Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Jira 7 rest api: XSRF check failed for post issue with application/json

Hi,

I trying to create an issue via JIRA 7 Reast API but creation is failed with message "XSRF check failed"

Please see attached screenshot:

 

jira-rest.png

According documentation (here https://confluence.atlassian.com/bitbucketserver/how-to-update-your-add-on-779302412.html#Howtoupdateyouradd-on-XSRFProtectionenabledbydefault and here: https://confluence.atlassian.com/display/KB/Cross+Site+Request+Forgery%28CSRF%29+protection+changes+in+Atlassian+Rest)

if i understood correctly, xsrf check should not performs for post requests with Content-Type: application/json But I get the eroror 403 with message "XSRF check failed".

Also I tryed to add header X-Atlassian-Token: no-check and there are no any effect.

This behavior is actual for JIRA 7. There is no this issue in the previous versions.

Can you please clarify why "XSRF check failed" occured for post requests with Content-Type: application/json? May be something wrong on my requests or JIRA configuration?

Thanks.

 

10 answers

1 accepted

15 votes
Answer accepted
Leonard Chew Community Leader Aug 12, 2016

I was a bit baffled as I noticed the REST call worked with Chrome, but not with Firefox, no matter which Plugin I used (not even editing the call with F12).

After some testing I found the solution:
It turns out to be that the REST API has problems with the default User-Agent String of Firefox, e.g. (Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0)

Overwrite the User-Agent String with some dummy value, and it will work smile

postDataFirefox.png

Thanks for the post.

I found this solution worked with JQuery ajax call to the Bamboo Rest API as well.

The ajax function would work properly in IE but Firefox and Chrome returned the error "403 XSRF check failed"

Like # people like this

this should be fixed! is there a bug for this open? this is rediculous! it did cost me always half a day - and is defenitly depending on the agent string -> this should not be the case

also there are misguiding information about no-check vs nocheck...

Like # people like this
Leonard Chew Community Leader Jun 23, 2017

You are right, Ives. In order for this to be fixed, I have reported a Bug. As I do not have permission to create the bug, I reported it to atlassian support and they will open the bug.


As soon as I have the issue ID I'll post the link to the bug for upvoting.

Leonard Chew Community Leader Jun 29, 2017

After having contacted Atlassian Support to raise a bug:

  1. Atlassian does not consider this as a bug, so no bug will be opened.
  2. This (mis-)behaviour has been documented in the Jira Knowledge Base and users will have to live with the workaround of clearing the user-agent header:
    https://confluence.atlassian.com/jirakb/rest-api-calls-with-a-browser-user-agent-header-may-fail-csrf-checks-802591455.html

 

Thanks a lot, it works!

HI all,

I am new to dev, and i am facing the same issue when sending ajax  POST to createissue in JIRA, How should i remove User-Agent header in ajax request. 

Like Sachin Pakale likes this

Did you find the answer by now? I am facing the same issue.

Unbelievable fix. Thank you!!!! from 2019.
Bitbucket Server behind a reverse proxy exhibits this exact problem..
Several unanswered community questions over this.

Like # people like this

Thank you, you have really saved me 1 hour of head cracking... I set this .SetRequestHeader "User-Agent", "dummyValue" in my excel VBA and it works. Kudos

header X-Atlassian-Token: no-check should work. Are you sure you are sending it correctly?

Yes, I think it is correct usage: 

jira-rest.png

Like Mikhail Kosenko likes this

Hello Mikhail,

 

have you found a solution for your problem, because I have the same issue and I would really appreciate it if you could share your solution with me.

 

Sincerely Tobias

I am having the same issue when using the REST API, if you found a solution can you please share it with the community?

Regards,

Mircea

Following thread, having the same issue.

I resolved this problem just adding an extra line to my VBA code (the one in bold), not sure this is helpful as this thread is not VBA related. It sets the "Origin" to your JIRA URL:

.setRequestHeader "X-Atlassian-Token", "nocheck"
.setRequestHeader "Origin", "https://amptjira01.sa1.mer-csn.com:8443/"
.setRequestHeader "Content-Type", "multipart/form-data; boundary=" & sBOUNDARY
.setRequestHeader "Authorization", "Basic " 
.setRequestHeader "Set-Cookie", sCookie

Like # people like this

The "Origin" header set to base url of JIRA solved it for me. Thank you.

Hi! I am facing the same problem, but I am unable to set Origin. Chrome refuses saying "Refused to set unsafe header "Origin""

Any idea how to solve this problem?

The Header should be "X-Atlassian-Token: nocheck"

It seems, it is firefox related issue. Becuse issues creation is successful via other REST clients.

or it is depending on the agent string...

Hi all, with JSON it looks like this to create an issue in JIRA via REST request:

{"Post Jjira Issue":{"method":"POST","url":"http://...yourjiraurl.../rest/api/2/issue/","body":"{    "fields":{  "project":  { "key": "...yourjiraprojectkey..."    }, "summary": "No REST for the Wicked.", "description": "Creating of an issue using key for project and name for issue type using the REST API", "issuetype": {   "name": "Bug"   }}}","overrideMimeType":false,"headers":[["Authorization","Basic ...yourbase64loginstring..."],["Content-Type","application/json"],["User-Agent","xx"],["X-Atlassian-Token","nocheck"]]}}

 

It is also possible to whitelist any number of domains in Jira, so that they bypass XFRS security.

This issue illustrates how to do that:

https://jira.atlassian.com/browse/JRASERVER-59551

So I ran into this issue while writing an App and for me two things solved the error

1. If proxying the request: Send the actual hostName of the HTTPS Proxy

2. Do NOT send the "User-Agent" Header.

Hey, thanks for posting what worked for you!

1. Could you clarify what you mean by sending the actual hostName?  Send it how, in what attribute? 

2. How did you avoid sending the "User-Agent" header?  My impression is that modern browsers prevent this these days.  When I try, I get errors in Chrome: 'Refused to set unsafe header "User-Agent"'.

Like natasha_kozhina likes this

I'm still having this isssue, I'm writing a figma plugin which runs in the browser, and i'm getting an XSRF check failed request response when making an api post

+1 issue with getting error "XSRF check failed". This issue is only present when using Chrome browser (87.0.4280.88 on OSX) to post javascript request to Atlassian Jira API. Example request https://digitaloperative.atlassian.net/rest/api/3/search 

Not an issue for Safari or Firefox

As of Jan 11 2021, also an issue on Safari and Firefox. 

I'm just out of this issue. For my experience it wasn't a problem related to the browser. I had XSRF check failed both with Firefox and Chrome.
I was trying to attach a file to an issue with rest API.
Using Python or curl it worked. But using axios, inside the plugin, was creating me a lot of problems.
I tried all the suggested solutions. It's not possible to change "User-Agent": as @GURU said browers prevent this. After countless attempts I succeeded in attaching file with these lines of code.

 

var attachheaders = { headers: { 
'X-Atlassian-Token': 'no-check',
'Content-Type': 'multipart/form-data'
}
};

var attachrest = '/rest/api/latest/issue/'+this.issueKey+'/attachments';
var attachdata = new FormData();
attachdata.append('file', this.attachedFile);
axios.post( attachrest, attachdata, attachheaders
).then(response => {
console.log(response);
if (response.status == 200) {
// do something here
}
}).catch(error => {
console.log(error.response);
}).finally(() => {
  // do something here
});


Inserting a comment I had a 400 error, and logging error on the console I noted that the real error was due to the data block bad formatted.
The header is different and also the data block.
So the correct code (using axios) is (for my experience):


var commentrest = '/rest/api/latest/issue/'+this.issueKey+'/comment';
var commentdata = {'body' : 'MY NEW COMMENT'};
var commentheaders = { headers: {
                              'X-Atlassian-Token': 'no-check',
                            'Content-Type': 'application/json'
  }
};
axios.post(commentrest, commentdata, commentheaders
  ).then(response => {
// etc etc.

 

If I well remember in comment headers the 'X-Atlassian-Token': 'no-check' is useless but I am using it the same.
I hope this helps. Just a my opinion about Atlassian example on api rest. Maybe some more examples in addition to simple curl command line could be more useful. 

Suggest an answer

Log in or Sign up to answer
TAGS

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you