How are Jira Server/DC public REST API endpoints protected against CSRF?

I am investigating CSRF measures that I should take for my marketplace app for Jira Server/DC. My app has both private REST API (that serves the app front end) and public REST API (that is provided for integrations).

While trying to understand how Jira does this, I became really confused. Jira Server/DC instances provide public REST API endpoints (as documented here) that can be consumed by remote services for integration.

It is obvious that the backend endpoints serving Jira UI are using XSRF tokens stored in cookies to protect against CSRF attacks. On the other hand, Jira public REST API endpoints are designed to be used by remote systems and there is no UI layer to send an XSRF token.

Atlassian documentation says, and I quote:

Jira itself uses cookie-based authentication in the browser, so you can call REST from JavaScript on the page and rely on the authentication that the browser has established.

This makes me think that anyone with a valid JSESSIONID cookie can be a victim of a CSRF attack if he/she clicks on the wrong link on an attacker’s page.

I tried to do CSRF on Jira but I couldn’t.
I am not sure if I hit a well-designed protection measure or if I just failed to build the attack. While digging deep I was lost in XSRF annotations, content type limitations, and cors/no-cors headers.

Can someone explain if (and how) Jira public REST API endpoints are protected against CSRF?
And also, what do I need to do to protect the public REST API endpoints introduced by my app?

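As an added illustration for the question above (this is not part of the original post and not Atlassian's or Jira's own code), here is a small Python model of the checks a cookie-authenticated REST endpoint can apply to distinguish a cross-site request from a legitimate one. The origin `https://jira.example.com`, the cookie name `XSRF-TOKEN`, the header name `X-XSRF-Token` and all sample requests are assumptions constructed for this example. It shows why a browser-submitted form can only carry a few "simple" content types and so never looks like a JSON call, why a cross-origin fetch with a JSON content type is preflighted and can be refused before the real request is sent, and why a call that authenticates with an explicit Authorization header instead of a session cookie is not a CSRF target at all.

```python
"""Illustrative CSRF gate for a cookie-authenticated JSON REST endpoint.

Example code written for this discussion; not Jira's implementation.
All names below are assumptions for the model.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Content types a browser can send from a <form> or a no-cors fetch() without a
# CORS preflight. A cross-site page cannot send anything else to us unasked.
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                        "multipart/form-data", "text/plain"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

TRUSTED_ORIGIN = "https://jira.example.com"   # assumption: the site's own origin
XSRF_COOKIE = "XSRF-TOKEN"                     # hypothetical cookie name
XSRF_HEADER = "X-XSRF-Token"                   # hypothetical header name


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str | None:
        """Case-insensitive header lookup."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def same_origin(url: str) -> bool:
    """Compare scheme and host:port, not a string prefix (prefix checks are bypassable)."""
    given, trusted = urlparse(url), urlparse(TRUSTED_ORIGIN)
    return (given.scheme, given.netloc) == (trusted.scheme, trusted.netloc)


def preflight_allows(origin: str) -> bool:
    """A cross-origin fetch with Content-Type: application/json is preflighted.
    Refusing the preflight (no Access-Control-Allow-Origin) stops the browser from
    ever sending the real request."""
    return same_origin(origin)


def csrf_decision(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason) for a state-changing call that may ride on cookies."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"
    # Credentials the caller attached explicitly (Basic auth, bearer token) are not
    # sent automatically by a browser, so a third-party page cannot forge this call.
    if req.header("Authorization") and not req.cookies:
        return True, "explicit credentials, not forgeable by a foreign page"
    # From here the request relies on ambient cookie authentication.
    origin = req.header("Origin") or req.header("Referer")
    if origin and not same_origin(origin):
        return False, f"foreign origin {origin}"
    ctype = (req.header("Content-Type") or "").split(";")[0].strip().lower()
    if ctype in SIMPLE_CONTENT_TYPES or ctype == "":
        return False, f"form-capable content type {ctype or '(none)'}"
    token_cookie = req.cookies.get(XSRF_COOKIE)
    if not token_cookie or req.header(XSRF_HEADER) != token_cookie:
        return False, "XSRF token header missing or does not match cookie"
    return True, "same-origin JSON request with matching XSRF token"


# Constructed sample requests (not captured traffic).
SESSION = {"JSESSIONID": "abc123"}
SAMPLES = {
    # Victim's browser auto-submits an attacker-hosted <form>.
    "cross_site_form": Request("POST", {"Origin": "https://attacker.example",
                               "Content-Type": "application/x-www-form-urlencoded"},
                               dict(SESSION), "summary=pwned"),
    # Same trick smuggling JSON inside a text/plain form body.
    "cross_site_textplain": Request("POST", {"Origin": "https://attacker.example",
                                    "Content-Type": "text/plain"},
                                    dict(SESSION), '{"fields":{"summary":"pwned"}}'),
    # Legitimate same-origin XHR from the site's own page.
    "same_origin_xhr": Request("POST", {"Origin": TRUSTED_ORIGIN,
                               "Content-Type": "application/json",
                               XSRF_HEADER: "t0k3n"},
                               {**SESSION, XSRF_COOKIE: "t0k3n"},
                               '{"fields":{"summary":"legit"}}'),
    # Same origin and JSON, but the page script forgot the token header.
    "same_origin_no_token": Request("POST", {"Origin": TRUSTED_ORIGIN,
                                    "Content-Type": "application/json"},
                                    {**SESSION, XSRF_COOKIE: "t0k3n"}, "{}"),
    # Integration script using Basic auth and no cookie jar: CSRF does not apply.
    "integration_basic_auth": Request("POST", {"Authorization": "Basic dXNlcjpwYXNz",
                                      "Content-Type": "application/json"},
                                      {}, '{"fields":{"summary":"from CI"}}'),
}


def run_samples() -> dict[str, bool]:
    return {name: csrf_decision(req)[0] for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:24} -> {csrf_decision(req)}")
```

The takeaway for an app's own public REST endpoints: if a call can be authenticated by the browser's session cookie, it must also require something a foreign page cannot supply (a non-form content type plus a token or custom header, with cross-origin preflights refused); if it only accepts explicit credentials such as Basic auth or a personal access token, the browser never attaches them on its own and the forged-request problem does not arise.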