django-spa-cookie-auth
Token-based auth invulnerable to CSRF attacks
Hello! First of all, thank you for the detailed article and all the effort put into providing both explanation and working examples. On the other hand, I think it is worth noting that token-based auth (i.e. using HTTP headers to pass auth tokens) is not affected by CSRF attacks.
So, if opting for JWT (or any other header-based auth) as the authentication method, adding CSRF protection does not provide any security benefits. Especially if the API and SPA are cross-domain with properly set-up CORS.
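The distinction the comment relies on (the browser attaches cookies to cross-site requests by itself, whereas an Authorization header has to be set by script that holds the token), as an added example that is not part of this thread or of the django-spa-cookie-auth project; the credential stores, `Request` class and `handle()` are constructed for illustration, and the CSRF check follows Django's `csrftoken` cookie / `X-CSRFToken` header convention:

```python
# Added example, not from the django-spa-cookie-auth project: a minimal
# model of why CSRF protection matters for cookie sessions but not for
# header-carried tokens. Browsers attach cookies to cross-site requests
# automatically, while an Authorization header must be set by script that
# holds the token (and, cross-origin, only if CORS allows that header).
# The stores and names below are constructed for the example.
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
# Constructed credential stores (hypothetical).
VALID_TOKENS = {"tok-abc": "alice"}
SESSIONS = {"sess-123": "bob"}


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def authenticate(req):
    """Return (user, credential_kind); kind is 'header', 'cookie' or None.
    A Bearer header is an explicit credential: it is only present because
    application code added it, so there is no fallback to the ambient
    session cookie when the token is invalid."""
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return VALID_TOKENS.get(auth[len("Bearer "):]), "header"
    user = SESSIONS.get(req.cookies.get("sessionid"))
    return (user, "cookie") if user else (None, None)


def csrf_token_matches(req):
    """Django-style double submit: the csrftoken cookie must equal the
    X-CSRFToken header, which a cross-site form or fetch cannot set."""
    cookie = req.cookies.get("csrftoken")
    return bool(cookie) and cookie == req.headers.get("X-CSRFToken")


def handle(req):
    """Return an HTTP status for a state-changing endpoint."""
    user, kind = authenticate(req)
    if user is None:
        return 401
    # CSRF only matters for ambient credentials on unsafe methods; if the
    # same endpoint also accepts session cookies, that path keeps the check.
    if kind == "cookie" and req.method not in SAFE_METHODS:
        if not csrf_token_matches(req):
            return 403
    return 200
```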