
How do you disable XSRF checking in Jira 8.x

Steve Lyons July 13, 2021

When using a reverse proxy (F5 LTM + APM Portal Access resource), there are consistent POSTs from the client via REST, and each response from the Jira server is a 403 resulting in a failed XSRF check. Looking at all of the GETs and POSTs, I see a jsessionid and csrf token, but for some reason the XSRF check still fails based on the Wireshark captures on the server side.

I have attempted the no-check header option with no success and am not sure what else to do. Any insight is greatly appreciated.

1 answer

0 votes
Answer accepted
Steve Lyons July 17, 2021

Issue resolved based on the article (REST API calls and User-Agent headers) below, but a little more info for anyone that may run into this in the future. If using LTM only for load balancing purposes, I am able to successfully access and authenticate to the Jira webpage and the functionality is great.

Once I introduced LTM + APM I began to see 403s (XSRF check failed) when the client sent a POST.  This occurred whether I was just using APM to authenticate to a pool member or using a portal access resource.  Due to these errors, images would not load when viewing projects and other items within Jira.

Jira1.png

After reviewing the article regarding User-Agent headers for API calls, I created a local traffic policy to remove the User-Agent header from all POST HTTP methods. (Note: this can be done via iRule or local traffic policy.)

Jira2.png

Then, reviewing a capture on the Jira server, you will see all POSTs no longer have the User-Agent header included, and this does not include any other HTTP method.

Jira3.png

As a result, the same page that resulted in the XSRF check failed error now loads.

Jira4.png

https://confluence.atlassian.com/jirakb/rest-api-calls-with-a-browser-user-agent-header-may-fail-csrf-checks-802591455.html
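
The iRule form of the header removal described in the accepted answer, as an added example that is not the original poster's policy. It is narrowed to POSTs whose path contains `/rest/` (an assumption; the answer's policy covered every POST), and it logs each rewrite so the change stays visible to whoever reviews the proxy later.

```tcl
# Added example, not the configuration from the post.
# Assumption: Jira REST calls carry "/rest/" in the request path.
when HTTP_REQUEST {
    # Only POSTs are modified, matching the answer; other methods keep User-Agent.
    if { [HTTP::method] eq "POST" && [HTTP::path] contains "/rest/" } {
        if { [HTTP::header exists "User-Agent"] } {
            # Leave an audit trail of the rewrite in the LTM log.
            log local0.info "Jira XSRF workaround: removed User-Agent on POST [HTTP::path] from [IP::client_addr]"
            HTTP::header remove "User-Agent"
        }
    }
}
```

A server-side capture, as in the answer, confirms that only the matching POSTs arrive without the header.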
