[JENKINS-61133] Github webhook override breaks CSRF exclusion

Open jenkins-infra-bot opened this issue 5 years ago • 0 comments

If you have CSRF checking turned on in Global Security Settings:

 

And you have the GitHub webhook URL overridden in Jenkins Settings:

Then each webhook payload will hit a CSRF error:

I believe this is because the URL /github-webhook is hardcoded in GitHubWebHookCrumbExclusion.java.


Originally reported by ewiner, imported from: Github webhook override breaks CSRF exclusion
  • assignee: lanwen
  • status: Open
  • priority: Minor
  • component(s): github-plugin
  • resolution: Unresolved
  • votes: 0
  • watchers: 1
  • imported: 2025-12-08
  • environment: Jenkins 2.204.1 on Linux, Github plugin 1.29.5
3 attachments

jenkins-infra-bot, Feb 18 '20 18:02