CSRF Protection
Cross-Site Request Forgery (CSRF) protection in TeamCity imposes a number of requirements on HTTP requests.
Since version 2020.1, TeamCity uses only CSRF tokens as a protection measure. In previous versions of TeamCity, Origin/Referer
headers were also used.
To obtain a security token, send the GET https://your-server/authenticationTest.html?csrf request.
To pass the token, use the X-TC-CSRF-Token HTTP request header or the tc-csrf-token HTTP parameter.
When considering HTTP request safety from the TeamCity perspective, the following checks are made in order:
1. If an HTTP request is a non-modifying one (such as GET), it is considered safe.
2. If an HTTP request carries a CSRF token, either in the parameter or in the HTTP header, and this token matches the one stored in the user session, it is considered safe.
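The check order above, modelled as an added Python example (this is an illustration, not TeamCity's own code); the Session and Request classes, the random token generation, and the treatment of HEAD and OPTIONS as non-modifying alongside GET are assumptions not stated on this page.

```python
"""Model of the CSRF check order described above (added illustration, not TeamCity's code)."""
import hmac
import secrets
from dataclasses import dataclass, field

# Header and parameter names are the ones documented on this page.
CSRF_HEADER = "X-TC-CSRF-Token"
CSRF_PARAM = "tc-csrf-token"
# Assumption: HEAD and OPTIONS are treated as non-modifying like GET (RFC 7231 safe methods).
NON_MODIFYING_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Session:
    """Minimal stand-in for a server-side user session holding the issued CSRF token."""
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))  # assumed format


@dataclass
class Request:
    """Only the parts of an HTTP request the CSRF check looks at."""
    method: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


def issue_csrf_token(session: Session) -> str:
    """What GET /authenticationTest.html?csrf hands back: the token bound to this session."""
    return session.csrf_token


def is_request_safe(request: Request, session: Session) -> bool:
    """Apply the two checks in the order the page lists them."""
    # Check 1: non-modifying requests are safe without any token.
    if request.method.upper() in NON_MODIFYING_METHODS:
        return True
    # Check 2: a token supplied in the header or the parameter must match the session's token.
    # Header names are case-insensitive, so normalise before the lookup.
    headers = {k.lower(): v for k, v in request.headers.items()}
    supplied = headers.get(CSRF_HEADER.lower()) or request.params.get(CSRF_PARAM)
    if not supplied:
        return False
    # Constant-time comparison so the check does not leak token bytes through timing.
    return hmac.compare_digest(supplied.encode(), session.csrf_token.encode())
```

A token issued to one session is rejected for another session, and a modifying request with no token at all fails the second check.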
For non-browser API access, we recommend using token-based authentication.
To use CORS requests, configure the CORS support as described here. This configuration is enough for GET requests.
If you need to send POST/PUT/DELETE requests via CORS, obtain a CSRF token using the authenticationTest.html?csrf call, and then provide this token with your modifying HTTP requests.
If you face problems regarding CSRF protection in TeamCity, please contact our support.