Should I use CSRF when setting JWT token using cookie in Django?

I am developing an API back end with Django, that uses JWT tokens for authentication. After reading numerous articles on JWT authentication and security, I concluded that it is best to store the JWT refresh token using an HttpOnly cookie. I also read that when setting cookies with the Django Rest Framework, you should use CSRF protection.


1. Should I set a CSRF cookie when setting the JWT refresh token?

I implemented my own methods for setting the refresh_token cookie upon successful requests to the LoginView and RefreshView. If I do need to set the CSRF cookie, should I also set it on those same views and then validate it when the refresh token is used, for example, when refreshing and logging out?


2. How should I store the JWT access token?

I have a React front end and, at the moment, I am storing the access tokens in localStorage. Would it be better if I were to store the token in a global state, for example using Redux?

Forgive me if I don't know what I am talking about - my front-end knowledge is very limited.
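The pattern the question is asking about, as an added example (not the poster's code, and not Django's own CSRF implementation): a login/refresh view sets the refresh token in an HttpOnly cookie and a second, readable CSRF cookie next to it; the React app echoes the CSRF cookie back in an `X-CSRFToken` header; the refresh and logout views compare header and cookie before touching the refresh token. That is the same shape as Django's default CSRF machinery (the `csrftoken` cookie is readable by JavaScript unless `CSRF_COOKIE_HTTPONLY` is set, and `csrf_protect` accepts the token from the `X-CSRFToken` header), but this block is standard-library Python only, so it runs without Django. The cookie names, the `/api/auth/` path, `SERVER_SECRET` and all token values are example assumptions.

```python
"""Double-submit CSRF check beside an HttpOnly refresh-token cookie (standard library only).

Illustration of the pattern, not Django's own implementation. Django's SECRET_KEY, the
csrftoken cookie and the X-CSRFToken header play the roles modelled here.
"""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Hypothetical server-side secret; never hard-code a real one.
SERVER_SECRET = b"example-only-secret-do-not-use"


def _sign(value: str) -> str:
    return hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()


def make_csrf_token() -> str:
    """Random nonce plus an HMAC tag, so a cookie planted by an attacker (e.g. from a
    sibling subdomain) cannot be paired with a matching header/body value."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_sign(nonce)}"


def csrf_token_is_valid(token: str) -> bool:
    nonce, _, tag = token.partition(".")
    return bool(nonce) and hmac.compare_digest(_sign(nonce), tag)


def login_response_headers(refresh_token: str) -> list[tuple[str, str]]:
    """Set-Cookie headers a LoginView/RefreshView would emit alongside the access token."""
    refresh = SimpleCookie()
    refresh["refresh_token"] = refresh_token
    refresh["refresh_token"]["httponly"] = True       # not readable by page scripts
    refresh["refresh_token"]["secure"] = True
    refresh["refresh_token"]["samesite"] = "Strict"
    refresh["refresh_token"]["path"] = "/api/auth/"   # only sent to refresh/logout endpoints

    csrf = SimpleCookie()
    csrf["csrftoken"] = make_csrf_token()
    csrf["csrftoken"]["secure"] = True
    csrf["csrftoken"]["samesite"] = "Strict"
    # Deliberately NOT HttpOnly: the React app must read it to echo it in X-CSRFToken.
    return [
        ("Set-Cookie", refresh.output(header="").strip()),
        ("Set-Cookie", csrf.output(header="").strip()),
    ]


def check_refresh_request(cookie_header: str, headers: dict[str, str]) -> tuple[bool, str]:
    """Checks a refresh/logout view runs before using the refresh cookie.

    Browsers attach cookies to cross-site requests automatically, so the refresh cookie
    alone proves nothing about who built the request; the header does, because a
    cross-site form or img cannot add custom headers.
    """
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "refresh_token" not in jar:
        return False, "no refresh cookie"
    cookie_token = jar["csrftoken"].value if "csrftoken" in jar else ""
    lowered = {k.lower(): v for k, v in headers.items()}
    header_token = lowered.get("x-csrftoken", "")
    if not cookie_token or not header_token:
        return False, "missing csrf token"
    if not hmac.compare_digest(cookie_token.encode(), header_token.encode()):
        return False, "csrf token mismatch"
    if not csrf_token_is_valid(cookie_token):
        return False, "csrf token not issued by server"
    return True, "ok"


if __name__ == "__main__":
    # Constructed exchange: login, then a legitimate refresh and a forged cross-site one.
    for name, value in login_response_headers("rt-" + secrets.token_urlsafe(24)):
        print(f"{name}: {value}")
    token = make_csrf_token()
    cookies = f"refresh_token=rt-example; csrftoken={token}"
    print(check_refresh_request(cookies, {"X-CSRFToken": token}))  # legitimate SPA call
    print(check_refresh_request(cookies, {}))                      # cross-site form post
```

`check_refresh_request` rejects the forged request even though the browser sent both cookies, which is the whole point of validating the CSRF token on the views that consume the refresh cookie; `SameSite=Strict` and the narrow `Path` reduce how often that cookie is sent at all, and the check stays as defence in depth. On the second question, anything in `localStorage` is readable by every script running on the origin, so the usual recommendation is to keep the short-lived access token in page memory (component or Redux state) and let the HttpOnly refresh cookie re-issue it; that narrows, but does not remove, what an XSS payload can reach.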
