Topic: JWT tokens in SPA + Web API
There is now a very popular approach: SPA with Web API on . Accordingly, I think there is already a settled approach to security. Since an API is used, JWT tokens are used. From everything that I have read on the Internet, the following approach emerges: the user is issued a JWT token, which is stored in an HTTP-only cookie. Since the API is on a different domain, it is set up so that it can be sent with the request. Since this is subject to CSRF, the double submit approach is used in addition, i.e. an additional special which is also written in . Is all of this correct, or are there still other points to consider? We use Angular 4, i.e. theoretically the site is very well protected from XSS, so can we skip dealing with , and simply store the token in local storage?
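
A minimal server-side check for the double-submit scheme the post describes, as an added example that is not part of the original post. It uses only Node.js built-ins; the cookie and header names (`XSRF-TOKEN` / `X-XSRF-TOKEN`, the defaults of Angular's HttpClient XSRF support), the function names and the request objects are assumptions.

```javascript
// Added example, not code from the post. Node.js standard library only.
const crypto = require('crypto');

// Assumed names: the defaults of Angular's HttpClient XSRF support.
const CSRF_COOKIE = 'XSRF-TOKEN';
const CSRF_HEADER = 'x-xsrf-token'; // Node lowercases incoming header names
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Random value for the CSRF cookie. That cookie must be readable by the SPA
// (not HttpOnly); the JWT cookie stays HttpOnly.
function newCsrfToken() {
  return crypto.randomBytes(32).toString('hex');
}

// Parse a raw Cookie header into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Constant-time comparison; hashing first makes both buffers the same length.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(a).digest();
  const hb = crypto.createHash('sha256').update(b).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// True when the request may proceed. A cross-site form post carries the
// cookies automatically but cannot add the custom header, so it is rejected.
function checkDoubleSubmit(req) {
  if (SAFE_METHODS.has(req.method)) return true;
  const cookieValue = parseCookies(req.headers.cookie)[CSRF_COOKIE];
  const headerValue = req.headers[CSRF_HEADER];
  if (!cookieValue || typeof headerValue !== 'string') return false;
  return safeEqual(cookieValue, headerValue);
}

// Constructed sample requests (not real traffic).
const t = newCsrfToken();
const fromSpa = { method: 'POST', headers: { cookie: `jwt=aaa.bbb.ccc; XSRF-TOKEN=${t}`, 'x-xsrf-token': t } };
const forged = { method: 'POST', headers: { cookie: `jwt=aaa.bbb.ccc; XSRF-TOKEN=${t}` } };
console.log(checkDoubleSubmit(fromSpa), checkDoubleSubmit(forged));
```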