Would I need CSRF if using JWT?


I have set up a single-page website that uses JWT authentication for user login. It uses AngularJS and ui-router to navigate pages.

Would I need CSRF protection as well, or could I just use JWT tokens to protect the admin-only areas?

MvdD On

Single page applications normally allow a user to log on and use the resulting JWT token to call REST APIs with bearer scheme authentication.

The loading of the application skeleton pages (HTML/JavaScript/CSS, etc.) is typically not secured (as these files contain no sensitive data). The browser does not automatically add bearer tokens to page requests.

If you want to protect your HTML and JavaScript pages, you could use cookie-based authentication, as cookies are automatically added to the requests by the browser.
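
The difference between a bearer header and a cookie described in the answer above decides where a CSRF check is needed on the server. The following Node.js code is an added example, not part of the original answer: it accepts the same HS256 JWT from either transport and enforces a double-submit CSRF check only when the token arrived in a cookie. The secret, the `session` and `csrf` cookie names, the `X-CSRF-Token` header and the function names are assumptions made for illustration.

```javascript
// Added example. SECRET, the cookie names and the X-CSRF-Token header are assumptions.
const crypto = require('crypto');
const SECRET = 'constructed-demo-secret';
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
const hmac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const sameBytes = (a, b) => a.length === b.length && crypto.timingSafeEqual(a, b);
// Split "a=1; b=2" into { a: '1', b: '2' }, keeping any '=' inside a value.
const parseCookies = (header = '') => Object.fromEntries(
  header.split(';').map((p) => p.trim().split(/=(.*)/s).slice(0, 2)).filter((kv) => kv.length === 2));

// Build an HS256 JWT; used here only to construct sample input.
function signJwt(claims) {
  const signed = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}`;
  return `${signed}.${hmac(signed).toString('base64url')}`;
}

// Return the claims if signature, pinned algorithm and expiry check out, else null.
function verifyJwt(token, now = Math.floor(Date.now() / 1000)) {
  const [head, body, sig, extra] = String(token).split('.');
  if (!head || !body || !sig || extra !== undefined) return null;
  if (!sameBytes(Buffer.from(sig, 'base64url'), hmac(`${head}.${body}`))) return null;
  try {
    if (JSON.parse(Buffer.from(head, 'base64url')).alg !== 'HS256') return null;
    const claims = JSON.parse(Buffer.from(body, 'base64url'));
    return typeof claims.exp === 'number' && claims.exp > now ? claims : null;
  } catch { return null; }
}

// req: { method, headers } with lower-case header names, as Node's http module provides.
function authorize(req) {
  const bearer = /^Bearer (\S+)$/.exec(req.headers.authorization || '');
  if (bearer) {
    // The browser never adds this header by itself; the SPA's script sets it, so no CSRF check.
    const claims = verifyJwt(bearer[1]);
    return claims ? { ok: true, via: 'bearer', sub: claims.sub } : { ok: false, reason: 'invalid token' };
  }
  const cookies = parseCookies(req.headers.cookie);
  const claims = verifyJwt(cookies.session);
  if (!claims) return { ok: false, reason: 'invalid token' };
  // The browser attaches cookies on its own, so a state-changing request must also
  // echo the csrf cookie in a custom header (double-submit check).
  const echoed = Buffer.from(req.headers['x-csrf-token'] || '');
  const expected = Buffer.from(cookies.csrf || '');
  if (!SAFE_METHODS.has(req.method) && !(expected.length > 0 && sameBytes(echoed, expected))) {
    return { ok: false, reason: 'csrf check failed' };
  }
  return { ok: true, via: 'cookie', sub: claims.sub };
}
```

In a real deployment the cookie carrying the token would also be set with `HttpOnly`, `Secure` and a `SameSite` attribute.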