Is DRF authtoken authorization secure enough for cross origin SPA?

When i read the Django Rest Framework authentication docs i get the impression that drf authtoken authorization was designed for secure clients like mobile apps, and not for browser single page applications.

But in the popular cookiecutter projects like cookiecutter-django that is what is used. Is it actually secure?

With jwt there is this diacussion of where to store them… Which kinda makes me to want to avoid them.

The only auth system designed for SPAs seems to be django-rest-knox, which seems to be based on drf authtokens. I think i will use them for the time being.

What is your secure api setup for crossorigin SPA clients? Or do you just avoid crossorigin?