Software Engineering


Notice removed Canonical answer required by Community Bot
Bounty Ended with no winning answer by Community Bot
Notice added Canonical answer required by AhmedBilal
Bounty Started worth 50 reputation by AhmedBilal
added 57 characters in body

The frontend and backend would have different domains (they could be on the same domain but different sub-domains).

My flow:

  • Get a CSRF token (as a cookie) from an endpoint.
  • Attach that token to any unsafe request as a cookie as well as a header, e.g. X-CSRFToken, with the value that is in the cookie.
  • Take credentials from the client and pass them to the login endpoint.
  • The login endpoint returns a JWT access token inside the response and a refresh token as an httpOnly cookie.
  • Store the JWT access token in private data or a function closure.
  • Any further requests would include:
    • the JWT access token as the Authorization token value
    • the CSRF cookie
    • the CSRF cookie value as the X-CSRFToken value

My question is whether the flow seems okay from a security standpoint (CSRF/XSS) and whether we really need CSRF. What about login CSRF; does the above cover it?

Edits

  • Clarifications
    • I have overridden the obtain token endpoint (of simplejwt) to return the refresh token not inside the response but as a cookie with the httpOnly attribute set to true and the path attribute set to that of the token refresh endpoint.
    • I have overridden the token refresh endpoint to expect the refresh token inside a cookie.
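The following is an added example, not code from the question and not part of simplejwt: a small stand-alone model of the flow described above, written to show which requests actually depend on the CSRF double-submit check. The endpoint paths, the cookie names, the `alice` test account and the opaque random string standing in for the signed JWT are all assumptions made for the example; the question names none of them.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from http.cookies import SimpleCookie

LOGIN_PATH = "/api/token/"            # assumed paths; the question names no URLs
REFRESH_PATH = "/api/token/refresh/"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
USERS = {"alice": "correct horse battery staple"}  # constructed test account

@dataclass
class Request:  # minimal stand-in for an incoming HTTP request
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)

@dataclass
class Decision:
    reason: str
    access_token: str = ""
    set_cookie: str = ""

def refresh_cookie_header(refresh_token: str, cross_site: bool) -> str:
    """Set-Cookie line for the refresh token as the question describes it (HttpOnly,
    Path limited to the refresh endpoint) plus Secure and SameSite.  Strict works only
    when both ends are same-site; a cross-site fetch never carries a Strict cookie."""
    jar = SimpleCookie()
    jar["refresh_token"] = refresh_token
    attrs = {"httponly": True, "secure": True, "path": REFRESH_PATH,
             "samesite": "None" if cross_site else "Strict"}
    for name, value in attrs.items():
        jar["refresh_token"][name] = value
    return jar["refresh_token"].OutputString()

def csrf_ok(req: Request) -> bool:
    """Double-submit check: a cross-site page can make the browser send the cookie
    but cannot read it, so it cannot also copy the value into X-CSRFToken."""
    cookie, header = req.cookies.get("csrftoken", ""), req.headers.get("X-CSRFToken", "")
    return bool(cookie) and hmac.compare_digest(cookie, header)

class TokenServer:
    def __init__(self, cross_site: bool = False):
        self.cross_site, self.refresh_tokens, self.access_tokens = cross_site, {}, {}

    def login(self, req: Request) -> Decision:
        # Login CSRF: the credential is in the body, so this check is what stops a
        # cross-site form from logging the victim into an attacker-chosen account.
        if not csrf_ok(req):
            return Decision("csrf-failed")
        user, pw = req.body.get("username", ""), req.body.get("password", "")
        if user not in USERS or not hmac.compare_digest(USERS[user], pw):
            return Decision("bad-credentials")
        refresh, access = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = user
        self.access_tokens[access] = user  # opaque stand-in for a signed JWT
        return Decision("logged-in", access, refresh_cookie_header(refresh, self.cross_site))

    def handle(self, req: Request) -> Decision:
        if req.method in SAFE_METHODS:
            return Decision("safe-method")  # no state change, so no CSRF concern
        if req.path == LOGIN_PATH:
            return self.login(req)
        if req.path == REFRESH_PATH:
            # The credential is a cookie the browser attaches by itself, so this is
            # the one authenticated endpoint where CSRF is possible at all.
            if not csrf_ok(req):
                return Decision("csrf-failed")
            user = self.refresh_tokens.get(req.cookies.get("refresh_token", ""))
            if not user:
                return Decision("bad-refresh-token")
            access = secrets.token_urlsafe(32)
            self.access_tokens[access] = user
            return Decision("refreshed", access)
        auth = req.headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if token in self.access_tokens:
            # A cross-site page cannot make the browser add this header, so a valid
            # bearer token already rules out CSRF; no cookie is consulted here.
            return Decision("bearer")
        return Decision("no-credential")

def walk_flow(cross_site: bool = False) -> list:
    # Runs the question's flow end to end and returns the reason for each decision.
    srv = TokenServer(cross_site)
    csrf = secrets.token_urlsafe(32)                         # step 1: CSRF cookie
    cookies, headers = {"csrftoken": csrf}, {"X-CSRFToken": csrf}
    creds = {"username": "alice", "password": USERS["alice"]}
    login = srv.handle(Request("POST", LOGIN_PATH, headers, cookies, creds))
    jar = {**cookies, "refresh_token": login.set_cookie.split(";")[0].split("=", 1)[1]}
    bearer = {"Authorization": "Bearer " + login.access_token}
    return [
        login.reason,                                                        # logged-in
        srv.handle(Request("POST", LOGIN_PATH, {}, cookies, creds)).reason,  # cookie only
        srv.handle(Request("POST", "/api/notes/", bearer)).reason,           # header only
        srv.handle(Request("POST", REFRESH_PATH, {}, jar)).reason,           # cookie only
        srv.handle(Request("POST", REFRESH_PATH, headers, jar)).reason,      # cookie + header
    ]
```

`walk_flow()` walks the steps in the question and returns `["logged-in", "csrf-failed", "bearer", "csrf-failed", "refreshed"]`: the login and refresh endpoints are the cookie-authenticated ones, so they are the only places the double-submit check does any work, while a request carrying the in-memory access token in the Authorization header cannot be forged from another site and never consults a cookie. Two details the model makes explicit that the question leaves open: a cookie set by a different registrable domain is not readable from the frontend's `document.cookie`, so with fully separate domains the value for X-CSRFToken has to reach the page another way (a response body, for instance); and a `SameSite=Strict` refresh cookie is only delivered on same-site requests, which suits the sub-domain arrangement but not two separate domains, where `SameSite=None; Secure` is needed and the CSRF check carries correspondingly more weight.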

added 297 characters in body

The frontend and backend would have different domains (they could be on the same domain but different sub-domains).

My flow:

  • Get a CSRF token (as a cookie) from an endpoint.
  • Attach that token to any unsafe request as a cookie as well as a header, e.g. X-CSRFToken, with the value that is in the cookie.
  • Take credentials from the client and pass them to the login endpoint.
  • The login endpoint returns a JWT access token inside the response and a refresh token as an httpOnly cookie.
  • Store the JWT access token in private data or a function closure.
  • Any further requests would include:
    • the JWT access token as the Authorization token value
    • the CSRF cookie
    • the CSRF cookie value as the X-CSRFToken value

My question is whether the flow seems okay from a security standpoint (CSRF/XSS) and whether we really need CSRF. What about login CSRF; does the above cover it?

Edits

  • Clarifications
    • I have overridden the obtain token endpoint (of simplejwt) to return the refresh token not inside the response but as a cookie with the httpOnly attribute set to true.
    • I have overridden the token refresh endpoint to expect the refresh token inside a cookie.


Is storing the access token in private data and the refresh token in an http-only cookie safe?

The frontend and backend would have different domains (they could be on the same domain but different sub-domains).

My flow:

  • Get a CSRF token (as a cookie) from an endpoint.
  • Attach that token to any unsafe request as a cookie as well as a header, e.g. X-CSRFToken, with the value that is in the cookie.
  • Take credentials from the client and pass them to the login endpoint.
  • The login endpoint returns a JWT access token inside the response and a refresh token as an httpOnly cookie.
  • Store the JWT access token in private data or a function closure.
  • Any further requests would include:
    • the JWT access token as the Authorization token value
    • the CSRF cookie
    • the CSRF cookie value as the X-CSRFToken value

My question is whether the flow seems okay from a security standpoint (CSRF/XSS) and whether we really need CSRF. What about login CSRF; does the above cover it?
