Due to some maintenance issues, this service has been switched in read-only mode, you can find more information about the why

and how to migrate your plugin documentation in this blogpost

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

Overview

Cross site request forgery is a class of attack that forces an end user to execute unwanted actions on Jenkins. Because of the way this attack works, even Jenkins that's running inside a corporate firewall is vulnerable. A common way to exploit this is by spear phishing.

Enabling Protection

To protect against this class of attacks, go to "Manage Jenkins" > "Configure Global Security" and select "Prevent Cross Site Request Forgery exploits." This option is enabled by default in new installations starting Jenkins 2.x, but if you are still on 1.x or upgrading existing installations to 2.x, this option is off by default.

Gotchas

  • If you are using nginx as a reverse proxy in front of Jenkins, you need an extra system property on Jenkins "-Dhudson.security.csrf.requestfield=Jenkins-Crumb". See JENKINS-23793 for more details
  • If you have scripts and other programs that access Jenkins via REST API, they can be impacted. See its CSRF section for more information about how to update those scripts.
  • No labels