Resolve XSRF Check Failure When Calling Cloud APIs
Platform Notice: Cloud Only - This article only applies to Atlassian apps on the cloud platform.
Summary
Requests are failing with the error, XSRF check failed.
Cause
For security reasons, the Atlassian Cloud REST API is protected against Cross-Site Request Forgery (XSRF/CSRF) attacks. As a consequence, requests that originate outside Atlassian Cloud, such as the POST below sent from a command-line tool or another external system, may be rejected with a 403 status code, as shown below.
$ curl -u admin:admin -X POST -i "https://xxxx.atlassian.net/example/api/action?username=testUser"
HTTP/1.1 403 Forbidden
Date: Fri, 06 May 2016 06:11:15 GMT
...
XSRF check failed. More information at https://confluence.atlassian.com/x/DhpJMQ
In this example, we have attempted to perform an operation as admin, which has failed due to XSRF protection.
How to call protected REST APIs
Using command line tools or external systems
1. Add the X-Atlassian-Token header to each request that calls a protected API.
2. Set the value of the header to no-check.
Adding this header to a request bypasses the server-side XSRF check and allows the request to be fulfilled.
$ curl -u admin:admin -X POST -i "https://xxxx.atlassian.net/example/api/action?username=testUser" -H "X-Atlassian-Token: no-check"
HTTP/1.1 200 OK
Date: Fri, 06 May 2016 06:13:31 GMT
...
ℹ️ Note: This only works for requests made by command-line tools or external systems, not for requests a browser makes on behalf of a third-party website. Under the Cross-Origin Resource Sharing (CORS) specification, a custom header such as X-Atlassian-Token turns a cross-origin browser request into one that needs a preflight, and the browser only sends the header if the target server explicitly permits it in its preflight response, which the Atlassian server does not grant to third-party origins. That is exactly what makes the header a reliable signal that the request was not forged by a third-party page.
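The same call made from a script rather than curl, together with a small model of the server-side gate that explains why the header is accepted. This is an added example, not Atlassian's code or the article's own: the site URL, endpoint and admin:admin credentials are the article's placeholders, the server_xsrf_check function is an illustrative model of a typical CSRF gate (exempting safe methods is an assumption of this model, not something the article states), and the 403 body is constructed from the response shown above.

```python
"""
Added example: calling an XSRF-protected Atlassian Cloud REST endpoint from Python.

Not Atlassian's code. SITE/ENDPOINT and the credentials are the article's
placeholders; server_xsrf_check is an illustrative model, not Atlassian's gate.
"""
import base64
import urllib.error
import urllib.request

SITE = "https://xxxx.atlassian.net"                   # placeholder from the article
ENDPOINT = "/example/api/action?username=testUser"    # placeholder endpoint from the article


def protected_headers(user: str, password: str) -> dict:
    """Headers a non-browser client sends: HTTP Basic auth plus the XSRF bypass header.

    X-Atlassian-Token: no-check is what the article's curl -H "..." flag adds.
    """
    credentials = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {
        "Authorization": f"Basic {credentials}",
        "X-Atlassian-Token": "no-check",
    }


def build_request(user: str, password: str, method: str = "POST") -> urllib.request.Request:
    """Build (but do not send) the request. urllib stores header names capitalised,
    so the header is retrievable as "X-atlassian-token"."""
    return urllib.request.Request(SITE + ENDPOINT, method=method,
                                  headers=protected_headers(user, password))


def server_xsrf_check(method: str, headers: dict) -> int:
    """Illustrative model of a server-side XSRF gate (assumption: not Atlassian's code).

    A third-party page cannot make a browser attach a custom header cross-origin
    without an approved CORS preflight, so the header's presence shows the request
    did not come from a forged browser request. Safe methods are left ungated,
    the usual CSRF convention and an assumption of this model only.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return 200
    token = {k.lower(): v for k, v in headers.items()}.get("x-atlassian-token")
    return 200 if token == "no-check" else 403


def is_xsrf_failure(status: int, body: str) -> bool:
    """Recognise the article's failure mode so a script fails loudly instead of silently."""
    return status == 403 and "XSRF check failed" in body


def call(user: str, password: str, method: str = "POST"):
    """Send the request (needs network); surfaces an XSRF rejection as a clear error."""
    req = build_request(user, password, method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        body = err.read().decode(errors="replace")
        if is_xsrf_failure(err.code, body):
            raise RuntimeError("XSRF check failed: send X-Atlassian-Token: no-check") from err
        return err.code, body


if __name__ == "__main__":
    # Constructed response body, modelled on the 403 shown in the article.
    body = "XSRF check failed. More information at https://confluence.atlassian.com/x/DhpJMQ"
    print(is_xsrf_failure(403, body))                                      # True
    print(server_xsrf_check("POST", {}))                                   # 403
    print(server_xsrf_check("POST", {"X-Atlassian-Token": "no-check"}))    # 200
    print(build_request("admin", "admin").get_header("X-atlassian-token"))  # no-check
```

The offline functions show the mechanism; call() is the one that actually reaches the placeholder site and will only succeed once the hostname, endpoint and credentials are replaced with real ones.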
From third-party websites
It is not possible to call protected APIs from third-party websites as this would pose a security risk.