Web app security concerns against XSS and CSRF

I'm building a website using the Django REST API and ReactJS. I'm quite new to this, and I've already read some articles and also questions here on different security issues with CSRF and XSS attacks.

Currently my design includes a JWT bearer authentication header in addition to a CSRF token, and both of them are stored in browser cookies. However, the JWT must be set manually in headers and not automatically by browsers.

Is this best practice?
Would it be okay to exclude my own front end domain from CSRF check since it's trusted?

I realize cookie authentication is vulnerable to CSRF, so I put the token in headers. On the other hand, I know that an XSS attack can gain access to and read cookies, so I guess this is not the best approach.
