I’ve recently added JWT authentication to my website because the frontend of my site is completely decoupled from the backend.
What I hadn’t thought of is that I could use wp_nonce instead of JWT: create a nonce on the backend, store it on the frontend and send it with every request until it expires.
What drawbacks does the WP nonce method have vs the JWT method?
Also, nonces are used to secure WordPress from CSRF, for example.
Is there any way to secure the REST API from CSRF, other than setting CORS rules correctly (to allow only the frontend domain)?
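As an added example, not part of the original question or of any answer on this page: the nonce flow described above (mint a nonce on the backend, store it on the frontend, send it with each request) implemented as a WordPress plugin fragment, together with a CORS filter that admits a single frontend origin instead of reflecting whatever Origin the request carries. The namespace `example/v1`, the route names, the helper `example_require_rest_nonce` and the constant `EXAMPLE_FRONTEND_ORIGIN` are placeholders chosen for this example; `register_rest_route`, `wp_create_nonce`, `wp_verify_nonce`, `get_http_origin` and the `rest_pre_serve_request` filter are WordPress core APIs.

```php
<?php
/**
 * Added example (not from the original post): a REST route that only accepts
 * cookie-authenticated requests carrying a valid 'wp_rest' nonce, a route that
 * hands that nonce to the logged-in frontend, and a CORS filter restricted to
 * one frontend origin. Names below are placeholders for this example.
 */

// Placeholder: the only origin allowed to call the API from a browser.
const EXAMPLE_FRONTEND_ORIGIN = 'https://frontend.example';

add_action( 'rest_api_init', function () {
    // Gives an already-authenticated user a nonce for the 'wp_rest' action.
    // The nonce is bound to the user's session token, so it is worthless
    // without the matching auth cookie, and it rotates on its own schedule.
    register_rest_route( 'example/v1', '/nonce', array(
        'methods'             => 'GET',
        'permission_callback' => 'is_user_logged_in',
        'callback'            => function () {
            return rest_ensure_response( array( 'nonce' => wp_create_nonce( 'wp_rest' ) ) );
        },
    ) );

    // A state-changing route: the permission callback enforces the nonce.
    register_rest_route( 'example/v1', '/profile', array(
        'methods'             => 'POST',
        'permission_callback' => 'example_require_rest_nonce',
        'callback'            => function ( WP_REST_Request $request ) {
            // Placeholder body; a real handler would update the profile here.
            return rest_ensure_response( array( 'user' => get_current_user_id() ) );
        },
    ) );
} );

/**
 * Permission callback: require a logged-in user AND a valid REST nonce.
 * The nonce may arrive in the X-WP-Nonce header or the _wpnonce parameter.
 */
function example_require_rest_nonce( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }

    $nonce = $request->get_header( 'X-WP-Nonce' );
    if ( ! $nonce ) {
        $nonce = $request->get_param( '_wpnonce' );
    }

    // wp_verify_nonce() returns 1 (first half of its lifetime), 2 (second half)
    // or false; anything falsy means the token is missing, stale or forged.
    if ( ! $nonce || ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
        return new WP_Error( 'rest_cookie_invalid_nonce', 'Cookie check failed.', array( 'status' => 403 ) );
    }

    return true;
}

// Replace core's CORS handler, which reflects the request's Origin header,
// with one that only ever names the single frontend origin.
remove_filter( 'rest_pre_serve_request', 'rest_send_cors_headers' );
add_filter( 'rest_pre_serve_request', function ( $served, $result, $request, $server ) {
    $origin = get_http_origin();
    if ( $origin === EXAMPLE_FRONTEND_ORIGIN ) {
        header( 'Access-Control-Allow-Origin: ' . EXAMPLE_FRONTEND_ORIGIN );
        header( 'Access-Control-Allow-Credentials: true' );
        header( 'Access-Control-Allow-Methods: GET, POST, OPTIONS' );
        header( 'Access-Control-Allow-Headers: Authorization, Content-Type, X-WP-Nonce' );
        header( 'Vary: Origin' );
    }
    // Any other origin gets no Allow-Origin header, so the browser blocks the read.
    return $served;
}, 10, 4 );
```

The frontend fetches `/wp-json/example/v1/nonce` with `credentials: 'include'`, keeps the value, and sends it as `X-WP-Nonce` on every later call; a 403 with code `rest_cookie_invalid_nonce` is the signal to fetch a fresh one. Two caveats worth keeping in mind: core's `rest_cookie_check_errors()` already performs a nonce check for cookie-authenticated requests (an invalid nonce is rejected, a missing one downgrades the request to anonymous), so the explicit callback above mainly makes the requirement visible and per-route; and CSRF is only a concern for credentials the browser attaches on its own, i.e. cookies. A JWT that script places in an `Authorization` header is never sent by a cross-site form or image, so on the bearer-token path the nonce adds nothing, while on the cookie path it is the control that the CORS allow-list backs up rather than replaces.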