What is CSRF
Cross-Site Request Forgery (CSRF) is a web application vulnerability that allows another website to perform actions in Jenkins on behalf of a logged-in user. It is highly recommended to enable CSRF protection to protect Jenkins from cross-site operations.
CSRF protection works by issuing a crumb (token) for the Jenkins instance; the user must provide the crumb with every request that triggers a build or changes the Jenkins configuration.
CSRF protection is enabled by default from the Jenkins 2.222.x release, and the option to disable it in “Configure Global Security” is deprecated in the UI.
Enable CSRF Protection
To enable CSRF protection, navigate to the path below and set the system property as shown below.
Log in to Jenkins -> Manage Jenkins -> Script Console
The default crumb issuer encodes the following information in the hash used as the crumb:
- The username that the crumb was generated for
- The web session ID that the crumb was generated in
- The IP address of the user that the crumb was generated for
- A salt unique to this Jenkins instance
CSRF protection is enabled by default, and you need a crumb to change the Jenkins configuration remotely.
Disable CSRF Protection
To disable CSRF protection, navigate to the path below and set the system property as shown below.
Log in to Jenkins -> Manage Jenkins -> Script Console
How to run Jenkins jobs remotely
API Token
Requests that authenticate to Jenkins with an API token are exempt from CSRF protection.
Below is the webhook endpoint to trigger a Jenkins job remotely from Bitbucket.
Password
Requests that authenticate to Jenkins with a password are not exempt from CSRF protection. You must disable CSRF protection to manage the Jenkins configuration remotely this way.
Below is the webhook endpoint to trigger a Jenkins job remotely from Bitbucket.
Crumb
Scripted clients must request a crumb, and remote requests that trigger a build or change the configuration must include that crumb.
The Jenkins API endpoint “crumbIssuer/api” issues crumbs; run the wget command below to obtain one.
You must include the crumb in every request that triggers a build or changes the Jenkins configuration.
Below is the POST request to trigger Jenkins job remotely.
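The two remote-trigger paths described in the API Token and Crumb sections, as an added example that is not code from the original page: a POSIX shell script that triggers a build with a username and API token (no crumb needed), and separately fetches a crumb from crumbIssuer/api and sends it, together with the session cookie, on a password-authenticated build request. JENKINS_URL, JENKINS_USER, JENKINS_TOKEN, JENKINS_PASSWORD, JOB_NAME and COOKIE_JAR are assumed placeholder environment variables, and crumb_looks_valid is a helper introduced here, not a Jenkins API.

```sh
#!/bin/sh
# Added example (not from the original page). Assumed placeholders, read from the
# environment: JENKINS_URL, JENKINS_USER, JENKINS_TOKEN (API token),
# JENKINS_PASSWORD, JOB_NAME (a top-level job; folders need job/<folder>/job/<name>).

COOKIE_JAR="${COOKIE_JAR:-/tmp/jenkins-cookies.txt}"

# Path 1: username + API token. Jenkins exempts API-token requests from CSRF
# checks, so no crumb is sent. A Bitbucket webhook would call this same URL.
trigger_build_with_api_token() {
  job="$1"
  curl -s -o /dev/null -w '%{http_code}' -X POST \
    -u "$JENKINS_USER:$JENKINS_TOKEN" \
    "$JENKINS_URL/job/$job/build"
}

# Path 2a: fetch a crumb for a password-authenticated session. The xpath query
# makes Jenkins return header name and value already joined, e.g.
# "Jenkins-Crumb:<hex>". The cookie jar matters: since Jenkins 2.176.2 the crumb
# is bound to the web session that issued it, so the same session cookie must be
# replayed with the build request or Jenkins answers 403 "No valid crumb".
fetch_crumb() {
  curl -s -c "$COOKIE_JAR" \
    -u "$JENKINS_USER:$JENKINS_PASSWORD" \
    "$JENKINS_URL/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,%22:%22,//crumb)"
}

# Sanity check before using the crumb as a header. A wrong URL or failed login
# usually yields an HTML page instead of "<field>:<hex>"; treat that as "bad"
# rather than sending it on. Prints "ok" or "bad".
crumb_looks_valid() {
  case "$1" in
    *[!A-Za-z0-9.:_-]*) echo bad ;;   # '<', spaces, newlines: not a crumb
    ?*:[0-9a-fA-F]*)    echo ok ;;    # non-empty field, colon, hex value
    *)                  echo bad ;;   # empty, or missing the hex part
  esac
}

# Path 2b: POST the build with the crumb header and the session cookie.
# Jenkins replies 201 Created when the build is queued.
trigger_build_with_crumb() {
  job="$1"; crumb="$2"
  curl -s -o /dev/null -w '%{http_code}' -X POST \
    -u "$JENKINS_USER:$JENKINS_PASSWORD" -b "$COOKIE_JAR" \
    -H "$crumb" \
    "$JENKINS_URL/job/$job/build"
}

# Only contact a server when JENKINS_URL is set; otherwise sourcing this file
# just defines the functions.
if [ -n "${JENKINS_URL:-}" ]; then
  echo "build (API token): HTTP $(trigger_build_with_api_token "$JOB_NAME")"
  crumb="$(fetch_crumb)"
  if [ "$(crumb_looks_valid "$crumb")" = ok ]; then
    echo "build (crumb): HTTP $(trigger_build_with_crumb "$JOB_NAME" "$crumb")"
  else
    echo "did not get a crumb, response was: $crumb" >&2
    exit 1
  fi
fi
```

The crumb validity check is the part worth keeping in any automation: when the session behind the cookie jar expires, or the crumb is fetched without a cookie jar and then sent in a new session, Jenkins rejects the request with 403 "No valid crumb was included in the request", which is the expected behaviour of the session-bound crumb rather than a server fault. Prefer the API-token path for webhooks and scripts; it needs no crumb and does not require weakening CSRF protection.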
Note: Requests that authenticate to Jenkins with a username and API token are exempt from CSRF protection in Jenkins.
Video : https://www.youtube.com/watch?v=nqoVPCJGQOg
© Edwiki Trainings