Configure Global Security

The Manage Jenkins >> Configure Global Security page allows a Jenkins administrator to enable, configure, or disable key security features that apply to the entire Jenkins environment.

In Jenkins 2.0 and later, many of the security options are enabled by default to ensure that Jenkins environments remain secure unless an administrator explicitly disables certain protections.

This section introduces fields available on the Configure Global Security page and provides links to other pages that explain the protections offered, ways to tweak the protection, and trade-offs for disabling some of them.

Jenkins Access Control

During installation, Jenkins creates the "admin" user, who has full permissions to do everything, and does not allow anonymous access. Use the Security Realm and Authorization blocks on this page to safely add and manage additional users and grant them appropriate permissions. Note that, if the setup wizard is disabled on first launch, access may not be configured securely by default.

TCP Port for Inbound Agents

Inbound agents (such as Windows agents) require a TCP port. By default, this port is disabled. If your builds use inbound agents, you must configure this port. If your builds do not use inbound agents, you should leave this port disabled. Note also that it may be possible to implement this functionality using SSH or the WebSocket transport instead.

The Global Security Settings screen also includes fields to configure or enable filters that protect against common types of intrusion. By default, Jenkins is installed in "locked-down" mode so that all of these filters are turned on. You should leave these filters enabled unless they interfere with the jobs you need to run, although in many cases you can tweak the filter but still leave it enabled. In many cases, plugins and practices are available to reduce the security vulnerability of these features.

  • Markup Formatters: Controls how HTML formatting in descriptions is handled. The default markup formatter renders text as entered (i.e. escaping HTML metacharacters). Some of these characters can be used maliciously, so the default is Plain text, but plugins are available that allow some of the formatting to be rendered.

  • CSRF Protection: CSRF is an exploit that enables an unauthorized third party to perform requests against a web application by impersonating another, authenticated user. In a Jenkins environment, a CSRF attack could allow a malicious actor to delete projects, alter builds, or modify the system configuration of the Jenkins instance. Jenkins protects from cross-site request forgery (CSRF) by default. This page explains how to work around any problems this may cause.

  • Agent → Controller Access Control: This filter prevents an agent from sending malicious commands to the controller. See Agent → Controller Security for more information. It cannot be disabled from the UI, although the filter's rules can be tweaked when necessary.
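The settings described above (access control, the inbound agent TCP port, CSRF protection and the markup formatter) can be checked from the Script Console without clicking through the page. The following Groovy script is an added example written for this page; it is not part of the Jenkins documentation or the Jenkins code base. It only reads configuration and prints findings, using the core `jenkins.model.Jenkins` getters (`getSecurityRealm`, `getAuthorizationStrategy`, `getSlaveAgentPort`, `getCrumbIssuer`, `getMarkupFormatter`); the exact wording of the findings is the example's own. The Agent → Controller filter is not checked because it cannot be turned off from the UI.

```groovy
// Added example: read-only audit of the Configure Global Security settings.
// Paste into Manage Jenkins >> Script Console on a controller you administer.
import jenkins.model.Jenkins
import hudson.security.SecurityRealm
import hudson.security.AuthorizationStrategy
import hudson.markup.EscapedMarkupFormatter

def jenkins = Jenkins.get()
def findings = []

// Jenkins Access Control: a "None" realm or "Anyone can do anything"
// authorization means the instance is effectively open to anonymous users.
if (jenkins.securityRealm == SecurityRealm.NO_AUTHENTICATION) {
    findings << "Security Realm is 'None': users are never authenticated"
}
if (jenkins.authorizationStrategy == AuthorizationStrategy.UNSECURED) {
    findings << "Authorization is 'Anyone can do anything'"
}

// TCP port for inbound agents: -1 = disabled, 0 = random, >0 = fixed port.
int agentPort = jenkins.slaveAgentPort
if (agentPort != -1) {
    String how = (agentPort == 0) ? 'random port' : "port ${agentPort}"
    findings << "Inbound agent TCP listener is enabled (${how}); disable it if no inbound agents are used"
}

// CSRF protection: a null crumb issuer means it has been switched off.
if (jenkins.crumbIssuer == null) {
    findings << "CSRF protection is disabled (no crumb issuer configured)"
}

// Markup formatter: EscapedMarkupFormatter is the "Plain text" default.
def formatter = jenkins.markupFormatter
if (!(formatter instanceof EscapedMarkupFormatter)) {
    findings << "Markup formatter is ${formatter.class.name}, not Plain text; verify the plugin's HTML sanitization is intended"
}

if (findings.isEmpty()) {
    println "No findings: global security settings match the locked-down defaults"
} else {
    println "Findings (${findings.size()}):"
    findings.each { println " - ${it}" }
}
```

Running the script requires Overall/Administer permission, the same permission needed to view the Configure Global Security page itself; it changes nothing, so it is safe to run as part of a periodic configuration review.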


