Operations Center Parent 3.27603

RELEASED: Public: May 28, 2025

New features

None.

Feature enhancements

None.

Resolved issues

“Enforce Cross Site Request Forgery exploits prevention settings” removed (BEE-24104)

The "Enforce Cross Site Request Forgery exploits prevention settings" option was removed from the Security Setting Enforcement section of Client controller security in the Security settings of operations center. This option was misleading: Jenkins itself has enforced CSRF protection (except via a system property escape hatch) since 2.222.1 in 2020, so this operations center feature was not contributing to controller security.

If this option was enabled in an operations center CasC bundle (the crumbIssuer property of a securitySettingsEnforcement), it will now lead to a CasC error at startup. The same now applies to the masterKillSwitch property, which has had no effect for some time but was not formally deprecated in CasC. This class of error can be temporarily downgraded to a warning using:

    configuration-as-code:
      deprecated: warn

If the crumb issuer enforcement setting was being used to propagate an option of the default issuer, namely Enable proxy compatibility, to controllers, or to select an alternate issuer (there are none supported by CloudBees), similar behavior can be accomplished using CasC bundles or other general techniques of applying configuration uniformly across controllers.
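A pre-upgrade check for the CasC error described above, as an added example that is not CloudBees code: it scans one bundle YAML file for crumbIssuer or masterKillSwitch nested anywhere under securitySettingsEnforcement and reports whether the temporary downgrade is in effect. Assumptions: the sample bundle, its intermediate key enforcementScope and its values are constructed placeholders, the downgrade setting is in the same file, and the scan is indentation-based rather than a full YAML parser.

```python
import re

# Property names and the enclosing section come from the release note above.
REMOVED = {"crumbIssuer", "masterKillSwitch"}
PARENT = "securitySettingsEnforcement"
# Matches "key: value" lines; comments, blanks and list items are skipped.
KEY_RE = re.compile(r"^(\s*)([A-Za-z_][\w-]*)\s*:\s*([^#]*)")

# Constructed sample; "enforcementScope" and the values are placeholders.
SAMPLE = """\
# jenkins.yaml from a hypothetical operations center bundle
configuration-as-code:
  deprecated: warn
security:
  securitySettingsEnforcement:
    enforcementScope:
      crumbIssuer: {}
      masterKillSwitch: false
"""

def key_paths(yaml_text):
    """Yield (line_no, path, value) per key, tracking nesting by indentation."""
    stack = []  # (indent, key) for each ancestor of the current line
    for line_no, raw in enumerate(yaml_text.splitlines(), start=1):
        m = KEY_RE.match(raw)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave blocks that are not ancestors of this key
        stack.append((indent, key))
        yield line_no, tuple(k for _, k in stack), m.group(3).strip().strip("\"'")

def check_bundle(yaml_text):
    """Return [(line_no, property, severity)] for removed enforcement keys."""
    hits, downgraded = [], False
    for line_no, path, value in key_paths(yaml_text):
        if path == ("configuration-as-code", "deprecated") and value == "warn":
            downgraded = True  # the temporary downgrade is in effect
        if path[-1] in REMOVED and PARENT in path[:-1]:
            hits.append((line_no, path[-1]))
    severity = "warning" if downgraded else "error"
    return [(n, prop, severity) for n, prop in hits]

if __name__ == "__main__":
    for line_no, prop, severity in check_bundle(SAMPLE):
        print(f"line {line_no}: {prop} under {PARENT} -> CasC {severity} at startup")
```

A crumbIssuer key that is not nested under securitySettingsEnforcement is not reported, since only the enforcement properties were removed.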

Known issues

None.

Upgrade notes

None.