Enabling CSRF Protection prevents editing/adding parameters to jobs - intentional or bug?
Problem
Recently Jenkins has been putting out a number of security warnings related to CSRF Protection. We tried enabling it on our version of Jenkins (ver. 2.89.2) only to find that with it enabled you can no longer add or edit parameters on either freestyle or pipeline jobs via the GUI.
I did fairly extensive testing to narrow it down as the culprit, but I still don't understand why the option exists and is being recommended if it cripples Jenkins jobs.
Is this a feature or a bug? If it is a feature, why? What's to gain?
Solution
I believe this may be a result of running Jenkins behind a proxy, which can cause legitimate requests to perhaps appear to Jenkins as cross-site requests. From the official wiki:
If you are using nginx as a reverse proxy in front of Jenkins, you need an extra system property on Jenkins "-Dhudson.security.csrf.requestfield=Jenkins-Crumb". See JENKINS-23793 for more details
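The following is an added example, not part of the original answer and not code from the Jenkins project. It shows the two halves of the fix in practice: the JVM property the wiki quote refers to, and a client that fetches a crumb from Jenkins' crumb issuer (the real endpoint /crumbIssuer/api/json, which returns the crumb value and the field name it expects it in) and sends it back on a job-configuration update through the proxy. The header-name check encodes nginx's documented default behaviour (ignore_invalid_headers): request headers whose names contain anything other than letters, digits and hyphens are dropped, which is why a hyphen-only field name such as Jenkins-Crumb survives the proxy. The environment variables JENKINS_URL, JENKINS_AUTH and COOKIES, the sample JSON, and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post or the Jenkins project).
# Assumes: curl is installed; JENKINS_URL points at the nginx front end
# (e.g. https://ci.example.org), JENKINS_AUTH is "user:api-token", and
# COOKIES is a writable cookie-jar path. No network request is made unless
# fetch_crumb_header / update_job_config are called explicitly.
set -eu

# Field name Jenkins is told to use for the crumb. It must be a name nginx
# will forward: letters, digits and hyphens only (ignore_invalid_headers).
CRUMB_FIELD="Jenkins-Crumb"
COOKIES="${COOKIES:-/tmp/jenkins-cookies.$$}"

# Java system property to add to the Jenkins start-up command line
# (JAVA_OPTS / JENKINS_JAVA_OPTIONS, depending on how Jenkins is launched).
jenkins_csrf_opt() {
  printf '%s' "-Dhudson.security.csrf.requestfield=$CRUMB_FIELD"
}

# Returns 0 if nginx's default header-name rule lets this name through,
# 1 if nginx would silently drop a request header with this name.
nginx_forwards_header() {
  case "$1" in
    '')              return 1 ;;
    *[!A-Za-z0-9-]*) return 1 ;;
    *)               return 0 ;;
  esac
}

# Turns the JSON from /crumbIssuer/api/json into a "Name: value" header.
# sed only, so it works without jq. Constructed sample input:
#   {"_class":"hudson.security.csrf.DefaultCrumbIssuer",
#    "crumb":"0123abcd","crumbRequestField":"Jenkins-Crumb"}
# Fails (returns 1) if either field is missing, so a half-parsed crumb is
# never sent.
crumb_header_from_json() {
  field=$(printf '%s' "$1" | sed -n 's/.*"crumbRequestField" *: *"\([^"]*\)".*/\1/p')
  value=$(printf '%s' "$1" | sed -n 's/.*"crumb" *: *"\([^"]*\)".*/\1/p')
  [ -n "$field" ] && [ -n "$value" ] || return 1
  nginx_forwards_header "$field" || {
    echo "crumb field '$field' would be dropped by nginx; set $(jenkins_csrf_opt)" >&2
    return 1
  }
  printf '%s: %s' "$field" "$value"
}

# Fetch a crumb through the proxy. The cookie jar is reused below because
# Jenkins associates the crumb with the HTTP session that requested it.
fetch_crumb_header() {
  json=$(curl -sS -f -u "$JENKINS_AUTH" -b "$COOKIES" -c "$COOKIES" \
    "$JENKINS_URL/crumbIssuer/api/json")
  crumb_header_from_json "$json"
}

# Replace a job's config.xml (this is the request that adds or edits
# parameters). $1 = job name, $2 = path to the new config.xml.
update_job_config() {
  hdr=$(fetch_crumb_header)
  curl -sS -f -u "$JENKINS_AUTH" -b "$COOKIES" -c "$COOKIES" \
    -H "$hdr" -H 'Content-Type: application/xml' \
    --data-binary "@$2" "$JENKINS_URL/job/$1/config.xml"
}
```

Usage: source the script and run `JENKINS_URL=https://ci.example.org JENKINS_AUTH=user:token update_job_config my-job config.xml`. If the POST through nginx returns 403 "No valid crumb was included in the request" while the same call directly against the Jenkins port succeeds, the proxy is dropping the crumb header, and the property printed by `jenkins_csrf_opt` is the setting to add.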
Context
StackExchange DevOps Q#3145, answer score: 1