
JWT and antiforgery token

I have been researching JWT and antiforgery tokens, and I found this article from Microsoft which indicates that with JWT the antiforgery validation is not necessary.

Is this correct, or did I misunderstand?

I am developing an application with Web API and Angular 6 with JWT.

elchente23 asked Sep 29 '18 19:09


1 Answer

An antiforgery token protects against CSRF attacks, which are based on cookies.

As long as your JWT is manually attached to the selected requests (unlike cookies, which are attached to every request in the browser), CSRF is not possible anymore.

So, the answer is: it is correct for the tokens that are not sent in cookies.

smnbbrv answered Sep 22 '22 10:09
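The distinction drawn in the answer above, as an added example that is not part of the original post: a server-side gate that skips the antiforgery check when the JWT arrives in an `Authorization` header and enforces a double-submit check when it arrives in a cookie. The cookie name `access_token` and the function names are assumptions; `XSRF-TOKEN` and `X-XSRF-TOKEN` are Angular HttpClient's default names, and the sample requests are constructed.

```javascript
// Added example: names below are assumptions, sample requests are constructed.
const AUTH_COOKIE = "access_token";   // hypothetical cookie holding the JWT
const XSRF_COOKIE = "XSRF-TOKEN";     // Angular HttpClient default cookie name
const XSRF_HEADER = "x-xsrf-token";   // Angular HttpClient default header name
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Compare two tokens without returning at the first differing character.
function sameToken(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  if (a.length === 0 || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// req = { method, headers } with lower-cased header names. Decides only the
// CSRF gate; JWT signature and expiry validation are out of scope here.
function csrfGate(req) {
  const h = req.headers || {};
  // The browser never adds a Bearer header on its own; the app's code attaches
  // it, so a forged cross-site request arrives without it.
  if (/^Bearer\s+\S+$/i.test(h["authorization"] || "")) {
    return { pass: true, source: "header", csrfChecked: false };
  }
  const cookies = parseCookies(h["cookie"]);
  if (!cookies[AUTH_COOKIE]) return { pass: false, source: "none", csrfChecked: false };
  // Cookies ride along automatically, so state-changing requests need proof
  // that the caller could read the XSRF cookie (double-submit check).
  if (SAFE_METHODS.has(String(req.method).toUpperCase())) {
    return { pass: true, source: "cookie", csrfChecked: false };
  }
  const ok = sameToken(cookies[XSRF_COOKIE], h[XSRF_HEADER]);
  return { pass: ok, source: "cookie", csrfChecked: true };
}

// Constructed sample requests.
const spaCall = { method: "POST", headers: { authorization: "Bearer aaa.bbb.ccc" } };
const crossSitePost = { method: "POST", headers: { cookie: "access_token=aaa.bbb.ccc; XSRF-TOKEN=t0k3n" } };
const sameSitePost = { method: "POST", headers: { cookie: "access_token=aaa.bbb.ccc; XSRF-TOKEN=t0k3n", "x-xsrf-token": "t0k3n" } };
console.log(csrfGate(spaCall), csrfGate(crossSitePost), csrfGate(sameSitePost));
```

When the gate reports `source: "header"`, the server must authenticate from the header token only and ignore any auth cookie on the same request.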