Reminder: Enable CSRF Protection for Jenkins

[Daniel Beck]

We have received reports of attacks targeting Jenkins installations that do not have cross-site request forgery[1] (CSRF) protection enabled (which is the default on Jenkins 1.x). This is dangerous because it makes your Jenkins vulnerable to targeted attacks even if Jenkins is behind a firewall or on a private network, through specially crafted links sent via email, or other mediums, to unsuspecting users.

This is a reminder that you should enable this feature in your Jenkins instance, even if your instance if not directly exposed to the internet. See the Jenkins wiki[2] for more details about this feature. This is also a good opportunity to take a look again at the "Secure Jenkins" wiki page[3] which discusses various security-related topics, including this one.

If you come across malware that's exploiting Jenkins or find vulnerabilities, please report them by following the responsible disclosure process outlined on jenkins.io[4]. This allows us to resolve those issues before the method of attack becomes publicly known.

1: https://en.wikipedia.org/wiki/Cross-site_request_forgery
2: https://wiki.jenkins-ci.org/display/JENKINS/CSRF+Protection
3: https://wiki.jenkins-ci.org/display/JENKINS/Securing+Jenkins
4: https://jenkins.io/security