Environment

CloudBees CI (CloudBees Core)
CloudBees CI (CloudBees Core) on modern cloud platforms - Managed controller
CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center
CloudBees CI (CloudBees Core) on traditional platforms - Client controller
CloudBees CI (CloudBees Core) on traditional platforms - Operations Center
CloudBees Jenkins Enterprise
CloudBees Jenkins Enterprise - Managed controller
CloudBees Jenkins Enterprise - Operations center
Jenkins LTS

Issue

CSRF is not available in the UI.
CSRF is enabled by default.

Resolution

As explained in Upgrading to Jenkins LTS 2.222.x :

Jenkins will automatically enable CSRF protection with the default crumb issuer if it was disabled before. The ability to not have CSRF protection enabled has been deprecated and removed from the UI.

Currently, to be able to disable the functionality, it is required to use the parameter -Dhudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION=true on startup to disable CSRF protection.

WARNING

Deactivating CSRF might expose your instance to security issues. Make sure to have your security team reviewing the change.

This article is part of our Knowledge Base and is provided for guidance-based purposes only. The solutions or workarounds described here are not officially supported by CloudBees and may not be applicable in all environments. Use at your own discretion, and test changes in a safe environment before applying them to production systems.