Environment
- CloudBees CI (CloudBees Core)
- CloudBees CI (CloudBees Core) on modern cloud platforms - Managed controller
- CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center
- CloudBees CI (CloudBees Core) on traditional platforms - Client controller
- CloudBees CI (CloudBees Core) on traditional platforms - Operations Center
- CloudBees Jenkins Enterprise
- CloudBees Jenkins Enterprise - Managed controller
- CloudBees Jenkins Enterprise - Operations Center
- CloudBees Jenkins Platform - Client controller
- CloudBees Jenkins Platform - Operations Center
- CloudBees Jenkins Distribution
- Jenkins LTS
Issue
-
CSRF is not available in the UI.
-
CSRF is enabled by default.
Resolution
As explained in Upgrading to Jenkins LTS 2.222.x :
Jenkins will automatically enable CSRF protection with the default crumb issuer if it was disabled before. The ability to not have CSRF protection enabled has been deprecated and removed from the UI.
Currently, to be able to disable the functionality, it is required to use the parameter -Dhudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION=true
on startup to disable CSRF protection.
WARNING
Deactivating CSRF might expose your instance to security issues. Make sure to have your security team reviewing the change.
0 Comments