From 101bfdcb0f3f669ade9228747f21bcfa380b6780 Mon Sep 17 00:00:00 2001 From: Daniel Beck Date: Thu, 11 Dec 2025 15:51:50 +0100 Subject: [PATCH 1/3] Document removal of IP address from default crumb issuer --- content/doc/book/managing/system-properties.adoc | 4 ++++ content/doc/book/security/csrf-protection.adoc | 8 +++----- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/content/doc/book/managing/system-properties.adoc b/content/doc/book/managing/system-properties.adoc index 245b4964b4d0..dde75a304625 100644 --- a/content/doc/book/managing/system-properties.adoc +++ b/content/doc/book/managing/system-properties.adoc @@ -984,6 +984,8 @@ properties: since: 2.176.2 / 2.186 description: | Escape hatch for link:/security/advisory/2019-07-17/#SECURITY-626[SECURITY-626]. + Since Jenkins 2.TODO, this is the only part of the CSRF crumb that is tied to a user session/machine. + It is strongly recommended to remain `false`. - name: hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION tags: @@ -1731,11 +1733,13 @@ properties: tags: - escape hatch - feature + - obsolete def: | `false` since: 2.119 description: | `true` to enable crumb proxy compatibility when running the Setup Wizard for the first time. + This flag is unused since Jenkins 2.TODO, as the IP address is no longer part of the CSRF crumb. - name: jenkins.model.Jenkins.disableExceptionOnNullInstance tags: diff --git a/content/doc/book/security/csrf-protection.adoc b/content/doc/book/security/csrf-protection.adoc index 716d1a7b7253..31583469e82c 100644 --- a/content/doc/book/security/csrf-protection.adoc +++ b/content/doc/book/security/csrf-protection.adoc 
@@ -32,16 +32,14 @@ The _Default Crumb Issuer_ encodes the following information in the https://en.w * The user name that the crumb was generated for * The web session ID that the crumb was generated in -* The IP address of the user that the crumb was generated for * A https://en.wikipedia.org/wiki/Salt_(cryptography)[salt] unique to this Jenkins instance All of this information needs to match when a crumb is sent back to Jenkins for that submission to be considered valid. -The only supported option _Enable proxy compatibility_ removes information about the user IP address from the token. +NOTE: Before Jenkins 2.TODO, the IP address was optionally also included by default. +The option _Enable proxy compatibility_ could be used to remove information about the user IP address from the token. This can be useful when Jenkins is running behind a reverse proxy and a user's IP address as seen from Jenkins would regularly change. - -NOTE: The web session ID was added in Jenkins 2.176.2 and 2.186 to cause crumb to expire. -See link:/security/advisory/2019-07-17/#SECURITY-626[security advisory] and link:/doc/upgrade-guide/2.176/#SECURITY-626[upgrade guide]. +Since the web session ID provides stronger protection, this option was removed in Jenkins 2.TODO. Plugins may provide other crumb issuers that use other criteria to determine whether a crumb is valid. The plugin:strict-crumb-issuer[Strict Crumb Issuer] provides an alternative crumb issuer implementation that is more customizable. From 0efcb7afc27e546eb930b0c376b00c0689a43d0b Mon Sep 17 00:00:00 2001 From: Daniel Beck <1831569+daniel-beck@users.noreply.github.com> Date: Thu, 12 Mar 2026 11:04:10 +0100 Subject: [PATCH 2/3] Mention 2.543 --- content/doc/book/security/csrf-protection.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/doc/book/security/csrf-protection.adoc b/content/doc/book/security/csrf-protection.adoc index 31583469e82c..334689f72620 100644 
--- a/content/doc/book/security/csrf-protection.adoc +++ b/content/doc/book/security/csrf-protection.adoc @@ -36,10 +36,10 @@ The _Default Crumb Issuer_ encodes the following information in the https://en.w All of this information needs to match when a crumb is sent back to Jenkins for that submission to be considered valid. -NOTE: Before Jenkins 2.TODO, the IP address was optionally also included by default. +NOTE: Before Jenkins 2.543, the IP address was optionally also included by default. The option _Enable proxy compatibility_ could be used to remove information about the user IP address from the token. This can be useful when Jenkins is running behind a reverse proxy and a user's IP address as seen from Jenkins would regularly change. -Since the web session ID provides stronger protection, this option was removed in Jenkins 2.TODO. +Since the web session ID provides stronger protection, this option was removed in Jenkins 2.543. Plugins may provide other crumb issuers that use other criteria to determine whether a crumb is valid. The plugin:strict-crumb-issuer[Strict Crumb Issuer] provides an alternative crumb issuer implementation that is more customizable. From 3588638075c1bbbe0c55225519651c723acc32b6 Mon Sep 17 00:00:00 2001 From: Daniel Beck <1831569+daniel-beck@users.noreply.github.com> Date: Thu, 12 Mar 2026 11:04:46 +0100 Subject: [PATCH 3/3] Mention 2.543 --- content/doc/book/managing/system-properties.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/doc/book/managing/system-properties.adoc b/content/doc/book/managing/system-properties.adoc index dde75a304625..4123892cecee 100644 --- a/content/doc/book/managing/system-properties.adoc +++ b/content/doc/book/managing/system-properties.adoc 
@@ -984,7 +984,7 @@ properties: since: 2.176.2 / 2.186 description: | Escape hatch for link:/security/advisory/2019-07-17/#SECURITY-626[SECURITY-626]. - Since Jenkins 2.TODO, this is the only part of the CSRF crumb that is tied to a user session/machine. + Since Jenkins 2.543, this is the only part of the CSRF crumb that is tied to a user session/machine. It is strongly recommended to remain `false`. - name: hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION @@ -1739,7 +1739,7 @@ properties: since: 2.119 description: | `true` to enable crumb proxy compatibility when running the Setup Wizard for the first time. - This flag is unused since Jenkins 2.TODO, as the IP address is no longer part of the CSRF crumb. + This flag is unused since Jenkins 2.543, as the IP address is no longer part of the CSRF crumb. - name: jenkins.model.Jenkins.disableExceptionOnNullInstance tags:
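Review bot: in the system-properties.adoc hunk at `@@ -984,6 +984,8 @@` (PATCH 1/3), the added sentence "this is the only part of the CSRF crumb that is tied to a user session/machine" is stale wording once the IP address is gone: the web session ID is bound to the browser session, not to a machine, and the crumb still encodes the user name and the per-instance salt as well (see the list in csrf-protection.adoc). The property name itself is not in the hunk, but since the entry is described as the escape hatch for SECURITY-626 and the deleted NOTE in csrf-protection.adoc says the session ID was added for SECURITY-626 "to cause crumb to expire", consider stating the consequence directly, e.g. "Since Jenkins 2.543, the web session ID is the only component that ties a crumb to a specific browser session; disabling it leaves crumbs valid indefinitely." The closing "It is strongly recommended to remain `false`." also reads awkwardly; "Leave this at `false`." or "It is strongly recommended that this remain `false`." is cleaner.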
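Review bot: in the system-properties.adoc hunk at `@@ -1731,11 +1733,13 @@` (PATCH 1/3), the retained description "`true` to enable crumb proxy compatibility when running the Setup Wizard for the first time." is now in the present tense immediately before "This flag is unused since Jenkins 2.TODO", which reads as if the flag still does something. Suggest rewording the first line to past tense to match the new `obsolete` tag, e.g. "Before Jenkins 2.543, `true` enabled crumb proxy compatibility when running the Setup Wizard for the first time.", and keep "The flag is ignored since Jenkins 2.543, as the IP address is no longer part of the CSRF crumb." as the second line.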
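Review bot: in the csrf-protection.adoc hunk at `@@ -32,16 +32,14 @@` (PATCH 1/3), the new NOTE text "the IP address was optionally also included by default" is self-contradictory (optional or default?) and the following line "This can be useful when Jenkins is running behind a reverse proxy" switches back to the present tense for an option the same paragraph says was removed. Suggest "Before Jenkins 2.543, the IP address was also included by default; the option _Enable proxy compatibility_ removed it from the crumb. This was useful when Jenkins ran behind a reverse proxy and a user's IP address as seen from Jenkins would regularly change." Note also that in AsciiDoc a `NOTE:` paragraph extends over all contiguous lines, so the three lines form one admonition; that seems intended here, but the hunk also deletes the only links on this page to the SECURITY-626 advisory and the 2.176 upgrade guide. Since the new text justifies the removal with "the web session ID provides stronger protection", keep those links in the NOTE (e.g. "The web session ID, added in Jenkins 2.176.2 and 2.186 for link:/security/advisory/2019-07-17/#SECURITY-626[SECURITY-626], provides stronger protection, so this option was removed in Jenkins 2.543.") rather than dropping the history entirely.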
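Review bot: PATCH 2/3 and PATCH 3/3, both titled "Mention 2.543", only replace the `2.TODO` placeholders introduced by PATCH 1/3 in csrf-protection.adoc and system-properties.adoc with `2.543`. Squashing them into the first commit would avoid a revision in the history that documents a placeholder version, and the two identical subjects make the series harder to read as-is. The version is applied consistently across both files ("removed in Jenkins 2.543" and "unused since Jenkins 2.543"), so no further change is needed once squashed.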