
Jira 7 rest api: XSRF check failed for post issue with application/json

Hi,

I am trying to create an issue via the JIRA 7 REST API, but creation fails with the message "XSRF check failed".

Please see attached screenshot:

 

jira-rest.png

According to the documentation (here https://confluence.atlassian.com/bitbucketserver/how-to-update-your-add-on-779302412.html#Howtoupdateyouradd-on-XSRFProtectionenabledbydefault and here: https://confluence.atlassian.com/display/KB/Cross+Site+Request+Forgery%28CSRF%29+protection+changes+in+Atlassian+Rest),

if I understood correctly, the XSRF check should not be performed for POST requests with Content-Type: application/json. But I get error 403 with the message "XSRF check failed".

I also tried adding the header X-Atlassian-Token: no-check, and it had no effect.

This behavior occurs in JIRA 7. The issue does not exist in previous versions.

Can you please clarify why "XSRF check failed" occurred for POST requests with Content-Type: application/json? Maybe something is wrong with my requests or JIRA configuration?

Thanks.

 

7 answers

I was a bit baffled as I noticed the REST call worked with Chrome, but not with Firefox, no matter which Plugin I used (not even editing the call with F12).

After some testing I found the solution:
It turns out to be that the REST API has problems with the default User-Agent String of Firefox, e.g. (Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0)

Overwrite the User-Agent String with some dummy value, and it will work :)

postDataFirefox.png

Thanks for the post.

I found this solution worked with JQuery ajax call to the Bamboo Rest API as well.

The ajax function would work properly in IE but Firefox and Chrome returned the error "403 XSRF check failed"


This should be fixed! Is there a bug open for this? This is ridiculous! It always cost me half a day - and it is definitely depending on the agent string -> this should not be the case.

Also, there is misleading information about no-check vs nocheck...


You are right, Ives. In order for this to be fixed, I have reported a Bug. As I do not have permission to create the bug, I reported it to atlassian support and they will open the bug.


As soon as I have the issue ID I'll post the link to the bug for upvoting.

After having contacted Atlassian Support to raise a bug:

  1. Atlassian does not consider this as a bug, so no bug will be opened.
  2. This (mis-)behaviour has been documented in the Jira Knowledge Base and users will have to live with the workaround of clearing the user-agent header:
    https://confluence.atlassian.com/jirakb/rest-api-calls-with-a-browser-user-agent-header-may-fail-csrf-checks-802591455.html

 

Thanks a lot, it works!

Hi all,

I am new to dev, and I am facing the same issue when sending an ajax POST to create an issue in JIRA. How should I remove the User-Agent header in an ajax request?


Did you find the answer by now? I am facing the same issue.

It seems it is a Firefox-related issue, because issue creation is successful via other REST clients.

or it is depending on the agent string...

The header X-Atlassian-Token: no-check should work. Are you sure you are sending it correctly?

Yes, I think it is correct usage: 

jira-rest.png

Hello Mikhail,

 

have you found a solution for your problem, because I have the same issue and I would really appreciate it if you could share your solution with me.

 

Sincerely Tobias

I am having the same issue when using the REST API, if you found a solution can you please share it with the community?

Regards,

Mircea

Following thread, having the same issue.

I resolved this problem just adding an extra line to my VBA code (the one in bold), not sure this is helpful as this thread is not VBA related. It sets the "Origin" to your JIRA URL:

.setRequestHeader "X-Atlassian-Token", "nocheck"
.setRequestHeader "Origin", "https://amptjira01.sa1.mer-csn.com:8443/"
.setRequestHeader "Content-Type", "multipart/form-data; boundary=" & sBOUNDARY
.setRequestHeader "Authorization", "Basic " 
.setRequestHeader "Set-Cookie", sCookie


The "Origin" header set to base url of JIRA solved it for me. Thank you.

Hi! I am facing the same problem, but I am unable to set Origin. Chrome refuses saying "Refused to set unsafe header "Origin""

Any idea how to solve this problem?

The Header should be "X-Atlassian-Token: nocheck"

Hi all, with JSON it looks like this to create an issue in JIRA via REST request:

{
  "Post Jjira Issue": {
    "method": "POST",
    "url": "http://...yourjiraurl.../rest/api/2/issue/",
    "body": "{\"fields\":{\"project\":{\"key\":\"...yourjiraprojectkey...\"},\"summary\":\"No REST for the Wicked.\",\"description\":\"Creating of an issue using key for project and name for issue type using the REST API\",\"issuetype\":{\"name\":\"Bug\"}}}",
    "overrideMimeType": false,
    "headers": [
      ["Authorization", "Basic ...yourbase64loginstring..."],
      ["Content-Type", "application/json"],
      ["User-Agent", "xx"],
      ["X-Atlassian-Token", "nocheck"]
    ]
  }
}

 

It is also possible to whitelist any number of domains in Jira, so that they bypass XSRF security.

This issue illustrates how to do that:

https://jira.atlassian.com/browse/JRASERVER-59551

So I ran into this issue while writing an App and for me two things solved the error

1. If proxying the request: Send the actual hostName of the HTTPS Proxy

2. Do NOT send the "User-Agent" Header.
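
The header conditions reported across this thread, collected into an added example (not any poster's code and not Atlassian's implementation): a request builder for the create-issue call and a lint pass that flags the header combinations posters associated with "XSRF check failed". The function names, the `issue-client` User-Agent value and the rule labels are assumptions made for illustration.

```javascript
// Added example: models what posters in this thread observed,
// not Jira's server-side XSRF logic.
const BROWSER_UA = /Mozilla\/|Chrome\/|Firefox\/|Safari\//i;

// Build a create-issue request with the headers the working answers used.
function buildCreateIssueRequest(baseUrl, basicAuth, fields) {
  const base = baseUrl.endsWith('/') ? baseUrl : baseUrl + '/';
  return {
    url: new URL('rest/api/2/issue/', base).href,
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'X-Atlassian-Token': 'no-check',
      'User-Agent': 'issue-client', // constructed non-browser value
      'Authorization': 'Basic ' + basicAuth,
    },
    body: JSON.stringify({ fields }),
  };
}

// Return labels for header problems the thread ties to the 403 response.
function lintHeaders(baseUrl, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const problems = [];
  if (h['user-agent'] && BROWSER_UA.test(h['user-agent'])) {
    problems.push('browser-user-agent');
  }
  const token = h['x-atlassian-token'];
  if (!token) {
    problems.push('missing-x-atlassian-token');
  } else if (!['no-check', 'nocheck'].includes(token.trim().toLowerCase())) {
    problems.push('unexpected-token-value'); // thread mentions both spellings
  }
  if (h['origin']) {
    let same = false;
    try {
      // URL.origin normalises scheme, host and default ports before comparing.
      same = new URL(h['origin']).origin === new URL(baseUrl).origin;
    } catch (e) { /* malformed Origin or base URL counts as a mismatch */ }
    if (!same) problems.push('origin-mismatch');
  }
  return problems;
}
```

Run `lintHeaders` over the headers a failing client actually sends (copied from a proxy or debug log) to see which of the thread's conditions apply before changing server-side settings.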
