Stop Using JWTs
(news.ycombinator.com)
CSRF protection without tokens or hidden form fields
(news.ycombinator.com)