
Having the JWT token required for every request to the API, should I keep CSRF protection? Considering no one has access to others' JWT token, of course.

If yes, how could I get the CSRF token, since I don't use Django templates (I'm using Vue separately)?

If not, is it OK to completely delete the CSRF middleware from settings?

Thanks in advance.

2 Answers


If you are storing the JWT in localStorage, you are not vulnerable to CSRF because localStorage cannot be accessed across domains. You should be aware, however, that there is debate as to whether it is wise to keep a JWT in localStorage, since it can be stolen if you fall victim to XSS. The alternative is to store the token in an httpOnly cookie, in which case you must use CSRF protection.


If you're using Django, csrf_token will be in your site cookies. You can access it from cookies and pass it along with the request.

1 Comment

I'm not using Django templates at all; I don't have cookies or sessions from Django's middleware. The authentication is simply taking the JWT token from (default: api-token-auth) and storing it in localStorage for further requests, that's all, no cookies involved. But now when I'm using django-rest-framework views to post data, it requires the CSRF token (isn't the JWT token enough already?)
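What this answer suggests, as an added client-side example (not code from the answer or from Django): read the `csrftoken` cookie with plain JavaScript and send it back in the `X-CSRFToken` header, alongside the JWT from localStorage. It uses Django's default cookie and header names. The localStorage key `jwt`, the cookie string used for the demo and the injectable `storage`/`cookieString` parameters are assumptions made so the helpers can be exercised outside a browser; the Authorization prefix is a parameter because djangorestframework-jwt expects `JWT` by default while Simple JWT expects `Bearer`.

```javascript
// Added example: browser helpers for a Vue (or any) SPA talking to a Django/DRF API.
// Defaults match Django: cookie "csrftoken", header "X-CSRFToken".

// Parse one cookie out of a "k=v; k2=v2" string (document.cookie by default).
// Returns null when the cookie is absent. Values are URL-decoded, and a value
// may itself contain '=' characters.
function getCookie(name, cookieString) {
  const source = cookieString !== undefined
    ? cookieString
    : (typeof document !== 'undefined' ? document.cookie : '');
  for (const part of source.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    const key = eq === -1 ? trimmed : trimmed.slice(0, eq);
    if (key === name) return eq === -1 ? '' : decodeURIComponent(trimmed.slice(eq + 1));
  }
  return null;
}

// Build the init object for fetch(). `storage` and `cookieString` are only there
// so the function can run outside a browser; in the app call it with no options.
function buildRequestInit(method, body, { storage, cookieString, authPrefix = 'JWT' } = {}) {
  const store = storage
    || (typeof localStorage !== 'undefined' ? localStorage : { getItem: () => null });
  const headers = { 'Content-Type': 'application/json' };

  const jwt = store.getItem('jwt'); // assumption: the app stored the token under "jwt"
  if (jwt) headers.Authorization = `${authPrefix} ${jwt}`;

  // Only present if the server has set it (e.g. a view decorated with
  // django.views.decorators.csrf.ensure_csrf_cookie); harmless to omit otherwise.
  const csrf = getCookie('csrftoken', cookieString);
  if (csrf) headers['X-CSRFToken'] = csrf;

  return {
    method,
    headers,
    body: body === undefined ? undefined : JSON.stringify(body),
    credentials: 'same-origin', // let the browser send the csrftoken/session cookies
  };
}

// Usage in the app: fetch('/api/items/', buildRequestInit('POST', { name: 'x' }))
```

Two practical notes. The cookie is only readable if Django actually set it; with no template rendering `{% csrf_token %}`, decorate at least one view (for example the login/obtain-token endpoint) with `ensure_csrf_cookie`, or the header will never be populated. Also, DRF enforces CSRF only when a request is authenticated by `SessionAuthentication`, which is in the default `DEFAULT_AUTHENTICATION_CLASSES`; a browser that also holds a Django session cookie (from the browsable API or the admin) will be authenticated by that session first and hit the CSRF check even though the JWT alone would not require it.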
