
CSRF protection in Jenkins - Commands & Configuration

Introduction
CSRF protection stops a malicious website from tricking a logged-in user's browser into sending requests to Jenkins that the user never intended. Jenkins enforces it by requiring a per-user token, the crumb, on every state-changing request, so that only requests that genuinely originate from a trusted user are accepted.
When you want to prevent attackers from making unauthorized changes to Jenkins jobs or settings.
When you expose Jenkins to the internet and want to protect it from cross-site attacks.
When you use Jenkins APIs or scripts that require secure access.
When multiple users share the same Jenkins server and you want to ensure actions are intentional.
When you want to comply with security best practices for web applications.
Commands
Starts Jenkins server with default settings including CSRF protection enabled by default.
Terminal
java -jar jenkins.war
Expected Output
Running from: /home/user/jenkins.war
INFO: Jenkins is fully up and running
Requests a CSRF crumb from Jenkins. The response carries both the token value and the name of the header field it must be sent in. The session cookie is saved to a file because Jenkins binds the crumb to the web session that requested it.
Terminal
curl -X GET http://localhost:8080/crumbIssuer/api/xml -u admin:admin123 -c cookies.txt
Expected Output
<defaultCrumbIssuer><crumb>abc123def456</crumb><crumbRequestField>.crumb</crumbRequestField></defaultCrumbIssuer>
-X GET - Use the GET method to request the crumb token
-u admin:admin123 - Authenticate with Jenkins using username and password
-c cookies.txt - Save the Jenkins session cookie so the crumb stays valid for the request that follows
Triggers a Jenkins job build, sending the crumb in the header named by crumbRequestField and reusing the saved session cookie so the crumb is accepted.
Terminal
curl -X POST http://localhost:8080/job/example-job/build -u admin:admin123 -b cookies.txt -H ".crumb: abc123def456"
Expected Output
Started build #1
-b cookies.txt - Send the session cookie saved when the crumb was requested
-H ".crumb: abc123def456" - Include the CSRF crumb in the request header; the header name must match the crumbRequestField value Jenkins returned
Uses the Jenkins CLI to check the current user identity, confirming that authenticated access to the server works.
Terminal
java -jar jenkins-cli.jar -s http://localhost:8080/ -auth admin:admin123 who-am-i
Expected Output
Authenticated as: admin
-auth admin:admin123 - Authenticate CLI commands
Key Concept

If you remember nothing else from this pattern, remember: Jenkins uses a crumb token to verify requests and prevent CSRF attacks.

Common Mistakes
Trying to send POST requests to Jenkins API without including the CSRF crumb token.
Jenkins rejects these requests to protect against CSRF, causing failures.
Always request a crumb token first and include it in your POST request headers.
Disabling CSRF protection in Jenkins configuration to avoid errors.
This exposes Jenkins to security risks and attacks.
Keep CSRF protection enabled and use crumb tokens properly.
Using incorrect crumb header name or value in API requests.
Jenkins will not recognize the token and reject the request.
Use the exact crumbRequestField name Jenkins provides and the correct crumb value.
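The crumb workflow from the Commands section, and the header-name mistake described above, in one script. This is an added example written for this page, not code from the page or from the Jenkins project. It uses only the Python standard library; the host, job name, credentials and crumb value are placeholders, and the sample XML is a constructed copy of the crumbIssuer response shown above. It generalizes slightly beyond the page: the header name is taken from the server's crumbRequestField rather than hard-coded, so the same code works whether Jenkins reports .crumb or Jenkins-Crumb, and both requests share one cookie jar because Jenkins ties the crumb to the web session that fetched it.

```python
"""Fetch a Jenkins CSRF crumb and use it on a POST, preserving the session.

Added example for this page, not Jenkins project code. Placeholders:
base URL, job name, credentials. SAMPLE_CRUMB_XML is constructed to match
the crumbIssuer response shown in the Commands section.
"""
from __future__ import annotations

import base64
import http.cookiejar
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of GET /crumbIssuer/api/xml (older field name ".crumb").
SAMPLE_CRUMB_XML = (
    "<defaultCrumbIssuer><crumb>abc123def456</crumb>"
    "<crumbRequestField>.crumb</crumbRequestField></defaultCrumbIssuer>"
)


def parse_crumb(xml_text: str) -> tuple[str, str]:
    """Return (header_name, crumb_value) from a crumbIssuer/api/xml body.

    The header name is read from the response rather than assumed: older
    Jenkins reports ".crumb", current releases report "Jenkins-Crumb", and
    sending the token under the wrong name is rejected just like no token.
    """
    root = ET.fromstring(xml_text)
    field = root.findtext("crumbRequestField")
    crumb = root.findtext("crumb")
    if not field or not crumb:
        raise ValueError("response lacks crumbRequestField or crumb")
    return field, crumb


def crumb_header(xml_text: str) -> dict[str, str]:
    """Header dict to attach to every state-changing (POST) request."""
    field, crumb = parse_crumb(xml_text)
    return {field: crumb}


def basic_auth_header(user: str, secret: str) -> dict[str, str]:
    """HTTP Basic credentials, equivalent to curl's -u user:secret."""
    token = base64.b64encode(f"{user}:{secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def trigger_build(base_url: str, job: str, user: str, secret: str) -> int:
    """GET a crumb, then POST /job/<job>/build with it; returns HTTP status.

    One cookie jar serves both requests. Jenkins binds the crumb to the
    session cookie issued with it, so a crumb fetched without keeping that
    cookie is reported as invalid on the POST (the curl equivalent is
    -c cookies.txt on the GET and -b cookies.txt on the POST).
    """
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    auth = basic_auth_header(user, secret)

    crumb_req = urllib.request.Request(f"{base_url}/crumbIssuer/api/xml", headers=auth)
    with opener.open(crumb_req) as resp:
        headers = crumb_header(resp.read().decode())

    headers.update(auth)
    build_req = urllib.request.Request(
        f"{base_url}/job/{job}/build", data=b"", headers=headers, method="POST"
    )
    with opener.open(build_req) as resp:
        return resp.status  # Jenkins answers 201 Created once the build is queued


if __name__ == "__main__":
    # Offline demonstration of the parsing step on the constructed sample.
    print(crumb_header(SAMPLE_CRUMB_XML))
    # Against a live server (placeholders):
    # print(trigger_build("http://localhost:8080", "example-job", "admin", "admin123"))
```

Keeping the token name server-driven is what makes this robust across Jenkins versions; a script that hard-codes ".crumb" breaks the day the server starts reporting "Jenkins-Crumb", and the failure looks exactly like a missing crumb. If the credentials are an API token rather than a password, Jenkins does not require a crumb for basic-authenticated requests, which is the cleaner option for automation.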
Summary
Start Jenkins which has CSRF protection enabled by default.
Request a crumb token before making POST API calls to Jenkins.
Include the crumb token in the header of your POST requests to pass CSRF checks.
Use Jenkins CLI with authentication to interact securely with Jenkins.