REST API request fails with "XSRF check failed"

Hi Folks,

We are currently developing a browser extension to create issues from specific web content.
Sending data to result in 403 -XSRF check failed

Some Information:

  • Chrome Browser
  • We use Basic Authentication with token.
  • We do see the token we use is valid ( shows token has been used)
  • Request “Origin” and “Referer” have the same base url.
  • calling the same endpoint with same data from curl works just fine.

I found several information/Topics about that error. But since we are in a browser environment, we can’t manipulate “User-Agent” header, which some people suggest

The code for the request looks like this:

return window.fetch(url, {
    method: 'POST',
    headers: {
        'Content-Type': 'application/json; charset=UTF-8',
        'Authorization': `Basic ${Base64.encode(`${mail}:${token}`)}`,
        'X-Atlassian-Token': 'no-check'
    body: JSON.stringify(data)
}).then(response => response.json()) 
  .catch(error => console.error(`Fetch Error =\n`, error));


Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36


"permissions": [

Happy about any help!


Further Investigation:

If i use to fire the call, all works fine. But if i set the User-Agent to the one my browser defined Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 i get the same error again.

Hey Marco, Were you ever able to resolve this issue? Thanks.

After having a look at several places, did not find a solution. Then played around with headers and this worked for me.

I am injecting PUT messages to Jira Server… via Talend API tester (chrome)

User-Agent: dummyValue
Content-Type: application/json
Accept: application/json

When I modified these, it worked. no more XSRF check failed
I think it’s the user-agent that causes the issue.

Please accept this answer if this works for you.

1 Like

Hi, I know this is a very old issue but I just stumbled upon this problem as well and I thought I might be able to help people with the same issue. In our case, there were two possible solutions.

  • Change User Agents Header (Not possible as far as I know in Chrome)

  • Whitelist/Allowlist the origin domain in Jira. When you send a request to the Jira API your browser automatically populates the “origin” header. You need to add that value to the whitelist/allowlist in Jira. → See here Configuring the allowlist | Jira | Atlassian Documentation
    Type “Domain” should work.

See the issue documented by Atlassian:

REST API calls with a browser User-Agent header may fail CSRF checks | Jira | Atlassian Documentation