# Jenkins Server Security Hardening and Top 10 Issues > **Intro:** Jenkins is still widely used as a CI/CD control plane, but it becomes a high-value target the moment it can build untrusted code, store credentials, or deploy to production. This page focuses on defensive setup and operational hardening for a modern Jenkins controller. > > **Who this page is for** > > * Product Security engineers reviewing CI/CD platforms > * platform teams operating Jenkins > * engineering teams migrating from “it works” to “it is supportable and defensible” ## Why Jenkins is security-sensitive A Jenkins controller often has all of the following at once: * source code access; * build secrets and deployment credentials; * ability to run arbitrary build scripts; * artifact publishing permissions; * access to cloud accounts, clusters, or production environments. That makes Jenkins both a **business-critical delivery tool** and a **privileged security boundary**. If the controller is weak, the attacker does not need to compromise production directly. They can compromise the thing that ships to production. ## Recommended hardening order Use this order in real projects: 1. Put Jenkins behind a reverse proxy with TLS. 2. Turn on strict access control and remove anonymous access. 3. Use matrix-based authorization, not broad admin or developer access. 4. Stop running builds on the built-in node. 5. Harden agent-to-controller trust boundaries. 6. Review credentials usage and move long-lived secrets out where possible. 7. Lock down plugin installation and update process. 8. Restrict exposed ports and inbound agents. 9. Capture logs, audits, and backups. 10. Move configuration to JCasC so the setup is reproducible. *** ## Step-by-step hardening ### 1) Put Jenkins behind TLS and a reverse proxy **Why it matters** You want a stable external endpoint, TLS termination, request filtering, and a place to apply headers or IP allowlists. Jenkins can serve HTTP itself, but a reverse proxy is usually the cleaner production pattern. **Typical file to edit** * `/etc/nginx/conf.d/jenkins.conf` or `/etc/nginx/sites-available/jenkins.conf` **Example NGINX reverse proxy** See: [`snippets/ci/jenkins/nginx-jenkins.conf`](https://github.com/D3One/Product-Security-Gitbook/blob/main/snippets/ci/jenkins/nginx-jenkins.conf) **Typical Linux flow** ```bash sudo apt-get update sudo apt-get install -y nginx sudo cp snippets/ci/jenkins/nginx-jenkins.conf /etc/nginx/sites-available/jenkins.conf sudo ln -s /etc/nginx/sites-available/jenkins.conf /etc/nginx/sites-enabled/jenkins.conf sudo nginx -t sudo systemctl reload nginx ``` **Good practice** * expose Jenkins only on an internal interface if the reverse proxy is on the same host; * prefer corporate SSO or a dedicated identity provider in front of Jenkins if your environment supports it; * add IP allowlists for admin-only access paths where possible. *** ### 2) Verify the controller startup and network settings Modern Jenkins exposes important startup parameters at launch. In package installs these are often controlled through systemd overrides or environment files. **Common files** * `/etc/systemd/system/jenkins.service.d/override.conf` * `/etc/default/jenkins` on some Debian-based setups * Docker or Helm values if Jenkins runs in containers or Kubernetes **Example systemd override** See: [`snippets/ci/jenkins/systemd-override.conf`](https://github.com/D3One/Product-Security-Gitbook/blob/main/snippets/ci/jenkins/systemd-override.conf) **Apply it** ```bash sudo mkdir -p /etc/systemd/system/jenkins.service.d sudo cp snippets/ci/jenkins/systemd-override.conf /etc/systemd/system/jenkins.service.d/override.conf sudo systemctl daemon-reload sudo systemctl restart jenkins sudo systemctl status jenkins ``` **What to look for** * Jenkins binds where you expect; * Java options are explicit and reviewable; * home directory and log locations are known; * only the intended HTTP or HTTPS listener is enabled. *** ### 3) Configure authentication and authorization in the UI #### Menu path * **Dashboard → Manage Jenkins → Security** #### What to configure **Authentication** answers “who are you?”\ **Authorization** answers “what are you allowed to do?” A solid starting point is: * corporate SSO, LDAP, or Active Directory if available; * otherwise Jenkins own user database with controlled admin creation; * **Matrix-based security** or **Project-based Matrix Authorization** for least privilege. #### Suggested authorization pattern * `anonymous`: no access, or at most read-only landing-page access if required; * `authenticated`: minimal read/browse permissions; * `developers`: job read/build on scoped folders only; * `release-engineers`: limited deploy and credential usage only where needed; * `administrators`: full control. #### Plugin commonly used * `matrix-auth` **CLI-style installation example** ```bash jenkins-plugin-cli --plugins matrix-auth configuration-as-code antisamy-markup-formatter ``` Use the UI instead if your package does not ship `jenkins-plugin-cli`. #### Web UI checklist * open **Manage Jenkins → Security**; * choose the security realm; * disable broad anonymous access; * choose matrix authorization; * grant permissions by group, not by many individual users where possible; * save and test with a non-admin user before ending the session. *** ### 4) Keep CSRF protection enabled #### Menu path * **Manage Jenkins → Security → CSRF Protection** Use the default crumb issuer unless you have a very specific reason not to. If Jenkins is behind a proxy that causes client IP instability, enable the proxy compatibility option. **Why** CSRF lets a victim user’s browser perform unintended actions against Jenkins. That matters even on internal Jenkins instances. **Scripted clients** * username + password usually need crumb handling; * **API token authentication** is generally simpler for automation. **Crumb example** ```bash JENKINS_URL="https://jenkins.example.internal" USER="svc_ci" TOKEN="replace-me" CRUMB=$(curl -s -u "${USER}:${TOKEN}" "${JENKINS_URL}/crumbIssuer/api/json" | jq -r '.crumb') curl -X POST -u "${USER}:${TOKEN}" -H "Jenkins-Crumb: ${CRUMB}" "${JENKINS_URL}/job/example/build" ``` **Important** If you authenticate with a modern API token, many scripted flows avoid separate crumb handling. Prefer tokens over passwords for automation. *** ### 5) Do not run builds on the built-in node #### Menu path * **Manage Jenkins → Nodes and Clouds → Built-In Node → Configure** Set: * **Number of executors = 0** **Why** Build code is not trusted just because it lives in your repo. Test code, build scripts, tool installers, and pipeline steps can all execute harmful actions. If builds run on the controller, they run next to Jenkins home, plugins, secrets, and configuration. **Better pattern** * run builds on dedicated agents; * isolate trust zones with separate agent pools; * use ephemeral agents where possible. **Typical trust split** * low-trust PR jobs; * medium-trust internal build jobs; * high-trust release or signing jobs. *** ### 6) Review agent connectivity and exposed ports #### Menu path * **Manage Jenkins → Security → TCP port for inbound agents** * or **Manage Jenkins → Nodes and Clouds** for agent setup * or cloud-specific agent plugin configuration **Safer defaults** * disable the inbound TCP agent port unless you actually use inbound agents; * if you use inbound agents, prefer **WebSocket** transport when it fits your environment; * if you must expose the TCP port, use a fixed port and firewall it tightly. **What to avoid** * leaving port `50000` broadly exposed to the network; * mixing internet-reachable agents with trusted internal controller access; * one giant shared agent pool for every trust zone. **Network check** ```bash sudo ss -lntp | grep -E '8080|8443|50000' sudo ufw status numbered ``` *** ### 7) Treat plugins as supply-chain risk Jenkins plugins are powerful, and that is exactly why they are dangerous. **Process to adopt** * install only the plugins you actually need; * remove old unused plugins; * update Jenkins core and plugins regularly; * review security advisories before or during upgrade cycles; * pin and test plugin sets in non-production first. #### Menu path * **Manage Jenkins → Plugins** * **Manage Jenkins → System Information** * **Manage Jenkins → About Jenkins** **Practical checklist** * do we still use this plugin? * is it still maintained? * does it expand attack surface on the controller, UI, SCM, or agents? * does it require risky permissions? * can the same outcome be achieved with fewer plugins? **Good operational pattern** Track plugins in code or in a reviewed list instead of letting every admin install interactively in production. *** ### 8) Harden credentials handling #### Menu path * **Manage Jenkins → Credentials** * folder-level credentials under folders if you use scoped organization **Rules** * prefer short-lived credentials where possible; * prefer cloud federation or workload identity over static long-lived keys; * scope credentials to folders/jobs instead of global when possible; * separate read-only SCM credentials from deploy credentials; * rotate and retire credentials on a schedule; * do not pass secrets through freestyle job parameters or logs. **Examples of safer patterns** * GitHub App or deploy key for source retrieval; * cloud OIDC or workload identity for deployments; * Vault or external secret manager for sensitive runtime material. *** ### 9) Move configuration to JCasC If your Jenkins security posture only exists in the UI, it will drift. **Why JCasC matters** * reproducible controller rebuilds; * peer review for permission changes; * easier disaster recovery; * safer migration across environments. **Example** See: [`snippets/ci/jenkins/jcasc-security.yaml`](https://github.com/D3One/Product-Security-Gitbook/blob/main/snippets/ci/jenkins/jcasc-security.yaml) **Typical environment variable** ```bash export CASC_JENKINS_CONFIG=/var/lib/jenkins/casc_configs/jenkins.yaml sudo systemctl restart jenkins ``` **Operational flow** 1. edit the YAML in version control; 2. review it like any other infrastructure change; 3. apply it in a lower environment; 4. restart or reload according to your deployment pattern; 5. confirm the UI matches intended policy. *** ### 10) Logging, backups, and recovery At minimum, know how you would answer these questions in an incident: * who changed Jenkins security settings? * who installed a plugin? * which credentials existed and where were they used? * what jobs ran on the controller? * can we rebuild the controller from code and backup? **Minimum backup targets** * Jenkins home; * JCasC files; * plugin list; * reverse proxy config; * any external secret-management integration definitions. **Useful commands** ```bash sudo tar -C /var/lib/jenkins -czf /var/backups/jenkins-home-$(date +%F).tar.gz . sudo cp /etc/nginx/sites-available/jenkins.conf /var/backups/jenkins-nginx-$(date +%F).conf ``` *** ## Top 10 Jenkins security issues, weaknesses, and misconfigurations | # | Issue | Why it is dangerous | Better pattern | | -- | ------------------------------------------ | ------------------------------------------------------- | ------------------------------------------------------------- | | 1 | Builds run on the controller | build code can access controller filesystem and secrets | set built-in node executors to `0`, use agents | | 2 | Anonymous or broad authenticated access | easy exposure of jobs, logs, or configuration | use matrix auth and least privilege | | 3 | Shared admin accounts | no accountability, hard incident review | unique named admins and SSO | | 4 | CSRF disabled | browser-based unintended actions become possible | keep CSRF enabled | | 5 | Inbound agent port broadly exposed | increases external attack surface | disable if not needed, or firewall tightly / prefer WebSocket | | 6 | Too many plugins / stale plugins | plugin supply-chain and vulnerability risk | reduce plugin set, patch regularly | | 7 | Long-lived deploy secrets in Jenkins | secrets can be stolen from jobs or controller | use short-lived federation and scoped credentials | | 8 | One shared agent pool for all trust levels | untrusted PRs can pivot toward release jobs | split agents by trust and use ephemeral workers | | 9 | No reverse proxy / weak TLS | poor perimeter hygiene and brittle routing | use reverse proxy with TLS and controlled exposure | | 10 | UI-only configuration | drift, weak review, harder recovery | use JCasC and reviewed config | *** ## Typical legacy weaknesses vs current 2026-friendly patterns | Legacy pattern | Why teams used it | Why it is weak now | Prefer now | | ------------------------------------------ | ----------------------- | ----------------------------------------- | ------------------------------------------------------------- | | static cloud keys in Jenkins credentials | easy to get started | long-lived secrets and rotation pain | OIDC / workload identity / short-lived tokens | | controller runs everything | simplest initial setup | no isolation | controller with zero executors + ephemeral agents | | manual plugin changes in prod | fast but informal | drift and hidden risk | reviewed plugin set and staged rollout | | freestyle jobs everywhere | fast to start | weaker reviewability and policy structure | pipeline as code + folder or repo controls | | per-user script passwords | legacy automation habit | poor auditability | API tokens or non-human identities | | custom security tweaks from old blog posts | worked for old versions | often obsolete | follow current controller-isolation and current security docs | *** ## Step-by-step menu summary for a fresh production review ### Manage Jenkins → Security Review: * security realm; * authorization strategy; * anonymous access; * CSRF protection; * inbound agent port; * markup formatter / user content policy if used. ### Manage Jenkins → Nodes and Clouds Review: * built-in node executors; * agent labels; * trust segmentation; * ephemeral vs static agents; * cloud agent templates. ### Manage Jenkins → Plugins Review: * installed plugin set; * update status; * dependency sprawl; * plugins with security advisories or no owner. ### Manage Jenkins → Credentials Review: * global vs folder scope; * unused or duplicate secrets; * static cloud keys; * secrets with no clear owner. ### Host / reverse proxy / systemd layer Review: * listener addresses and ports; * TLS termination; * backup jobs; * filesystem permissions; * startup parameters. *** ## Practical review questions for Product Security * Can an untrusted pull request execute on the same agent pool as release jobs? * Can a compromised agent read controller files or request controller-side actions? * Can a developer with job-configure permission turn a normal job into a credential exfiltration job? * Are cloud deployments still using static keys in Jenkins? * Can we rebuild the controller from code and backup in less than one day? *** ## Related snippets * [JCasC security baseline](https://github.com/D3One/Product-Security-Gitbook/blob/main/snippets/ci/jenkins/jcasc-security.yaml) * [NGINX reverse proxy example](https://github.com/D3One/Product-Security-Gitbook/blob/main/snippets/ci/jenkins/nginx-jenkins.conf) * [systemd override example](https://github.com/D3One/Product-Security-Gitbook/blob/main/snippets/ci/jenkins/systemd-override.conf) ## Cross-links * [Runner Isolation and Trust Boundaries](/devsecops-cicd-and-supply-chain/index-1/runner-isolation-and-trust-boundaries.md) * [Protected Environments and Deployment Approvals](/devsecops-cicd-and-supply-chain/index-1/protected-environments-and-deployment-approvals.md) * [Security Quality Gates and Release Blocking](/devsecops-cicd-and-supply-chain/index-1/security-quality-gates-and-release-blocking.md) * [Identity and Platform Access](/architecture-api-crypto-and-identity/index-2.md) *** *Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.* --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.product-security.expert/devsecops-cicd-and-supply-chain/index-1/jenkins-server-security-hardening-and-top-10-issues.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.