Jira 7 rest api: XSRF check failed for post issue with application/json

Mikhail Baksheev January 21, 2016

Hi,

I trying to create an issue via JIRA 7 Reast API but creation is failed with message "XSRF check failed"

Please see attached screenshot:

 

jira-rest.png

According documentation (here https://confluence.atlassian.com/bitbucketserver/how-to-update-your-add-on-779302412.html#Howtoupdateyouradd-on-XSRFProtectionenabledbydefault and here: https://confluence.atlassian.com/display/KB/Cross+Site+Request+Forgery%28CSRF%29+protection+changes+in+Atlassian+Rest)

if i understood correctly, xsrf check should not performs for post requests with Content-Type: application/json But I get the eroror 403 with message "XSRF check failed".

Also I tryed to add header X-Atlassian-Token: no-check and there are no any effect.

This behavior is actual for JIRA 7. There is no this issue in the previous versions.

Can you please clarify why "XSRF check failed" occured for post requests with Content-Type: application/json? May be something wrong on my requests or JIRA configuration?

Thanks.

 

10 answers

1 accepted

15 votes
Answer accepted
Leonard Chew
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 12, 2016

I was a bit baffled as I noticed the REST call worked with Chrome, but not with Firefox, no matter which Plugin I used (not even editing the call with F12).

After some testing I found the solution:
It turns out to be that the REST API has problems with the default User-Agent String of Firefox, e.g. (Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0)

Overwrite the User-Agent String with some dummy value, and it will work smile

postDataFirefox.png

Carl Weiss August 22, 2016

Thanks for the post.

I found this solution worked with JQuery ajax call to the Bamboo Rest API as well.

The ajax function would work properly in IE but Firefox and Chrome returned the error "403 XSRF check failed"

Like # people like this
Murali September 19, 2016

It works!

Ives Laaf June 22, 2017

this should be fixed! is there a bug for this open? this is rediculous! it did cost me always half a day - and is defenitly depending on the agent string -> this should not be the case

also there are misguiding information about no-check vs nocheck...

Like # people like this
Leonard Chew
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
June 23, 2017

You are right, Ives. In order for this to be fixed, I have reported a Bug. As I do not have permission to create the bug, I reported it to atlassian support and they will open the bug.


As soon as I have the issue ID I'll post the link to the bug for upvoting.

Leonard Chew
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
June 29, 2017

After having contacted Atlassian Support to raise a bug:

  1. Atlassian does not consider this as a bug, so no bug will be opened.
  2. This (mis-)behaviour has been documented in the Jira Knowledge Base and users will have to live with the workaround of clearing the user-agent header:
    https://confluence.atlassian.com/jirakb/rest-api-calls-with-a-browser-user-agent-header-may-fail-csrf-checks-802591455.html

 

bigantal August 4, 2017

Thanks a lot, it works!

jefin February 13, 2019

HI all,

I am new to dev, and i am facing the same issue when sending ajax  POST to createissue in JIRA, How should i remove User-Agent header in ajax request. 

Like Sachin Pakale likes this
Sachin Pakale July 4, 2019

Did you find the answer by now? I am facing the same issue.

ensemblebd November 30, 2019

Unbelievable fix. Thank you!!!! from 2019.
Bitbucket Server behind a reverse proxy exhibits this exact problem..
Several unanswered community questions over this.

Like # people like this
Prashant B June 2, 2021

Thank you, you have really saved me 1 hour of head cracking... I set this .SetRequestHeader "User-Agent", "dummyValue" in my excel VBA and it works. Kudos

2 votes
David Chou July 28, 2016

The Header should be "X-Atlassian-Token: nocheck"

2 votes
Jobin Kuruvilla [Adaptavist]
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
January 21, 2016

header X-Atlassian-Token: no-check should work. Are you sure you are sending it correctly?

Mikhail Baksheev January 21, 2016

Yes, I think it is correct usage: 

jira-rest.png

Like Mikhail Kosenko likes this
Tobias Dauenhauer April 21, 2016

Hello Mikhail,

 

have you found a solution for your problem, because I have the same issue and I would really appreciate it if you could share your solution with me.

 

Sincerely Tobias

MR2001 June 13, 2016

I am having the same issue when using the REST API, if you found a solution can you please share it with the community?

Regards,

Mircea

David Christensen August 24, 2016

Following thread, having the same issue.

MR2001 August 24, 2016

I resolved this problem just adding an extra line to my VBA code (the one in bold), not sure this is helpful as this thread is not VBA related. It sets the "Origin" to your JIRA URL:

.setRequestHeader "X-Atlassian-Token", "nocheck"
.setRequestHeader "Origin", "https://amptjira01.sa1.mer-csn.com:8443/"
.setRequestHeader "Content-Type", "multipart/form-data; boundary=" & sBOUNDARY
.setRequestHeader "Authorization", "Basic " 
.setRequestHeader "Set-Cookie", sCookie

Like # people like this
Dmitry Andrejev
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
November 27, 2016

The "Origin" header set to base url of JIRA solved it for me. Thank you.

vamshi81 July 11, 2017

Hi! I am facing the same problem, but I am unable to set Origin. Chrome refuses saying "Refused to set unsafe header "Origin""

Any idea how to solve this problem?

1 vote
Mikhail Baksheev January 26, 2016

It seems, it is firefox related issue. Becuse issues creation is successful via other REST clients.

Ives Laaf June 22, 2017

or it is depending on the agent string...

0 votes
Francesco R
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
March 11, 2021

I'm just out of this issue. For my experience it wasn't a problem related to the browser. I had XSRF check failed both with Firefox and Chrome.
I was trying to attach a file to an issue with rest API.
Using Python or curl it worked. But using axios, inside the plugin, was creating me a lot of problems.
I tried all the suggested solutions. It's not possible to change "User-Agent": as @[deleted] said browers prevent this. After countless attempts I succeeded in attaching file with these lines of code.

 

var attachheaders = { headers: { 
'X-Atlassian-Token': 'no-check',
'Content-Type': 'multipart/form-data'
}
};

var attachrest = '/rest/api/latest/issue/'+this.issueKey+'/attachments';
var attachdata = new FormData();
attachdata.append('file', this.attachedFile);
axios.post( attachrest, attachdata, attachheaders
).then(response => {
console.log(response);
if (response.status == 200) {
// do something here
}
}).catch(error => {
console.log(error.response);
}).finally(() => {
  // do something here
});


Inserting a comment I had a 400 error, and logging error on the console I noted that the real error was due to the data block bad formatted.
The header is different and also the data block.
So the correct code (using axios) is (for my experience):


var commentrest = '/rest/api/latest/issue/'+this.issueKey+'/comment';
var commentdata = {'body' : 'MY NEW COMMENT'};
var commentheaders = { headers: {
                              'X-Atlassian-Token': 'no-check',
                            'Content-Type': 'application/json'
  }
};
axios.post(commentrest, commentdata, commentheaders
  ).then(response => {
// etc etc.

 

If I well remember in comment headers the 'X-Atlassian-Token': 'no-check' is useless but I am using it the same.
I hope this helps. Just a my opinion about Atlassian example on api rest. Maybe some more examples in addition to simple curl command line could be more useful. 

0 votes
Bernard Tai January 1, 2021

+1 issue with getting error "XSRF check failed". This issue is only present when using Chrome browser (87.0.4280.88 on OSX) to post javascript request to Atlassian Jira API. Example request https://digitaloperative.atlassian.net/rest/api/3/search 

Not an issue for Safari or Firefox

Bernard Tai January 11, 2021

As of Jan 11 2021, also an issue on Safari and Firefox. 

0 votes
Idan Arbel September 26, 2020

I'm still having this isssue, I'm writing a figma plugin which runs in the browser, and i'm getting an XSRF check failed request response when making an api post

0 votes
Bernhard Gruenewaldt May 3, 2019

So I ran into this issue while writing an App and for me two things solved the error

1. If proxying the request: Send the actual hostName of the HTTPS Proxy

2. Do NOT send the "User-Agent" Header.

guru November 13, 2019

Hey, thanks for posting what worked for you!

1. Could you clarify what you mean by sending the actual hostName?  Send it how, in what attribute? 

2. How did you avoid sending the "User-Agent" header?  My impression is that modern browsers prevent this these days.  When I try, I get errors in Chrome: 'Refused to set unsafe header "User-Agent"'.

Like natasha_kozhina likes this
0 votes
Tormod Haugene March 21, 2019

It is also possible to whitelist any number of domains in Jira, so that they bypass XFRS security.

This issue illustrates how to do that:

https://jira.atlassian.com/browse/JRASERVER-59551

0 votes
Boris Lux August 30, 2016

Hi all, with JSON it looks like this to create an issue in JIRA via REST request:

{"Post Jjira Issue":{"method":"POST","url":"http://...yourjiraurl.../rest/api/2/issue/","body":"{    "fields":{  "project":  { "key": "...yourjiraprojectkey..."    }, "summary": "No REST for the Wicked.", "description": "Creating of an issue using key for project and name for issue type using the REST API", "issuetype": {   "name": "Bug"   }}}","overrideMimeType":false,"headers":[["Authorization","Basic ...yourbase64loginstring..."],["Content-Type","application/json"],["User-Agent","xx"],["X-Atlassian-Token","nocheck"]]}}

 

Suggest an answer

Log in or Sign up to answer