence commented 1 year ago

Hello @rafalp, I just made the change you wanted me to :)

graphql.security is the first item in the list we shared

rafalp commented 1 year ago

Thank you for contributing this.