I have a use case, an idea, to consult about. Let's say we have an ordinary non-single-page app. We want to rely on JWT and at the same time not use cookies – resign from using cookies whatsoever. Is it a good idea to append the bearer token to every request dynamically? The user clicks a link and a JS event is fired which appends the bearer token to the headers.
I am asking because more and more often I see single-page apps placed, embedded, tangled into classic non-single-page apps. JWT has really big potential, but mixing cookies and JWT is not very clean and is error prone in my opinion. We once again must deal with CSRF, so… have a CSRF token in the JWT and the JWT in a cookie.
The above solution lets us deal only with JWT tokens – so this simplifies the security battle. If someone is not logged in, the JWT will not be appended.
But am I missing something in this concept, or is this solid?
Sorry, but browsers do not allow header changes.
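The concept from the question, written out as an added JavaScript example that is not part of the original thread. The caveat it builds in: a plain `<a>` navigation cannot carry a custom header, so the click on a link is turned into a `fetch` that does carry `Authorization: Bearer …`, and the returned HTML is swapped into the page. Everything beyond that is an assumption for illustration: the token is kept in `sessionStorage` under the key `jwt`, only links marked `data-auth` are intercepted, the server answers with an HTML fragment placed into a `<main>` element, a 401 sends the user to `/login`, and `https://app.example` stands in for the page origin when the helpers run outside a browser (e.g. under Node for a quick check). The header is attached only to same-origin requests, and `credentials: 'omit'` keeps cookies out of the picture entirely, which is what removes the CSRF problem the question worries about.

```javascript
// Added example (not from the original post): bearer-JWT-only requests from a
// classic multi-page app, with no cookies involved at all.
// Assumptions (hypothetical): token stored under "jwt", links marked data-auth,
// server returns an HTML fragment for <main>, 401 -> /login.

const TOKEN_KEY = 'jwt';

// Fallback origin and store so the pure helpers also run outside a browser.
const currentOrigin = () =>
  typeof location !== 'undefined' ? location.origin : 'https://app.example';
const memoryStore = new Map();
const store = {
  get: (k) => (typeof sessionStorage !== 'undefined' ? sessionStorage.getItem(k) : memoryStore.get(k) ?? null),
  set: (k, v) => (typeof sessionStorage !== 'undefined' ? sessionStorage.setItem(k, v) : memoryStore.set(k, v)),
  remove: (k) => (typeof sessionStorage !== 'undefined' ? sessionStorage.removeItem(k) : memoryStore.delete(k)),
};

// Decode the JWT payload (base64url) WITHOUT verifying it. The client only
// reads `exp` to avoid sending a token the server will reject anyway;
// signature verification stays on the server.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return null;
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  try {
    return JSON.parse(atob(padded));
  } catch {
    return null; // malformed base64 or JSON: treat as "no token"
  }
}

function tokenIsUsable(jwt, nowSeconds = Math.floor(Date.now() / 1000)) {
  const payload = decodePayload(jwt);
  return !!payload && typeof payload.exp === 'number' && payload.exp > nowSeconds;
}

// Build fetch options. Authorization is added only for same-origin targets and
// only when a usable token exists, so a logged-out user simply sends nothing.
// credentials: 'omit' guarantees no cookie ever rides along with the request.
function authorizedInit(url, init = {}, origin = currentOrigin()) {
  const headers = new Headers(init.headers || {});
  const target = new URL(url, origin);
  const token = store.get(TOKEN_KEY);
  if (target.origin === origin && token && tokenIsUsable(token)) {
    headers.set('Authorization', `Bearer ${token}`);
  }
  return { ...init, headers, credentials: 'omit' };
}

// A plain link navigation cannot carry a custom header, so clicks on marked
// links are intercepted and replayed as fetch() calls with the bearer token.
// Returns false when there is no DOM to attach to (e.g. running under Node).
function installLinkInterceptor(doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return false;
  doc.addEventListener('click', async (ev) => {
    const link = ev.target.closest('a[data-auth]');
    if (!link) return;
    ev.preventDefault();
    const res = await fetch(link.href, authorizedInit(link.href));
    if (res.status === 401) {
      store.remove(TOKEN_KEY); // token rejected: drop it and re-authenticate
      location.assign('/login');
      return;
    }
    // Same-origin HTML from our own server: same trust as a full navigation.
    doc.querySelector('main').innerHTML = await res.text();
    history.pushState(null, '', link.href);
  });
  return true;
}

// Constructed sample token for offline demonstration only: it is unsigned
// ("sig" placeholder), so a real server would reject it.
function sampleToken(payload) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.sig`;
}

installLinkInterceptor();
```

In a page this is loaded once; the server side still verifies the signature and `exp` on every request, and the client-side `exp` check only avoids pointless round trips. The bearer header is never sent to another origin, which matters because a JWT in a header is as sensitive as a session cookie would be.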