Why should I put a CSRF token in a JWT token?

Backend | Unresolved | 2 answers | 1380 views
谎友^
谎友^ 2021-02-04 18:45

I want to raise a doubt about JWT tokens and CSRF from the Stormpath post that explains the advantages and disadvantages of storing the JWT in either localStorage or cookies.

2 answers
  •  没有蜡笔的小新
    2021-02-04 19:05

    My understanding was this:

    • Store the JWT in an HttpOnly cookie.
    • In that JWT, store a hashed version of an XSRF token.
    • Send the client the XSRF token when they sign in so they can store it in local storage.
    • Later, when the client sends requests, the JWT is automatically sent with each request via cookies, and you also send the XSRF token via a header or query variable; on the server side, re-hash it and compare to what's in the JWT.

    Your JWT is protected from being stolen in an XSS and you're protected from XSRF. XSS could still execute in your browser but could only do damage for that session in the browser. Ultimately, you couldn't stop someone from writing a really detailed script that just ran in your browser, so conventional safeties to protect from XSS are still needed by the web developer.
