
CSRF

Published Apr 07, 2020

Cross-site request forgery (CSRF) attacks attempt to perform requests against a site where the user is logged
in by tricking the user's browser into sending those requests from a different site. To accomplish this,
a specially crafted page (or any item the browser will load on its own, such as an image or a form) must
contain a URL pointing at the target. A common example is an <img> tag embedded in a malicious page
whose src points to the target of the attack.

For instance:
<!-- This is embedded in another domain's site -->

<img src="http://target.site.com/add-user?user=name&grant=admin">

The above <img> tag makes the browser send a GET request to target.site.com every time the page that contains it
is loaded. If the user had previously logged in to target.site.com and the site uses a cookie to
keep the session active, the browser attaches that cookie to the request as well: cookies are sent based on
the request's destination, not on which page issued the request. If the target site does not implement any
CSRF mitigation techniques, the request is handled as a valid request made on behalf of the user.
A JWT is no exception here. Like any other client-side data it can be stored in a cookie, and a JWT kept in a
cookie is sent automatically in exactly the same way as a classic session cookie.


Short-lived JWTs narrow the window in which a forged request can succeed, but they do not prevent the attack
on their own. Common CSRF mitigation techniques include checking the Origin or Referer header, which the
browser sets and a cross-site page cannot forge; requiring a custom request header that only script running on
the site's own origin can add (an <img> or <form> cannot set headers); per-session or per-request anti-CSRF
tokens that the server issues and expects back in a header or form field; and marking the session cookie
SameSite so the browser withholds it from cross-site requests. Refusing to change state on a GET request
closes the <img> vector in particular. If JWTs (and session data) are not stored as cookies but are sent
explicitly by the application, for example in an Authorization header, the browser never attaches them on
its own and a cross-site page has no way to make a request that carries them, so CSRF attacks are not
possible. Cross-site scripting attacks are still possible, though: a token kept in localStorage or in a
JavaScript variable is readable by any injected script, whereas an HttpOnly cookie is not.
