src/content/faq/General.md
27 additions & 4 deletions
@@ -5,7 +5,7 @@ category: General
5
5
permalink: /faq/
6
6
gettingStartedQuestions: Why should I use GraphQL?,Does GraphQL replace REST?,How can I learn GraphQL?,Is GraphQL a database language like SQL?,Is GraphQL only for React or JavaScript developers?
7
7
generalQuestions: Is GraphQL frontend or backend?,Does GraphQL use HTTP?,What is a GraphQL client and why would I use one?,Where is the documentation for subscriptions?,Does GraphQL replace ORMs?,Is GraphQL owned by Facebook?,Who is behind GraphQL?,What is the GraphQL Foundation?
8
-
bestPracticesQuestions: How does GraphQL affect my product’s performance?,Does GraphQL support offline usage?,What are the security concerns with GraphQL?,How can I set up authorization with GraphQL?,How does authentication work with GraphQL?,Is GraphQL the right fit for designing a microservice architecture?,How can I document my GraphQL API?
8
+
bestPracticesQuestions: How does GraphQL affect my product’s performance?,Is GraphQL scalable?,Does GraphQL support offline usage?,What are the security concerns with GraphQL?,How can I set up authorization with GraphQL?,How does authentication work with GraphQL?,Is GraphQL the right fit for designing a microservice architecture?,How does versioning work in GraphQL?,How can I document my GraphQL API?
9
9
specificationQuestions: What is the best way to follow specification releases?,How can I contribute to the GraphQL specification?
10
10
frontendQuestions: Does GraphQL replace Redux or other state management libraries?
11
11
---
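Review bot: Adding two questions to `bestPracticesQuestions` rewrites the whole comma-separated line, which makes the change hard to review and ties each entry to an exact match with its `##` heading text, including the typographic apostrophe in "product’s". The two new entries ("Is GraphQL scalable?" and "How does versioning work in GraphQL?") do match the headings added further down and sit in the same order, so this works as written. If the front matter format allows it, a list with one question per line would turn future additions into one-line diffs and remove the risk of a question that itself contains a comma.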
@@ -60,7 +60,11 @@ Both. GraphQL specifies how you can [exchange information between client and ser
60
60
61
61
## Does GraphQL use HTTP?
62
62
63
-
<!-- TODO -->
63
+
Yes, [GraphQL is typically served over HTTP](/learn/best-practices/#http). This is largely due to
64
+
65
+
More guidelines for how to set up a GraphQL server to operate over HTTP are available in our [Serving over HTTP](/learn/serving-over-http/) documentation.
66
+
67
+
While HTTP is the most common choice for client-server protocol, it’s not the only one. GraphQL is agnostic to the transport layer. So for example, you could use [WebSockets](https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API) for GraphQL subscriptions instead of HTTP to consume realtime data.
64
68
65
69
## What is a GraphQL client and why would I use one?
66
70
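Review bot: The first added sentence under "## Does GraphQL use HTTP?" stops mid-clause: "This is largely due to" has no object, so the published answer would contain a dangling fragment. Either finish the reason or cut the sentence back to "Yes, [GraphQL is typically served over HTTP](/learn/best-practices/#http)." Since the last paragraph sends readers to WebSockets for subscriptions, a short pointer that authentication and throttling set up for the HTTP endpoint also have to be applied on that transport would fit here.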
@@ -106,7 +110,14 @@ You can find out more by visiting [foundation.graphql.org](https://foundation.gr
106
110
107
111
## How does GraphQL affect my product’s performance?
108
112
109
-
<!-- TODO -->
113
+
GraphQL is designed to be clean. Every field on every type has a focused, single-purpose function for resolving that value. Also, instead of trying to handle data parsing on the client, [GraphQL moves that logic to the server](/learn/best-practices/#server-side-batching-caching). As a result, there are some inherent performance benefits, such as minimizing over-fetching and generally making [fewer roundtrips to the server](/learn/queries/#fields) to retrieve your data.
114
+
115
+
Some additional performance considerations should be taken into account when building out your GraphQL implementation, though. For example, it’s possible for a GraphQL service to be ‘chatty’ and repeatedly load data from your database. This is commonly solved by [implementing a batching technique](/learn/best-practices/#server-side-batching-caching) or [utilizing a tool like DataLoader](https://github.com/graphql/dataloader).
116
+
117
+
## Is GraphQL scalable?
118
+
119
+
Yes, but only if you scale it. GraphQL comes with some [built-in performance boosts](#how-does-graphql-affect-my-product-s-performance) that help. Once you push it to production though, your team is responsible for scaling it across instances and monitoring performance.
120
+
110
121
111
122
## Does GraphQL support offline usage?
112
123
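Review bot: In the performance answer, "[GraphQL moves that logic to the server]" and "[implementing a batching technique]" both link to `/learn/best-practices/#server-side-batching-caching`; the first link text is about where data parsing happens, not batching, so it should point at a section that supports that claim or lose the link. The in-page link `#how-does-graphql-affect-my-product-s-performance` in the scalability answer depends on how the slug generator handles the curly apostrophe in "product’s", so check that it resolves in a built page. "Yes, but only if you scale it" is circular; the following sentences already say what the team is responsible for, so the opener can be just "Yes."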
@@ -116,7 +127,11 @@ You can find a list of GraphQL clients in various languages on our [Code page](/
116
127
117
128
## What are the security concerns with GraphQL?
118
129
119
-
<!-- TODO -->
130
+
Most of the security concerns associated with GraphQL are typical for any API or service. Think SQL injections, Denial of Service (DoS) attacks, someone abusing flawed authentication, etc. But there are also some attacks specific to GraphQL. For example, [batching attacks](https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html#batching-attacks) can occur as a result of GraphQL allowing you to batch multiple queries or requests for multiple object instances in a single network call.
131
+
132
+
No matter the concern, it’s important to be proactive. Fortunately, there are many approaches to securing your GraphQL server. Some of these approaches include using a timeout, setting a maximum depth for queries, and throttling queries based on the server time it needs to complete.
133
+
134
+
For an overview of common security concerns and how to address them, check out the [Security tutorial on How to GraphQL](https://www.howtographql.com/advanced/4-security/) and [OWASP’s GraphQL Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html).
120
135
121
136
## How can I set up authorization with GraphQL?
122
137
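Review bot: The first paragraph names batching attacks as the GraphQL-specific risk, but the mitigations listed in the second paragraph ("using a timeout, setting a maximum depth for queries, and throttling queries") do not include one that addresses batching. Add a matching control, for example limiting how many operations a single request may carry, so the answer does not raise a concern it then leaves open. Minor wording: "throttling queries based on the server time it needs to complete" should read "they need", and "SQL injections" is normally singular ("SQL injection").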
@@ -138,6 +153,14 @@ Yes, it can be. If you’re integrating GraphQL into your microservice architect
138
153
139
154
There are many ways to create an API gateway. The benefit of using GraphQL is that you can take advantage of features like [caching](/learn/caching/), request budgeting, and planning out query schedules.
140
155
156
+
## How does versioning work in GraphQL?
157
+
158
+
There’s nothing that will prevent a GraphQL service from being versioned like any other REST API. That said, GraphQL inherently avoids versioning.
159
+
160
+
Instead, GraphQL provides the tools to continually build and evolve your schema. For example, GraphQL only returns the data that’s explicitly requested. This means that you can add new features (and all of the associated types and fields) without creating a breaking change.
161
+
162
+
You can read more about [how versioning works in GraphQL](/learn/best-practices/#versioning) in our Best Practices section.
163
+
141
164
## How can I document my GraphQL API?
142
165
143
166
One of the benefits of GraphQL is that it's inherently self-documenting. This means that when you use an interactive tool like [GraphiQL](https://github.com/graphql/graphiql), you’re able to explore what data is exposed by your GraphQL API. This includes the [fields](/learn/queries/#fields), [types](/learn/schema/#type-system), and more. You can also add a [description field](https://spec.graphql.org/draft/#sec-Documentation) to provide supplementary notes about your endpoint.
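Review bot: In the versioning answer, "versioned like any other REST API" reads as if a GraphQL service were itself a REST API; "versioned just like a REST API" avoids that. The next sentence, "GraphQL inherently avoids versioning", sits awkwardly right after saying nothing prevents it; "GraphQL is designed to make versioning unnecessary" or similar would be consistent. The answer covers only additive changes ("you can add new features ... without creating a breaking change") and says nothing about removing or renaming fields, which is where breaking changes come from; a sentence on deprecating fields before removal would complete it.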