REST API calls with a browser User-Agent header may fail CSRF checks
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Problem
Specifying a browser User-Agent header in a REST API call causes the request to be rejected. Example:
curl -D- -u admin:admin -X POST -H "Content-Type: application/json" -d @"P:\UTIL\script\rest.json" http://localhost:8705/jira/rest/api/2/issue -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"
Diagnosis
The application log shows the following WARN for the rejected request:
2016-02-03 22:25:15,125 http-nio-8705-exec-15 WARN admin 1345x6598x1 1jbuio 0:0:0:0:0:0:0:1 /rest/api/2/issue [c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: http://localhost:8705/jira/rest/api/2/issue , origin: null , referrer: null , credentials in request: true , allowed via CORS: false
Note the fields in the message: the request carried credentials but no Origin and no Referer header, so the filter had no way to establish that the request came from a trusted origin.
This is known to affect the RESTClient Firefox plugin, because Firefox plugins, unlike Chrome and Safari plugins, do not send an Origin header carrying the plugin's origin.
The same call works from Postman, which sends an Origin header; the request is then accepted under the CORS rules (the Access-Control-Allow-Origin response header is returned to the browser).
Cause
Recent changes in Atlassian REST mean that requests that look like they come from a browser may be blocked when the origin of the request is not trusted. A request with a browser User-Agent but no Origin or Referer header is indistinguishable from a cross-site request, so it is rejected.
More information can be found in Cross Site Request Forgery (CSRF) protection changes in Atlassian REST.
Solution
Resolution
Since the REST API does not require a User-Agent header, removing the header is the simplest fix: the request is then no longer treated as a browser request and the additional XSRF checks do not apply.
Alternatively, adding an Origin or Referer header that specifies the same origin as the request URL, or an origin that has been whitelisted via CORS, also works:
curl -D- -u admin:admin -X POST -H "Origin: https://dc.andy.com" -H "Content-Type: application/json" -d @"P:\UTIL\script\rest.json" https://dc.andy.com/jira/rest/api/2/issue -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"
Check the log after the change: the XsrfResourceFilter WARN should no longer appear for the call.
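To make the decision behind the WARN concrete, the following is an added example, not Atlassian's XsrfResourceFilter code. It models the check as the article describes it: only requests with a browser-like User-Agent are subject to the additional check, the Origin (or, failing that, Referer) header must match the request's own origin or a CORS-whitelisted one, and a failure is reported in the same shape as the log line above. It then runs the three curl calls from this article plus two constructed variants through that model. The treatment of safe methods, the "Mozilla/" prefix test and the credential shortcut are assumptions of this model.

```python
from urllib.parse import urlsplit

# Constructed from the User-Agent used in the article's curl commands.
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36")


def origin_of(url):
    """Reduce a URL to scheme://host[:port]; default ports are dropped. None if unparseable."""
    if not url:
        return None
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        return None
    default = {"http": 80, "https": 443}.get(p.scheme)
    port = p.port or default
    if port != default:
        return f"{p.scheme}://{p.hostname}:{port}"
    return f"{p.scheme}://{p.hostname}"


def xsrf_check(method, url, headers, allowed_origins=()):
    """Model of the 'additional XSRF checks'. Returns (allowed, reason).

    Assumptions (not taken from Atlassian's implementation):
    - a User-Agent starting with 'Mozilla/' marks a browser request;
    - GET/HEAD/OPTIONS are not state-changing and are skipped;
    - a request carrying no credentials cannot be used for CSRF, so it passes.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if not h.get("user-agent", "").startswith("Mozilla/"):
        return True, "non-browser User-Agent; additional XSRF checks skipped"
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method; additional XSRF checks skipped"

    credentials = "authorization" in h or "cookie" in h
    origin = h.get("origin")
    referer = h.get("referer")
    target = origin_of(url)
    # Origin takes precedence; a literal "null" Origin is treated as absent.
    candidate = origin_of(origin) if origin and origin != "null" else origin_of(referer)

    if candidate is not None and candidate == target:
        return True, f"origin {candidate} matches request origin {target}"
    if candidate is not None and candidate in allowed_origins:
        return True, f"origin {candidate} allowed via CORS"
    if not credentials:
        return True, "no credentials in request; nothing to forge"
    return False, (f"Additional XSRF checks failed for request: {url} , origin: {origin} , "
                   f"referrer: {referer} , credentials in request: true , allowed via CORS: false")


def demo():
    """Run the article's calls (and two constructed variants) through the model."""
    local = "http://localhost:8705/jira/rest/api/2/issue"
    dc = "https://dc.andy.com/jira/rest/api/2/issue"
    # -u admin:admin becomes a Basic Authorization header.
    base = {"Authorization": "Basic YWRtaW46YWRtaW4=", "Content-Type": "application/json"}
    browser = dict(base, **{"User-Agent": BROWSER_UA})
    return {
        # Article's failing call: browser UA, no Origin, no Referer.
        "browser_ua_no_origin": xsrf_check("POST", local, browser),
        # Resolution 1: drop the User-Agent header.
        "no_user_agent": xsrf_check("POST", local, base),
        # Resolution 2: add a same-origin Origin header.
        "browser_ua_same_origin": xsrf_check("POST", dc, dict(browser, Origin="https://dc.andy.com")),
        # Constructed: Referer from another site must still be rejected.
        "browser_ua_cross_site_referer": xsrf_check(
            "POST", dc, dict(browser, Referer="https://evil.example/page")),
        # Constructed: a CORS-whitelisted origin is accepted.
        "browser_ua_cors_whitelisted": xsrf_check(
            "POST", dc, dict(browser, Origin="https://app.example"),
            allowed_origins=("https://app.example",)),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name}: {'ALLOWED' if allowed else 'BLOCKED'} ({reason})")
```

The point the model makes visible is that the User-Agent header is only a trigger: it decides whether the request is held to browser rules. What actually passes or fails the check is whether the Origin or Referer resolves to the request's own origin or to one that CORS allows, which is why both resolutions above work and why a cross-site Referer still does not.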