CSRF Protection
Сross-Site Request Forgery (CSRF) protection in TeamCity implies a number of requirements on HTTP requests.
Since version 2020.1, TeamCity uses only CSRF tokens as a protection measure. In previous versions of TeamCity, Origin/Referer
headers were also used.
To obtain a security token, send the GET https://your-server/authenticationTest.html?csrf
request.
To pass the token, use the X-TC-CSRF-Token
HTTP request header or the tc-csrf-token
HTTP parameter.
When considering HTTP request safety from the TeamCity perspective, the following checks are sequentially made:
If an HTTP request is a non-modifying one (such as
GET
), it is considered safe.If an HTTP request has a secure CSRF token either in the parameter or in the HTTP header and this token matches the one stored in user session, it is considered safe.
For non-browser API access, we recommend using token-based authentication.
To use CORS request, configure the CORS support as described here. This configuration will be enough for GET
requests.
If you need to send POST/PUT/DELETE
requests via CORS, you should obtain a CSRF token using the authenticationTest.html?csrf
call, and then provide this token with your modifying HTTP requests.
If you face problems regarding CSRF protection in TeamCity, please contact our support.
Thanks for your feedback!