https://confluence.atlassian.com/bitbucketserverkb/xsrf-security-token-missing-779171343.html describes my problem pretty well, but none of the solutions are working.
This is a three-node Bitbucket Data Center system, behind a Netscaler load balancer, and the BITBUCKETSESSIONID cookie is getting set -- that I can see with the browser's tools.
Lines like this appear in the atlassian-bitbucket.log files:
2020-12-02 11:53:10,497 WARN [http-nio-7990-exec-1] admin @BL40E5x713x8x3 1d7b6ia 10.82.0.10 "POST /rest/analytics/1.0/publish/bulk HTTP/1.1" c.a.p.r.c.s.j.XsrfResourceFilter Additional XSRF checks failed for request: http://cigfsgit.runwaynine.com:443/rest/analytics/1.0/publish/bulk , origin: https://cigfsgit.runwaynine.com , referrer: https://cigfsgit.runwaynine.com/admin , credentials in request: true , allowed via CORS: false
The load balancer is redirecting HTTP requests to HTTPS, the secure attribute isn't set in bitbucket.properties, and this is a new installation, so there's no "jvmRoute" set.
Hi Chris,
I'm seeing
http://cigfsgit.runwaynine.com:443/rest/analytics/1.0/publish/bulk
that looks like a typo to me - check both the Base URL you configured in the Bitbucket Server admin UI, as well as your settings for server.scheme in bitbucket.properties, which should be set to https, and server.secure needs to be set to true.
Cheers,
Christian
Premier Support Engineer
Atlassian
Yes, the base URL is configured wrong (http instead of https), but I cannot change it, because trying to submit the form to change it causes the XSRF error to happen.
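The mismatch pointed out in the reply above (the server logging the request URL as http on port 443 while the browser's origin is https) can be checked for across a whole log file. This is an added example, not part of the original thread and not Atlassian code: it parses XsrfResourceFilter warnings and reports which part of the request URL disagrees with the Origin header. The sample log is constructed with a placeholder host, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the format of the warning quoted in the question
# (placeholder host and client address).
SAMPLE_LOG = '''\
2020-12-02 11:53:10,497 WARN [http-nio-7990-exec-1] admin @X 1d7b6ia 10.0.0.1 "POST /rest/analytics/1.0/publish/bulk HTTP/1.1" c.a.p.r.c.s.j.XsrfResourceFilter Additional XSRF checks failed for request: http://git.example.com:443/rest/analytics/1.0/publish/bulk , origin: https://git.example.com , referrer: https://git.example.com/admin , credentials in request: true , allowed via CORS: false
2020-12-02 11:54:00,000 INFO [http-nio-7990-exec-2] unrelated line
'''

XSRF_RE = re.compile(
    r"Additional XSRF checks failed for request: (?P<request>\S+) , "
    r"origin: (?P<origin>\S+) ,"
)
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_tuple(url):
    """Reduce a URL to (scheme, host, port), filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def diagnose(log_text):
    """Return one finding per XSRF warning, naming the components that differ."""
    findings = []
    for line in log_text.splitlines():
        m = XSRF_RE.search(line)
        if not m:
            continue
        req, org = origin_tuple(m["request"]), origin_tuple(m["origin"])
        diffs = [n for n, a, b in zip(("scheme", "host", "port"), req, org) if a != b]
        hint = ""
        if diffs == ["scheme"] and req[0] == "http" and org[0] == "https":
            # TLS ends at the load balancer, but the application still
            # builds its own URL as http: the server.scheme / server.secure
            # settings named in the reply are the place to look.
            hint = "app sees http behind an https front end"
        findings.append({"request": m["request"], "origin": m["origin"],
                         "mismatch": diffs, "hint": hint})
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f["mismatch"], f["hint"], f["request"], "vs", f["origin"])
```
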