How do you disable XSRF checking in Jira 8.x

When using a reverse proxy (F5 LTM + APM Portal Access resource), there are consistent POSTs from the client via REST and each response from the Jira server is a 403 resulting in a failed XSRF check.  Looking at all of the GETs and POSTs, I see a jsessionid and CSRF token but for some reason the XSRF check still fails based on the Wireshark captures on the server side.

I have attempted the no-check header option with no success and am not sure what else to do.  Any insight is greatly appreciated.

1 answer

1 accepted

0 votes
Answer accepted

Issue resolved based on the article (REST API calls and User-Agent headers) below, but here is a little more info for anyone that may run into this in the future.  If using LTM only for load balancing purposes, I am able to successfully access and authenticate to the Jira webpage and the functionality is great.

Once I introduced LTM + APM I began to see 403s (XSRF check failed) when the client sent a POST.  This occurred whether I was just using APM to authenticate to a pool member or using a portal access resource.  Due to these errors, images would not load when viewing projects and other items within Jira.

Jira1.png

After reviewing the article regarding User-Agent headers for API calls, I created a local traffic policy to remove the User-Agent header from all POST HTTP methods.  (Note, this can be done via iRule or local traffic policy)

Jira2.png

Then, reviewing a capture on the Jira server, you will see that all POSTs no longer have the User-Agent header included, and this does not include any other HTTP method.

Jira3.png

As a result, the same page that resulted in the XSRF check failed error now loads.

Jira4.png

https://confluence.atlassian.com/jirakb/rest-api-calls-with-a-browser-user-agent-header-may-fail-csrf-checks-802591455.html
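
The capture review described in the answer above can be repeated without reading packets by eye. The following is an added example, not part of the original post and not Atlassian or F5 tooling: it parses request heads exported from a server-side capture and flags POSTs that still carry User-Agent, as well as other methods that arrive without it. The host name, paths and header values are constructed samples.

```python
# Added example: audit HTTP request heads exported from a capture taken on
# the Jira side of the proxy. All sample requests below are constructed.

def parse_request_head(raw):
    """Return (method, path, headers) for one raw HTTP/1.x request."""
    lines = raw.replace("\r\n", "\n").split("\n")
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("not an HTTP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers; any body is ignored
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        # Header names are case-insensitive, so normalise before lookup.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return parts[0], parts[1], headers

def audit_capture(raw_requests):
    """List requests that contradict 'User-Agent removed from POST only'."""
    findings = []
    for index, raw in enumerate(raw_requests):
        method, path, headers = parse_request_head(raw)
        has_ua = "user-agent" in headers
        if method == "POST" and has_ua:
            findings.append((index, method, path, "POST still has User-Agent"))
        elif method != "POST" and not has_ua:
            # Either the client sent none or the policy matched too broadly.
            findings.append((index, method, path, "non-POST lacks User-Agent"))
    return findings

HOST = "Host: jira.example.internal\r\n"  # constructed host name
SAMPLE_CAPTURE = [  # constructed requests; paths are placeholders
    "GET /example/page HTTP/1.1\r\n" + HOST + "User-Agent: ExampleBrowser/1.0\r\n\r\n",
    "POST /example/rest/a HTTP/1.1\r\n" + HOST + "Content-Length: 2\r\n\r\n{}",
    "POST /example/rest/b HTTP/1.1\r\n" + HOST + "user-agent: ExampleBrowser/1.0\r\n\r\n",
    "PUT /example/rest/c HTTP/1.1\r\n" + HOST + "Content-Length: 2\r\n\r\n{}",
]

if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        print(finding)
```

An empty result from `audit_capture` means every POST in the capture arrived without User-Agent and every other method kept it, which is the state the answer describes.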
