Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Next challenges

Recent achievements

  • Global
  • Personal


  • Give kudos
  • Received
  • Given


  • Global

Trophy case

Kudos (beta program)

Kudos logo

You've been invited into the Kudos (beta program) private group. Chat with others in the program, or give feedback to Atlassian.

View group

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Jira 7 rest api: XSRF check failed for post issue with application/json


I trying to create an issue via JIRA 7 Reast API but creation is failed with message "XSRF check failed"

Please see attached screenshot:



According documentation (here and here:

if i understood correctly, xsrf check should not performs for post requests with Content-Type: application/json But I get the eroror 403 with message "XSRF check failed".

Also I tryed to add header X-Atlassian-Token: no-check and there are no any effect.

This behavior is actual for JIRA 7. There is no this issue in the previous versions.

Can you please clarify why "XSRF check failed" occured for post requests with Content-Type: application/json? May be something wrong on my requests or JIRA configuration?



8 answers

1 accepted

12 votes
Answer accepted
Leonard Chew Community Leader Aug 12, 2016

I was a bit baffled as I noticed the REST call worked with Chrome, but not with Firefox, no matter which Plugin I used (not even editing the call with F12).

After some testing I found the solution:
It turns out to be that the REST API has problems with the default User-Agent String of Firefox, e.g. (Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0)

Overwrite the User-Agent String with some dummy value, and it will work :smile:


Thanks for the post.

I found this solution worked with JQuery ajax call to the Bamboo Rest API as well.

The ajax function would work properly in IE but Firefox and Chrome returned the error "403 XSRF check failed"

Like # people like this

this should be fixed! is there a bug for this open? this is rediculous! it did cost me always half a day - and is defenitly depending on the agent string -> this should not be the case

also there are misguiding information about no-check vs nocheck...

Like # people like this
Leonard Chew Community Leader Jun 23, 2017

You are right, Ives. In order for this to be fixed, I have reported a Bug. As I do not have permission to create the bug, I reported it to atlassian support and they will open the bug.

As soon as I have the issue ID I'll post the link to the bug for upvoting.

Leonard Chew Community Leader Jun 29, 2017

After having contacted Atlassian Support to raise a bug:

  1. Atlassian does not consider this as a bug, so no bug will be opened.
  2. This (mis-)behaviour has been documented in the Jira Knowledge Base and users will have to live with the workaround of clearing the user-agent header:


Thanks a lot, it works!

HI all,

I am new to dev, and i am facing the same issue when sending ajax  POST to createissue in JIRA, How should i remove User-Agent header in ajax request. 

Like Sachin Pakale likes this

Did you find the answer by now? I am facing the same issue.

Unbelievable fix. Thank you!!!! from 2019.
Bitbucket Server behind a reverse proxy exhibits this exact problem..
Several unanswered community questions over this.

Like # people like this

header X-Atlassian-Token: no-check should work. Are you sure you are sending it correctly?

Yes, I think it is correct usage: 


Like Mikhail Kosenko likes this

Hello Mikhail,


have you found a solution for your problem, because I have the same issue and I would really appreciate it if you could share your solution with me.


Sincerely Tobias

I am having the same issue when using the REST API, if you found a solution can you please share it with the community?



Following thread, having the same issue.

I resolved this problem just adding an extra line to my VBA code (the one in bold), not sure this is helpful as this thread is not VBA related. It sets the "Origin" to your JIRA URL:

.setRequestHeader "X-Atlassian-Token", "nocheck"
.setRequestHeader "Origin", ""
.setRequestHeader "Content-Type", "multipart/form-data; boundary=" & sBOUNDARY
.setRequestHeader "Authorization", "Basic " 
.setRequestHeader "Set-Cookie", sCookie

Like Dominic Lagger likes this

The "Origin" header set to base url of JIRA solved it for me. Thank you.

Hi! I am facing the same problem, but I am unable to set Origin. Chrome refuses saying "Refused to set unsafe header "Origin""

Any idea how to solve this problem?

The Header should be "X-Atlassian-Token: nocheck"

It seems, it is firefox related issue. Becuse issues creation is successful via other REST clients.

or it is depending on the agent string...

Hi all, with JSON it looks like this to create an issue in JIRA via REST request:

{"Post Jjira Issue":{"method":"POST","url":"http://...yourjiraurl.../rest/api/2/issue/","body":"{    "fields":{  "project":  { "key": "...yourjiraprojectkey..."    }, "summary": "No REST for the Wicked.", "description": "Creating of an issue using key for project and name for issue type using the REST API", "issuetype": {   "name": "Bug"   }}}","overrideMimeType":false,"headers":[["Authorization","Basic ...yourbase64loginstring..."],["Content-Type","application/json"],["User-Agent","xx"],["X-Atlassian-Token","nocheck"]]}}


It is also possible to whitelist any number of domains in Jira, so that they bypass XFRS security.

This issue illustrates how to do that:

So I ran into this issue while writing an App and for me two things solved the error

1. If proxying the request: Send the actual hostName of the HTTPS Proxy

2. Do NOT send the "User-Agent" Header.

Hey, thanks for posting what worked for you!

1. Could you clarify what you mean by sending the actual hostName?  Send it how, in what attribute? 

2. How did you avoid sending the "User-Agent" header?  My impression is that modern browsers prevent this these days.  When I try, I get errors in Chrome: 'Refused to set unsafe header "User-Agent"'.

Like natasha_kozhina likes this
0 votes

I'm still having this isssue, I'm writing a figma plugin which runs in the browser, and i'm getting an XSRF check failed request response when making an api post

Suggest an answer

Log in or Sign up to answer

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you