Topic: JWT tokens in SPA + Web API

Now there is a very popular approach: SPA with Web API on . Accordingly, I think there is already a settled approach to security. Since an API is used, JWT tokens are used. From everything I have read on the Internet, the following approach emerges: the user is issued a JWT token which is stored in an HttpOnly cookie. Since the API is on another domain, the cookie domain is set so that it can be sent with the request. Since this is subject to CSRF, the double submit approach is used in addition, i.e. a special  is also written to a cookie. Is all this correct, or are there still some points to consider? We use Angular 4, i.e. the site is theoretically protected from XSS very well; maybe then it is not necessary to bother with cookies, and we can simply store the token in local storage?