To prevent users from being tricked into unintentionally submitting malicious requests to Bamboo, Bamboo uses XSRF (cross-site request forgery) protection.

Atlassian-supported plugins have been updated to support XSRF protection. XSRF protection is enabled by default for OnDemand customers and for new installations of the downloadable version. If you are using a plugin that is not yet compatible with this security feature, you can disable it.

Please carefully consider the security risks before you disable XSRF protection in your Bamboo installation: with it disabled, any web page a logged-in user visits can make state-changing requests to Bamboo in that user's name.

Read more about XSRF (cross-site request forgery) on Wikipedia.
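The following is an added example, not Bamboo's own code, of how an Origin/Referer-based XSRF check of the kind Bamboo applies to state-changing requests typically works. The hostnames bamboo.example.com, attacker.example and localhost:8085, the sample headers and the function names are all constructed for illustration. It also shows the caveat that matters when Bamboo sits behind a reverse proxy: a check of this kind compares the request's Origin or Referer against the base URL the application believes it has, so if the proxy terminates TLS and Tomcat is not told the external scheme, host and port (the Tomcat Connector attributes scheme, proxyName and proxyPort), every legitimate browser request is rejected.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Methods that must not change server state and therefore need no XSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def origin_of(url: str) -> Optional[Tuple[str, str, int]]:
    """Return (scheme, host, port) for an http(s) URL, or None if it is not one.

    The default port is filled in so that "https://host" and "https://host:443"
    compare equal.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric port in the URL
        return None
    port = port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname.lower(), port


def xsrf_check(method: str, headers: Dict[str, str], base_url: str,
               enabled: bool = True) -> Tuple[bool, str]:
    """Decide whether a request passes an Origin/Referer XSRF check.

    Returns (allowed, reason). Safe methods always pass. A state-changing
    method must carry an Origin header (or, failing that, a Referer header)
    whose scheme, host and port match the application's configured base URL.
    enabled=False models the "Enable XSRF protection" box being unchecked:
    the check is skipped for every request.
    """
    if not enabled:
        return True, "XSRF protection is disabled"
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no check needed"

    expected = origin_of(base_url)
    if expected is None:
        return False, "base URL %r is not a valid http(s) URL" % base_url

    # Header names are case-insensitive. Browsers send Origin on cross-site
    # POSTs; same-site form posts from some browsers carry only Referer.
    lowered = {name.lower(): value for name, value in headers.items()}
    source = lowered.get("origin") or lowered.get("referer")
    if not source:
        return False, "request carries neither Origin nor Referer"

    actual = origin_of(source)  # "null" and other non-URLs come back as None
    if actual != expected:
        return False, "%r does not match base URL %r" % (source, base_url)
    return True, "origin matches base URL"


# Constructed sample requests (hostnames are hypothetical).
FORGED_POST = {"Origin": "https://attacker.example",
               "Referer": "https://attacker.example/lure.html"}
BROWSER_POST = {"Referer": "https://bamboo.example.com/admin/security"}

if __name__ == "__main__":
    public_url = "https://bamboo.example.com"
    # What Tomcat believes its own URL is when the reverse proxy does not pass
    # the external scheme/host/port through to the connector.
    internal_url = "http://localhost:8085"

    for label, hdrs, base in [
        ("forged cross-site POST", FORGED_POST, public_url),
        ("legitimate POST, base URL correct", BROWSER_POST, public_url),
        ("legitimate POST, proxy misconfigured", BROWSER_POST, internal_url),
    ]:
        print(label, "->", xsrf_check("POST", hdrs, base))
```

The third case is the reverse-proxy failure: the request is genuine, but the application compares its Referer against http://localhost:8085 and rejects it. The fix is to make the base URL the application sees match the public one, not to disable the check.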

To configure XSRF protection:

  1. Click the icon and select Bamboo admin.
  2. Choose Security settings in the left-hand panel.
  3. Choose Edit.
  4. Check Enable XSRF protection to enable it, or uncheck it to disable it.
  5. Choose Save.

XSRF protection was introduced in Bamboo 5.3, and will be enabled automatically for all new and existing OnDemand users. Existing Bamboo installations upgraded to 5.3 or later do not have it enabled automatically; enable it by following the instructions above and checking Enable XSRF protection.

Is my Bamboo server already protected against XSRF attacks?

  Installation                                                                XSRF protection enabled?
  An existing installation of Bamboo 5.2 or earlier upgraded to 5.3 or later  No. Customers can enable XSRF protection using the instructions on this page.
  A new installation of Bamboo 5.3 or later                                   Yes. XSRF protection is enabled.
  Bamboo OnDemand (Bamboo 5.3)*                                               No. Customers can enable XSRF protection using the instructions on this page.

*Note that future versions of Bamboo OnDemand will have XSRF protection enabled by default.


2 Comments

  1. It seems XSRF protection behind a reverse proxy is not working out yet.

    Almost every request which was initiated through bamboo caused an Internal Server Error page to appear, complaining about the referer not being correct.

    1. David Black

      That issue is BAM-14147 and it is caused by incorrectly configuring the proxy in front of Bamboo and Tomcat.