I have been researching JWT and antiforgery tokens, and I found this article from Microsoft which indicates that with JWT the antiforgery validation is not necessary.
Is this correct, or did I misunderstand?
I am developing an application with Web API and Angular 6 using JWT.
Antiforgery tokens protect against CSRF attacks, which rely on cookies.
As long as your JWT is manually attached to the selected requests (unlike cookies, which the browser attaches to every request), CSRF is no longer possible.
So the answer is: it is correct for tokens that are not sent in cookies.