Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Add groovy example

...

To protect against this class of attacks, go to "Manage Jenkins" > "Configure Global Security" and select "Prevent Cross Site Request Forgery exploits." This option is enabled by default in new installations starting Jenkins 2.x, but if you are still on 1.x or upgrading existing installations to 2.x, this option is off by default.

Or with groovy:

Code Block
languagegroovy
titlecsrf.groovy
import hudson.security.csrf.DefaultCrumbIssuer
import jenkins.model.Jenkins

def instance = Jenkins.instance
instance.setCrumbIssuer(new DefaultCrumbIssuer(true))
instance.save()

Gotchas

  • If you are using nginx as a reverse proxy in front of Jenkins, you need an extra system property on Jenkins "-Dhudson.security.csrf.requestfield=Jenkins-Crumb". See JENKINS-23793 for more details
  • If you have scripts and other programs that access Jenkins via REST API, they can be impacted. See its CSRF section for more information about how to update those scripts.