XSRF check failed when calling Cloud APIs
Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.
Problem
requests are failing with the error, XSRF check failed,
Diagnosis
Atlassian Cloud REST API are protected from Cross Site Request Forgery (XSRF/CSRF) attacks for security reasons. For this reason, requests made from other systems may be rejected with a 403 status code when they originate from outside of the Atlassian Cloud, as shown below.
1
2
3
4
5
6
7
$ curl -u admin:admin -X POST -i "https://xxxx.atlassian.net/example/api/action?username=testUser"
HTTP/1.1 403 Forbidden
Date: Fri, 06 May 2016 06:11:15 GMT
...
XSRF check failed. More information at https://confluence.atlassian.com/x/DhpJMQIn this example, we have attempted to perform an operation as admin, which has failed due to XSRF protection.
Resolution
To call protected APIs from external systems you can add the X-Atlassian-Token header to each request, setting the value to no-check. Adding this header to a request bypasses the server-side XSRF check and allows the request to be fulfilled.
1
2
3
4
5
6
$ curl -u admin:admin -X POST -i "https://xxxx.atlassian.net/example/api/action?username=testUser" -H "X-Atlassian-Token: no-check"
HTTP/1.1 200 OK
Date: Fri, 06 May 2016 06:13:31 GMT
...Note that this is only available for requests made by command line tools or external systems, not browser requests. This is because the Cross Origin Resource Sharing specification does not allow JavaScript loaded in third party websites to set arbitrary request headers.
How to call protected REST APIs from third party websites
It is not possible to call protected APIs from third party websites as this would pose a security risk.
Was this helpful?