Tags: node.js, reactjs, graphql, cors, apollo

Will keeping mutations involving data creation/modification/deletion in GraphQL server code be a security issue?


I have a public React JS website which makes requests to my Node server using CORS (only allowing the domain of my website). My website just fetches GraphQL queries from the frontend, but my Node server code does have GraphQL mutations like adding or deleting content. So, does this make my database insecure even though CORS allows only my website, which has no mutations?


Solution

  • The same-origin policy and CORS are only enforced by web browsers, and even then they can be disabled by individual users. You need to implement proper authentication and authorization for your server application in order to prevent unauthorized access to restricted fields like those on your Mutation type or other fields that may contain private or sensitive data that should not be exposed to all users.
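The following is an added example, not code from the question or the answer above: an Apollo-style resolver map where every Mutation field is gated by an authorization check derived from the request's Authorization header, so the server stays protected whether or not the browser enforced CORS. The session store, tokens, roles and `requireRole` helper are constructed for this demo.

```javascript
// Constructed session store: bearer token -> identity. A real server would
// validate a JWT or look up a session in a database instead.
const SESSIONS = new Map([
  ['tok-editor-1', { userId: 'u1', roles: ['editor'] }],
  ['tok-reader-2', { userId: 'u2', roles: ['reader'] }],
]);

// Mirrors Apollo's `context: ({ req }) => ...`. Identity comes only from the
// Authorization header; the Origin header is client-controlled and is never
// used as a trust signal here.
function buildContext(req) {
  const header = (req.headers && req.headers.authorization) || '';
  const [scheme, token] = header.split(' ');
  const session = scheme === 'Bearer' ? SESSIONS.get(token) : undefined;
  return { user: session || null };
}

class AuthError extends Error {}

// Wrap a resolver so it runs only for authenticated callers holding `role`.
function requireRole(role, resolver) {
  return (parent, args, ctx, info) => {
    if (!ctx.user) throw new AuthError('UNAUTHENTICATED');
    if (!ctx.user.roles.includes(role)) throw new AuthError('FORBIDDEN');
    return resolver(parent, args, ctx, info);
  };
}

// Constructed in-memory data in place of a database.
const posts = new Map([['p1', { id: 'p1', title: 'hello' }]]);

const resolvers = {
  Query: {
    post: (_, { id }) => posts.get(id) || null,
  },
  Mutation: {
    // The gate lives server-side, so it holds even for non-browser clients.
    deletePost: requireRole('editor', (_, { id }) => posts.delete(id)),
  },
};

// Simulate one request end to end: headers -> context -> resolver.
function runDelete(headers, id) {
  const ctx = buildContext({ headers });
  try {
    return { ok: resolvers.Mutation.deletePost(null, { id }, ctx, {}) };
  } catch (e) {
    if (e instanceof AuthError) return { error: e.message };
    throw e;
  }
}
```

A request carrying only a matching `Origin` header is rejected as unauthenticated, a reader token is rejected as forbidden, and only an editor token deletes the post.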