Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
Community Members
Community Events
Community Groups

How do you disable XSRF checking in Jira 8.x

When using a reverse proxy (F5 LTM + APM Portal Access resource), there are consistent post from the client via rest and each response from the Jira server is a 403 resulting in a failed XSRF check.  Looking at all of the GET and POST, I see a jsessionid and csrf token but for some reason the XSRF check still fails based on the Wireshark captures on the server side.

I have attempted the no-check header option with no success and not sure what else to do.  Any insight is greatly appreciated.

1 answer

1 accepted

0 votes
Answer accepted

Issue resolved based on the article (REST API calls and User-Agent headers) below but a little more info for anyone that may run into this in the future.  If using LTM only for load balancing purposes, I am able to successfully able to access and authenticate to the Jira webpage and the functionality is great.

Once I introduced LTM + APM I began to see 403s (XSRF check failed) when the client sent a POST.  This occurred whether I was just using APM to authenticate to a pool member or using a portal access resource.  Due to these errors, images would not load when viewing projects and other items within Jira.


After reviewing the article regarding User-Agent headers for API calls, I created a local traffic policy to remove the User-Agent header from all POST HTTP methods.  (Note, this can be done via iRule or local traffic policy)


Then reviewing a capture on the Jira server, you will see all POST's, no longer have the User-Agent header included and this does not include any other HTTP method.


As a result, loading the same page that resulted in the XSRF check failed error, now load.


Suggest an answer

Log in or Sign up to answer

Atlassian Community Events