Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Jira 7 rest api: XSRF check failed for post issue with application/json

Mikhail Baksheev
Mikhail Baksheev
Contributor
January 21, 2016

Hi,

I trying to create an issue via JIRA 7 Reast API but creation is failed with message "XSRF check failed"

Please see attached screenshot:

 

jira-rest.png

According documentation (here https://confluence.atlassian.com/bitbucketserver/how-to-update-your-add-on-779302412.html#Howtoupdateyouradd-on-XSRFProtectionenabledbydefault and here: https://confluence.atlassian.com/display/KB/Cross+Site+Request+Forgery%28CSRF%29+protection+changes+in+Atlassian+Rest)

if i understood correctly, xsrf check should not performs for post requests with Content-Type: application/json But I get the eroror 403 with message "XSRF check failed".

Also I tryed to add header X-Atlassian-Token: no-check and there are no any effect.

This behavior is actual for JIRA 7. There is no this issue in the previous versions.

Can you please clarify why "XSRF check failed" occured for post requests with Content-Type: application/json? May be something wrong on my requests or JIRA configuration?

Thanks.

 

Answer
Watch
Like # people like this
56386 views

10 answers

1 accepted

15 votes
Answer accepted
Leonard Chew
Leonard Chew
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
August 12, 2016

I was a bit baffled as I noticed the REST call worked with Chrome, but not with Firefox, no matter which Plugin I used (not even editing the call with F12).

After some testing I found the solution:
It turns out to be that the REST API has problems with the default User-Agent String of Firefox, e.g. (Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0)

Overwrite the User-Agent String with some dummy value, and it will work smile

postDataFirefox.png

View More Comments
Carl Weiss
Carl Weiss
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
August 22, 2016

Thanks for the post.

I found this solution worked with JQuery ajax call to the Bamboo Rest API as well.

The ajax function would work properly in IE but Firefox and Chrome returned the error "403 XSRF check failed"

Like # people like this
Murali
Murali September 19, 2016

It works!

Like
Ives Laaf
Ives Laaf June 22, 2017

this should be fixed! is there a bug for this open? this is rediculous! it did cost me always half a day - and is defenitly depending on the agent string -> this should not be the case

also there are misguiding information about no-check vs nocheck...

Like # people like this
Leonard Chew
Leonard Chew
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
June 23, 2017

You are right, Ives. In order for this to be fixed, I have reported a Bug. As I do not have permission to create the bug, I reported it to atlassian support and they will open the bug.


As soon as I have the issue ID I'll post the link to the bug for upvoting.

Like
Leonard Chew
Leonard Chew
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
June 29, 2017

After having contacted Atlassian Support to raise a bug:

  1. Atlassian does not consider this as a bug, so no bug will be opened.
  2. This (mis-)behaviour has been documented in the Jira Knowledge Base and users will have to live with the workaround of clearing the user-agent header:
    https://confluence.atlassian.com/jirakb/rest-api-calls-with-a-browser-user-agent-header-may-fail-csrf-checks-802591455.html

 

Like
bigantal
bigantal
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
August 4, 2017

Thanks a lot, it works!

Like
jefin
jefin
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
February 13, 2019

HI all,

I am new to dev, and i am facing the same issue when sending ajax  POST to createissue in JIRA, How should i remove User-Agent header in ajax request. 

Like Sachin Pakale likes this
Sachin Pakale
Sachin Pakale
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
July 4, 2019

Did you find the answer by now? I am facing the same issue.

Like
ensemblebd
ensemblebd
Contributor
November 30, 2019

Unbelievable fix. Thank you!!!! from 2019.
Bitbucket Server behind a reverse proxy exhibits this exact problem..
Several unanswered community questions over this.

Like # people like this
Prashant B
Prashant B June 2, 2021

Thank you, you have really saved me 1 hour of head cracking... I set this .SetRequestHeader "User-Agent", "dummyValue" in my excel VBA and it works. Kudos

Like
Reply
2 votes
David Chou
David Chou
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
July 28, 2016

The Header should be "X-Atlassian-Token: nocheck"

Reply
2 votes
Jobin Kuruvilla [Adaptavist]
Jobin Kuruvilla [Adaptavist]
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
January 21, 2016

header X-Atlassian-Token: no-check should work. Are you sure you are sending it correctly?

View More Comments
Mikhail Baksheev
Mikhail Baksheev
Contributor
January 21, 2016

Yes, I think it is correct usage: 

jira-rest.png

Like Mikhail Kosenko likes this
Tobias Dauenhauer
Tobias Dauenhauer April 21, 2016

Hello Mikhail,

 

have you found a solution for your problem, because I have the same issue and I would really appreciate it if you could share your solution with me.

 

Sincerely Tobias

Like
MR2001
MR2001
Contributor
June 13, 2016

I am having the same issue when using the REST API, if you found a solution can you please share it with the community?

Regards,

Mircea

Like
David Christens
David Christensen
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
August 24, 2016

Following thread, having the same issue.

Like
MR2001
MR2001
Contributor
August 24, 2016

I resolved this problem just adding an extra line to my VBA code (the one in bold), not sure this is helpful as this thread is not VBA related. It sets the "Origin" to your JIRA URL:

.setRequestHeader "X-Atlassian-Token", "nocheck"
.setRequestHeader "Origin", "https://amptjira01.sa1.mer-csn.com:8443/"
.setRequestHeader "Content-Type", "multipart/form-data; boundary=" & sBOUNDARY
.setRequestHeader "Authorization", "Basic " 
.setRequestHeader "Set-Cookie", sCookie

Like # people like this
Dmitry Andrejev
Dmitry Andrejev
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
November 27, 2016

The "Origin" header set to base url of JIRA solved it for me. Thank you.

Like
vamshi81
vamshi81 July 11, 2017

Hi! I am facing the same problem, but I am unable to set Origin. Chrome refuses saying "Refused to set unsafe header "Origin""

Any idea how to solve this problem?

Like
Reply
1 vote
Mikhail Baksheev
Mikhail Baksheev
Contributor
January 26, 2016

It seems, it is firefox related issue. Becuse issues creation is successful via other REST clients.

View More Comments
Ives Laaf
Ives Laaf June 22, 2017

or it is depending on the agent string...

Like
Reply
0 votes
Francesco R
Francesco R
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
March 11, 2021

I'm just out of this issue. For my experience it wasn't a problem related to the browser. I had XSRF check failed both with Firefox and Chrome.
I was trying to attach a file to an issue with rest API.
Using Python or curl it worked. But using axios, inside the plugin, was creating me a lot of problems.
I tried all the suggested solutions. It's not possible to change "User-Agent": as @[deleted] said browers prevent this. After countless attempts I succeeded in attaching file with these lines of code.

 

var attachheaders = { headers: { 
                                 'X-Atlassian-Token': 'no-check',
                                 'Content-Type': 'multipart/form-data'
                               }
                     };

var attachrest = '/rest/api/latest/issue/'+this.issueKey+'/attachments';
var attachdata = new FormData();
attachdata.append('file', this.attachedFile);
axios.post( attachrest, attachdata, attachheaders
            ).then(response => {
               console.log(response);
               if (response.status == 200) {
                  // do something here
               }
            }).catch(error => {
               console.log(error.response);
            }).finally(() => {
               // do something here
            });


Inserting a comment I had a 400 error, and logging error on the console I noted that the real error was due to the data block bad formatted.
The header is different and also the data block.
So the correct code (using axios) is (for my experience):


var commentrest = '/rest/api/latest/issue/'+this.issueKey+'/comment';
var commentdata = {'body' : 'MY NEW COMMENT'};
var commentheaders = { headers: { 
                                  'X-Atlassian-Token': 'no-check',
                                  'Content-Type': 'application/json'
                                }
                     };
axios.post(commentrest, commentdata, commentheaders
          ).then(response => {
              // etc etc.

 

If I well remember in comment headers the 'X-Atlassian-Token': 'no-check' is useless but I am using it the same.
I hope this helps. Just a my opinion about Atlassian example on api rest. Maybe some more examples in addition to simple curl command line could be more useful. 

Reply
0 votes
Bernard Tai
Bernard Tai
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
January 1, 2021

+1 issue with getting error "XSRF check failed". This issue is only present when using Chrome browser (87.0.4280.88 on OSX) to post javascript request to Atlassian Jira API. Example request https://digitaloperative.atlassian.net/rest/api/3/search 

Not an issue for Safari or Firefox

View More Comments
Bernard Tai
Bernard Tai
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
January 11, 2021

As of Jan 11 2021, also an issue on Safari and Firefox. 

Like
Reply
0 votes
Idan Arbel
Idan Arbel
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
September 26, 2020

I'm still having this isssue, I'm writing a figma plugin which runs in the browser, and i'm getting an XSRF check failed request response when making an api post

Reply
0 votes
Bernhard Gruenewaldt
Bernhard Gruenewaldt
Contributor
May 3, 2019

So I ran into this issue while writing an App and for me two things solved the error

1. If proxying the request: Send the actual hostName of the HTTPS Proxy

2. Do NOT send the "User-Agent" Header.

View More Comments
guru
guru
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
November 13, 2019

Hey, thanks for posting what worked for you!

1. Could you clarify what you mean by sending the actual hostName?  Send it how, in what attribute? 

2. How did you avoid sending the "User-Agent" header?  My impression is that modern browsers prevent this these days.  When I try, I get errors in Chrome: 'Refused to set unsafe header "User-Agent"'.

Like natasha_kozhina likes this
Reply
0 votes
Tormod Haugene
Tormod Haugene
Contributor
March 21, 2019

It is also possible to whitelist any number of domains in Jira, so that they bypass XFRS security.

This issue illustrates how to do that:

https://jira.atlassian.com/browse/JRASERVER-59551

Reply
0 votes
Boris Lux
Boris Lux
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
August 30, 2016

Hi all, with JSON it looks like this to create an issue in JIRA via REST request:

{"Post Jjira Issue":{"method":"POST","url":"http://...yourjiraurl.../rest/api/2/issue/","body":"{    "fields":{  "project":  { "key": "...yourjiraprojectkey..."    }, "summary": "No REST for the Wicked.", "description": "Creating of an issue using key for project and name for issue type using the REST API", "issuetype": {   "name": "Bug"   }}}","overrideMimeType":false,"headers":[["Authorization","Basic ...yourbase64loginstring..."],["Content-Type","application/json"],["User-Agent","xx"],["X-Atlassian-Token","nocheck"]]}}

 

Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
TAGS
AUG Leaders

Atlassian Community Events

    See all events