Right now the GraphQL bundle uses minimal configuration, it could be improved with:

• automatically disabling introspection in prod (https://github.com/overblog/GraphQLBundle/blob/master/docs/security/disable_introspection.md)

I think we should also at least mention in the doc (or provide some defaults in prod)

• limiting the query complexity:
  https://github.com/overblog/GraphQLBundle/blob/master/docs/security/query-complexity-analysis.md

• limiting depth:
  https://github.com/overblog/GraphQLBundle/blob/master/docs/security/limiting-query-depth.md