I recently read up on JWT, and I also used JWT for single sign-on authentication in a small project I wrote, with a Node.js back end. I've thought about the principles of CSRF and JWT, and I understand them fairly well, but my question is: can CSRF be prevented by using JWT? I am currently using Postman to request my API. If my token is not included in the Postman header (this token is the one returned to the front end after logging in to the page I am currently developing), it does report that the token does not exist and does not return data. But when I copied the token saved in the browser's localStorage and put it in the Postman header to make the request, it succeeded. Isn't it true, then, that JWT can't prevent CSRF? Anyone can take the token that exists in the front end, and won't a request succeed once they have it?

This question really bothers me. Please don't hesitate to give me your advice.