Jira 7 rest api: XSRF check failed for post issue with application/json

Hi,

I trying to create an issue via JIRA 7 Reast API but creation is failed with message "XSRF check failed"

Please see attached screenshot:

 

jira-rest.png

According documentation (here https://confluence.atlassian.com/bitbucketserver/how-to-update-your-add-on-779302412.html#Howtoupdateyouradd-on-XSRFProtectionenabledbydefault and here: https://confluence.atlassian.com/display/KB/Cross+Site+Request+Forgery%28CSRF%29+protection+changes+in+Atlassian+Rest)

if i understood correctly, xsrf check should not performs for post requests with Content-Type: application/json But I get the eroror 403 with message "XSRF check failed".

Also I tryed to add header X-Atlassian-Token: no-check and there are no any effect.

This behavior is actual for JIRA 7. There is no this issue in the previous versions.

Can you please clarify why "XSRF check failed" occured for post requests with Content-Type: application/json? May be something wrong on my requests or JIRA configuration?

Thanks.

 

5 answers

I was a bit baffled as I noticed the REST call worked with Chrome, but not with Firefox, no matter which Plugin I used (not even editing the call with F12).

After some testing I found the solution:
It turns out to be that the REST API has problems with the default User-Agent String of Firefox, e.g. (Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0)

Overwrite the User-Agent String with some dummy value, and it will work smile

postDataFirefox.png

Thanks for the post.

I found this solution worked with JQuery ajax call to the Bamboo Rest API as well.

The ajax function would work properly in IE but Firefox and Chrome returned the error "403 XSRF check failed"

this should be fixed! is there a bug for this open? this is rediculous! it did cost me always half a day - and is defenitly depending on the agent string -> this should not be the case

also there are misguiding information about no-check vs nocheck...

You are right, Ives. In order for this to be fixed, I have reported a Bug. As I do not have permission to create the bug, I reported it to atlassian support and they will open the bug.


As soon as I have the issue ID I'll post the link to the bug for upvoting.

After having contacted Atlassian Support to raise a bug:

  1. Atlassian does not consider this as a bug, so no bug will be opened.
  2. This (mis-)behaviour has been documented in the Jira Knowledge Base and users will have to live with the workaround of clearing the user-agent header:
    https://confluence.atlassian.com/jirakb/rest-api-calls-with-a-browser-user-agent-header-may-fail-csrf-checks-802591455.html

 

Thanks a lot, it works!

HI all,

I am new to dev, and i am facing the same issue when sending ajax  POST to createissue in JIRA, How should i remove User-Agent header in ajax request. 

It seems, it is firefox related issue. Becuse issues creation is successful via other REST clients.

or it is depending on the agent string...

0 votes

header X-Atlassian-Token: no-check should work. Are you sure you are sending it correctly?

Yes, I think it is correct usage: 

jira-rest.png

Hello Mikhail,

 

have you found a solution for your problem, because I have the same issue and I would really appreciate it if you could share your solution with me.

 

Sincerely Tobias

I am having the same issue when using the REST API, if you found a solution can you please share it with the community?

Regards,

Mircea

Following thread, having the same issue.

I resolved this problem just adding an extra line to my VBA code (the one in bold), not sure this is helpful as this thread is not VBA related. It sets the "Origin" to your JIRA URL:

.setRequestHeader "X-Atlassian-Token", "nocheck"
.setRequestHeader "Origin", "https://amptjira01.sa1.mer-csn.com:8443/"
.setRequestHeader "Content-Type", "multipart/form-data; boundary=" & sBOUNDARY
.setRequestHeader "Authorization", "Basic " 
.setRequestHeader "Set-Cookie", sCookie

The "Origin" header set to base url of JIRA solved it for me. Thank you.

Hi! I am facing the same problem, but I am unable to set Origin. Chrome refuses saying "Refused to set unsafe header "Origin""

Any idea how to solve this problem?

The Header should be "X-Atlassian-Token: nocheck"

Hi all, with JSON it looks like this to create an issue in JIRA via REST request:

{"Post Jjira Issue":{"method":"POST","url":"http://...yourjiraurl.../rest/api/2/issue/","body":"{    "fields":{  "project":  { "key": "...yourjiraprojectkey..."    }, "summary": "No REST for the Wicked.", "description": "Creating of an issue using key for project and name for issue type using the REST API", "issuetype": {   "name": "Bug"   }}}","overrideMimeType":false,"headers":[["Authorization","Basic ...yourbase64loginstring..."],["Content-Type","application/json"],["User-Agent","xx"],["X-Atlassian-Token","nocheck"]]}}

 

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Feb 13, 2019 in Jira

Make your Atlassian Cloud products more secure: our NEW admin security guide

Hey admins! I’m Dave, Principal Product Manager here at Atlassian working on our cloud platform and security products. Cloud security is a moving target. As you adopt more products, employees consta...

528 views 0 12
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you