Do I need CSRF token if I'm using Bearer JWT?

This is relevant but doesn't necessarily answer 100% of your question:

https://security.stackexchange.com/a/166798/149676

The short of it is that as long as authentication isn't automatic (typically provided by the browser) then you don't have to worry about CSRF protection. If your application is attaching the credentials via an Authorization header then the browser can't automatically authenticate the requests, and CSRF isn't possible. Therefore, I would re-word the quote from your article slightly: it isn't that Bearer Tokens are the best defense against CSRF attacks, but simply that CSRF is an attack vector that specifically attacks requests where the browser automatically provides authentication (typically cookies and basic authentication), and so CSRF doesn't matter if the browser can't authenticate you.

You should probably make sure and verify, server-side, that your application isn't silently falling back to cookie validation if the Bearer token is absent. I could see something like that squeaking into an application by accident, and since the cookies will get sent along whether you want them to or not, it could result in an inadvertent CSRF vulnerability on a page that was "supposed" to be immune to CSRF.

As a result, I think both your questions one and two can be answered the same way. If you only use authentication via Bearer tokens and not via cookies, then there is no concern of CSRF vulnerability, and no extra steps are required for security.
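As an added example (not code from the answer above), a minimal HS256 JWT check in Python with a constructed secret and constructed request dicts, showing the silent cookie fallback the answer warns about beside the strict header-only path:

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # constructed for this example; load from config in practice

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_hs256_jwt(claims: dict) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_hs256_jwt(token: str):
    # Returns the claims if signature and expiry check out, else None.
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # accept only the algorithm we issue (no alg confusion)
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url(expected), sig):
            return None
        claims = json.loads(b64url_decode(payload))
    except (ValueError, AttributeError, TypeError):
        return None
    return claims if isinstance(claims, dict) and claims.get("exp", 0) > time.time() else None

def authenticate(request: dict, allow_cookie_fallback: bool = False):
    """request is a constructed dict: {"headers": {...}, "cookies": {...}}."""
    auth = request["headers"].get("Authorization", "")
    if auth.startswith("Bearer "):
        claims = verify_hs256_jwt(auth[len("Bearer "):])
        return claims.get("sub") if claims else None
    # The accidental fallback the answer warns about: the browser attaches the cookie
    # to cross-site requests too, so a forged request with no header still authenticates.
    if allow_cookie_fallback:
        claims = verify_hs256_jwt(request["cookies"].get("session", ""))
        return claims.get("sub") if claims else None
    return None

def demo() -> dict:
    # Constructed requests: an XHR carrying the header, and a forged cross-site POST carrying only the cookie.
    token = mint_hs256_jwt({"sub": "alice", "exp": int(time.time()) + 60})
    xhr = {"headers": {"Authorization": "Bearer " + token}, "cookies": {}}
    forged = {"headers": {}, "cookies": {"session": token}}
    return {"xhr": authenticate(xhr),
            "forged_strict": authenticate(forged),
            "forged_fallback": authenticate(forged, allow_cookie_fallback=True)}
```

Running `demo()` shows the same forged request rejected by the strict path and accepted once the cookie fallback is enabled, which is exactly the regression to test for in an API that is meant to be header-only.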


Generally, CSRF happens when a browser automatically adds headers (i.e. a Session ID within a Cookie), and the session is then authenticated. Bearer tokens, or other HTTP header-based tokens that need to be added manually, would protect you from CSRF.

Of course, but sort of off-topic, if you have an XSS vulnerability, an attacker could still access these tokens, but then it doesn't become a CSRF bug.


Previous answers are rock solid. I'll jump in here to provide some more context and a little caveat. There are lots of ways of using JWT; session management is one of them, although it presents a few drawbacks when dealing with timeouts and advanced requirements like re-authentication.

Also, I've seen JWT placed in Cookies. As others have stated, CSRF protection doesn't come from using a JWT itself. It comes from submitting it as an Authorization header, using the Bearer [JWT] scheme.

Question 1: Will I add extra security if I'll add X-XSRF-Token header to each request and for example make the mechanism stateless by checking for that same value in JWT payload? (I've read about it in this thread)

If you are submitting it via XHR as an Authorization header, then no, the extra X-XSRF-Token header will not add "extra" security.

Question 2: Do I need extra security efforts against CSRF taking all that I described?

Nope, your current setup is okay.

A while back, I compiled a web authentication techniques guide and their security properties (it also has a JWT part). Here is the final cheat sheet describing all methods in a compact form.