Tags: vue.js, vuejs2, django-csrf, django-rest-framework-jwt

Handling CSRF token when working with Django Rest Framework JWT


Having the JWT token required for every request to the API, should I keep CSRF protection? Considering no one has access to others' JWT tokens, of course.

If yes, how could I get the CSRF token since I don't use Django templates (I'm using Vue separately)?

If not, is it ok to completely delete the CSRF middleware from settings?

Thanks in advance.


Solution

  • If you are storing the JWT in localStorage, you are not vulnerable to CSRF because localStorage cannot be accessed across domains. You should be aware, however, that there is debate as to whether it is wise to keep a JWT in localStorage since it can be stolen if you fall victim to XSS. The alternative is to store the token in an httpOnly cookie, in which case you must use CSRF protection.
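As an added illustration (not part of the original answer and not Django's or DRF's own code), here is a plain-Python model of the decision the answer describes: a JWT sent as a `Bearer` Authorization header needs no CSRF check, while a JWT that arrives in a cookie does. The cookie name `access_token` and the simplified equality check are assumptions; `csrftoken` and `X-CSRFToken` are Django's default CSRF cookie and header names, but real Django also masks its tokens, which this model omits.

```python
import hmac
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
JWT_COOKIE = "access_token"        # hypothetical name for a cookie-stored JWT
CSRF_COOKIE = "csrftoken"          # Django's default CSRF cookie name
CSRF_HEADER = "X-CSRFToken"        # header Django reads the token from


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def extract_jwt(request):
    """Return (token, source); source is 'header', 'cookie' or None."""
    auth = request.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):], "header"
    token = request.cookies.get(JWT_COOKIE)
    return (token, "cookie") if token else (None, None)


def csrf_check_passes(request):
    """Simplified double-submit check: the CSRF cookie must equal the header.
    (Django additionally masks its tokens; the principle is the same.)"""
    if request.method in SAFE_METHODS:
        return True
    cookie = request.cookies.get(CSRF_COOKIE, "")
    header = request.headers.get(CSRF_HEADER, "")
    return bool(cookie) and hmac.compare_digest(cookie.encode(), header.encode())


def authenticate(request):
    """Classify a request as 'ok', 'csrf_failed' or 'unauthenticated'."""
    token, source = extract_jwt(request)
    if token is None:
        return "unauthenticated"
    if source == "header":
        # A browser never adds an Authorization header on its own, so a
        # cross-site form or fetch cannot ride on this credential: no CSRF check.
        return "ok"
    # Cookies are attached automatically to cross-site requests, so a cookie JWT
    # says nothing about where the request came from; require the CSRF token.
    return "ok" if csrf_check_passes(request) else "csrf_failed"
```

With Django's defaults the `csrftoken` cookie is not HttpOnly, so a same-site frontend such as the Vue app can read it and echo it in the `X-CSRFToken` header; that is the path the cookie branch above checks.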