Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Deleted user
0 / 0 points
badges earned

Your Points Tracker
  • Global
  • Feed

Badge for your thoughts?

You're enrolled in our new beta rewards program. Join our group to get the inside scoop and share your feedback.

Join group
Give the gift of kudos
You have 0 kudos available to give
Who do you want to recognize?
Why do you want to recognize them?
Great job appreciating your peers!
Check back soon to give more kudos.

Past Kudos Given
No kudos given
You haven't given any kudos yet. Share the love above and you'll see it here.

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Cannot add SSH Keys - XSRF Security Token Missing Edited

I can create projects, but I cannot add access keys to projects, or ssh keys to people.

I've already gone through all 6 options here:

I can recreate the error when I bypass my proxy (eliminating #1).

I can recreate the error when I set '', or simply remove '' from (eliminating #2).

I am not running any other applications on the same URL path (eliminating #3).

I am not using Bitbucket Data Center (eliminating #4).

I am starting with https, and continuing with https on all requests (eliminating #5).

I never had a jvmRoute property, nor can I find any property in any file (eliminating #6).

I've tried adding x-atlassian-token: no-check as a header with haproxy, and that didn't work.

I've tried looking for any way to disable xsrf security token checking on bitbucket, but there doesn't seem to be any option for it.

I've looked at all the logs, and don't see any xsrf related information anywhere.

On the first "add key", the URL seems the same.

When I click "Retry Operation", the URL changes to /mvc/xsrfNotification

When I click "Retry Operation" again, the URL changes to /mvc/null


I went so far as to decompile and edit the HttpSessionXsrfTokenGenerator class, and force hasValidToken to always return true:

public boolean hasValidToken(HttpServletRequest request) {
return true;

Despite this hard-forced override of any valid token check, I'm *still* getting:

XSRF Security Token Missing

Something tells me there's a deeper problem here than what the error message says.


When I manually hack the sal-core-4.4.0.jar, and com/atlassian/sal/core/xsrf/, I can disable the check and it works.  I haven't been able to trace exactly why it's failing there for adding ssh keys.

0 answers

Suggest an answer

Log in or Sign up to answer
Community showcase
Published in Bitbucket

New improvements to user management in Bitbucket Cloud 👥

Hey Community! We’re willing to wager that quite a few of you not only use Bitbucket, but administer it too. Our team is excited to share that we’ll be releasing improvements throughout this month of...

341 views 2 10
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you