Disabling the Referer header (network.http.sendRefererHeader) prevents JIRA from working properly
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Problem
Changing the following options in Firefox's about:config:
network.http.sendRefererHeader=0
network.http.sendSecureXSiteReferrer=false
causes JIRA to behave abnormally, and pages fail to load. The following is returned in the response:
XSRF check failed
Diagnosis
Environment
Firefox Browser
Cause
JIRA relies on network.http.sendRefererHeader=2 because of the Cross Site Request Forgery (CSRF) protection changes in Atlassian REST.
The KB article above explains the behavior: the referrer is required in the web request because of CSRF protection. In addition, http://kb.mozillazine.org/Network.http.sendRefererHeader also has a warning about this:
Disabling Referer headers may cause some functionality on some sites to no longer work
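The failure described under Cause can be reproduced with a simplified same-origin check on the Origin/Referer header. This is an added example, not Atlassian's code: the function names, the host jira.example.com and the sample requests are constructed, and the actual check in Atlassian REST may differ.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
BASE_URL = "https://jira.example.com"  # constructed base URL (assumption)


def origin_of(url):
    """Return (scheme, host, port), or None if url is not an absolute http(s) URL."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (scheme, parts.hostname, port or DEFAULT_PORTS[scheme])


def xsrf_check(method, headers, base_url=BASE_URL):
    """Hypothetical check: state-changing requests must prove they are same-origin."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    hdrs = {name.lower(): value for name, value in headers.items()}
    source = hdrs.get("origin") or hdrs.get("referer")
    if not source:
        # Nothing to compare against, so the server has to fail closed.
        return False, "XSRF check failed: no Origin or Referer header"
    if origin_of(source) != origin_of(base_url):
        return False, "XSRF check failed: cross-origin request"
    return True, "same origin"


def demo():
    """Run the check over three constructed POST requests."""
    samples = {
        "referer sent": {"Referer": "https://jira.example.com:443/some/page"},
        "referer stripped": {},  # request arriving with no Referer at all
        "other site": {"Referer": "https://other.example.net/form.html"},
    }
    return {name: xsrf_check("POST", hdrs) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:17} allowed={allowed} ({reason})")
```

A request with no Referer is indistinguishable from a forged one in this check, which is why the legitimate user's own requests are rejected once the browser stops sending the header.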
Solution
Workaround
The only way to use network.http.sendRefererHeader=0 or 1 is to disable the CSRF protection. However, Atlassian does not recommend this, as it will impact the security of JIRA.
Resolution
Do not change this configuration, as the CSRF protection is sufficient for the security needed on the JIRA side.