What happens first in a request having both CSRF Token and JWT token, authentication or authorization?

This question crossed my mind when I sent an AJAX request from HTML to a backend Django server, forgot to add a CSRF token to the request payload, and received this error.

403 error means that the request was unauthorized.
I know th…

When using double submit cookies as protection against CSRF, does it matter where the random key is created?

I have a stateless backend and an SPA frontend. Except for the login request, all requests are secured by a JWT in the header.
Additionally, the application should now be secured against CSRF. Since the backend is stateless, we want to imple…