elchente23

Reputation: 183

JWT and antiforgery token

I have been researching JWT and antiforgery tokens, and I found this article from Microsoft, which indicates that with JWT the antiforgery validation is not necessary.

Is this correct, or did I misunderstand?

I am developing an application with Web API and Angular 6 with JWT.

Upvotes: 8

Views: 3362

Answers (1)

smnbbrv

Reputation: 24581

An antiforgery token protects against CSRF attacks, which are based on cookies.

As long as your JWT is manually attached to the selected requests (unlike cookies, which are attached to every request in the browser), CSRF is not possible anymore.

So, the answer is: it is correct for the tokens that are not sent in cookies.

Upvotes: 15
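
The distinction drawn in the answer above, as an added example that is not part of the original post: a server-side check that asks for antiforgery validation only when the JWT arrived in a cookie rather than in an `Authorization` header set by the application's own code. The cookie name `access_token`, the function names and the sample requests are assumptions constructed for illustration.

```javascript
// Added example, not from the original thread. All names are hypothetical.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);
const AUTH_COOKIE = "access_token"; // assumed name of a cookie carrying the JWT

// Parse a Cookie header ("a=1; b=2") into a name -> value map.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

// Where did the credential come from? Header names are expected in lower
// case, as Node's http module delivers them.
// "header": attached by the application's own script, request by request.
// "cookie": attached by the browser automatically, including on requests
//           that another site caused the browser to send.
function credentialSource(headers) {
  if (/^Bearer\s+\S+$/i.test(headers["authorization"] || "")) return "header";
  if (parseCookies(headers["cookie"])[AUTH_COOKIE]) return "cookie";
  return "none";
}

// Antiforgery validation is needed only for state-changing requests whose
// credential was sent automatically. The server must then authenticate the
// request from the same source this function reported.
function needsAntiforgery(req) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return false;
  return credentialSource(req.headers) === "cookie";
}

// Constructed sample requests (the token value is a dummy, not a real JWT).
const SAMPLE_REQUESTS = [
  { method: "POST", headers: { authorization: "Bearer abc.def.ghi" } },
  { method: "POST", headers: { cookie: "theme=dark; access_token=abc.def.ghi" } },
  { method: "GET", headers: { cookie: "access_token=abc.def.ghi" } },
  { method: "DELETE", headers: {} },
];

function classifyAll() {
  return SAMPLE_REQUESTS.map((r) => `${r.method}:${credentialSource(r.headers)}:${needsAntiforgery(r)}`);
}
```
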
