A JWT in a cookie and a CSRF token aren't duplicates; they protect against different things.
If your JWT is in a cookie, the browser attaches it automatically to requests to your site, including requests triggered from a malicious page (a hidden auto-submitting form, for example). That means an attacker can make your browser perform actions as you without ever seeing your token. That's classic CSRF. SameSite cookie attributes reduce the exposure, but a CSRF token is the check that doesn't depend on browser behaviour.
A CSRF token fixes that because the malicious site can't read it: the same-origin policy stops it from reading your page or your cookies, so it can't put the correct value in the request. Your backend rejects the forged request. Tie the token to the session it was issued for, otherwise an attacker can pair a token from their own account with your cookie.
If the token itself is stolen (via XSS, malware, etc.), the CSRF token won't help; the attacker just sends both. That's a different problem entirely, and it's the reason the cookie should be HttpOnly where possible.
In simple terms:
JWT cookie = your ID card
CSRF token = secret handshake
A malicious site can force your browser to show the ID, but it can't perform the handshake
That's why both exist when you use cookies for auth