Django TypeScript

A practical JWT auth playbook for Django with TypeScript SPAs Features JWT Header Access, Cookie Refresh

This guide documents a battle‑tested pattern for web apps where the frontend is rendered by Django templates (or any SPA) and calls a REST API secured by JWTs. It assumes mainstream web‑app threat models and focuses on staying resilient against XSS and CSRF while keeping the UX smooth. Jwt Auth Playbook — Django + Type Script (header Access, Cookie Refresh)

“Header Access, Cookie Refresh — A practical JWT auth playbook for Django + TypeScript SPAs.” It covers:

  • Architecture & threat model
  • Exact cookie/CORS/CSRF settings to use
  • Backend endpoint contracts (login/refresh/logout)
  • Frontend behavior (single-flight refresh, one-retry rule, per-tab storage)
  • Security headers (CSP, etc.), ops hygiene, tests, pitfalls, and a print-ready checklist
1