Jenkins comes with a CSRF protection feature that is enabled by default. One of the security checks carried out by this feature is a strict IP check on the source of incoming HTTP/S requests. It is based on the client IP of the request and the value of the X-FORWARDED-FOR header.

In some environments this check fails and causes the error "No valid crumb was included in request", for example when a proxy does not preserve the client IP, or when the X-FORWARDED-FOR header is set but misconfigured.
For more information, have a look at the DefaultCrumbIssuer class.
In most cases, the problem is related to the proxy configuration. Ensure that:

- the proxy preserves the client IP
- the X-FORWARDED-FOR header is properly set
A typical case is Jenkins running inside Kubernetes. If Jenkins runs in Kubernetes behind an Ingress Controller that is backed by a NodePort or LoadBalancer Service, make sure that this Service is configured with externalTrafficPolicy: Local so that it preserves the client IP.
Alternatively, use an API token for authentication: a CSRF crumb is no longer required when authenticating with an API token. It is not necessary to provide a crumb when sending an HTTP request with Basic authentication that supplies the authenticating user's API token in place of a password, as described in the Jenkins documentation.
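To make the IP binding and the two ways a request can pass the check concrete, here is an added example that is not from this article or from Jenkins itself: a small in-process HTTP server written in Python that mimics the behaviour described above (a crumb tied to the client IP as read from the first X-Forwarded-For hop, the 403 with "No valid crumb was included in request", and Basic authentication with an API token that needs no crumb). The /crumbIssuer/api/json path and the Jenkins-Crumb field name are Jenkins' real ones; the secret, user, token, fixed session and /job/demo/build endpoint are constructed stand-ins, and the crumb hashing is a simplified model, not the actual DefaultCrumbIssuer code.

```python
import base64
import hashlib
import hmac
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import request as urlrequest
from urllib.error import HTTPError

# Constructed values: the salt stands in for the crumb issuer's secret, the token for a user's API token.
SECRET = secrets.token_bytes(32)
USER = "alice"
API_TOKEN = "constructed-api-token-0123456789"
SESSION_ID = "session-1"  # simplification: one fixed session instead of a cookie-bound one


def client_ip(headers, remote_addr):
    """Prefer the first hop of X-Forwarded-For; fall back to the TCP peer address."""
    forwarded = headers.get("X-Forwarded-For")
    if forwarded:
        return forwarded.split(",")[0].strip()
    return remote_addr


def issue_crumb(user, session_id, ip):
    """Keyed hash over user, session and client IP, so a changed IP invalidates the crumb."""
    return hmac.new(SECRET, f"{user};{session_id};{ip}".encode(), hashlib.sha256).hexdigest()


def crumb_is_valid(crumb, user, session_id, ip):
    return hmac.compare_digest(crumb, issue_crumb(user, session_id, ip))


class MockJenkins(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, status, payload):
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        # Same shape as the real /crumbIssuer/api/json response.
        if self.path == "/crumbIssuer/api/json":
            ip = client_ip(self.headers, self.client_address[0])
            self._reply(200, {"crumbRequestField": "Jenkins-Crumb",
                              "crumb": issue_crumb(USER, SESSION_ID, ip)})
        else:
            self._reply(404, {"error": "not found"})

    def do_POST(self):
        auth = self.headers.get("Authorization", "")
        if auth.startswith("Basic "):
            # API-token path: no crumb involved, only the user:token pair is checked.
            creds = base64.b64decode(auth[len("Basic "):]).decode()
            if hmac.compare_digest(creds, f"{USER}:{API_TOKEN}"):
                return self._reply(200, {"result": "ok", "auth": "api-token"})
            return self._reply(401, {"error": "invalid credentials"})
        # Session path: the crumb must match the IP this request appears to come from.
        ip = client_ip(self.headers, self.client_address[0])
        if crumb_is_valid(self.headers.get("Jenkins-Crumb", ""), USER, SESSION_ID, ip):
            return self._reply(200, {"result": "ok", "auth": "session+crumb"})
        self._reply(403, {"error": "No valid crumb was included in request"})


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), MockJenkins)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def call(base, method, path, headers, data=None):
    req = urlrequest.Request(base + path, data=data, method=method, headers=headers)
    try:
        with urlrequest.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read())


def session_post(base, fetch_ip=None, post_ip=None):
    """Fetch a crumb, then POST with it. fetch_ip/post_ip are the X-Forwarded-For values a proxy
    stamps on each request; None means no header, so the peer address is used instead."""
    def xff(ip):
        return {"X-Forwarded-For": ip} if ip else {}
    _, body = call(base, "GET", "/crumbIssuer/api/json", xff(fetch_ip))
    headers = {body["crumbRequestField"]: body["crumb"], **xff(post_ip)}
    return call(base, "POST", "/job/demo/build", headers, data=b"")


def token_post(base, token=API_TOKEN):
    """Basic auth with the API token: no crumb, and the client IP no longer matters."""
    cred = base64.b64encode(f"{USER}:{token}".encode()).decode()
    return call(base, "POST", "/job/demo/build", {"Authorization": "Basic " + cred}, data=b"")


if __name__ == "__main__":
    srv, base = start_server()
    print("consistent proxy    :", session_post(base, "203.0.113.5", "203.0.113.5"))   # 200
    print("IP changes per hop  :", session_post(base, "203.0.113.5", "198.51.100.9"))  # 403
    print("XFF only on 2nd call:", session_post(base, None, "203.0.113.5"))            # 403
    print("API token, no crumb :", token_post(base))                                   # 200
    srv.shutdown()
```

Running it shows that a crumb issued while the request appeared to come from one address is rejected as soon as the follow-up POST arrives with a different X-Forwarded-For value, or with none at all, which is exactly what a proxy that does not preserve the client IP (or a Service without externalTrafficPolicy: Local, where the source address varies per node) produces. The API-token request succeeds regardless, because it never enters the crumb check.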