Improvements by the Security Team

Jenkins Security Scan

JEP-235: Agent-To-Controller Security Simplification

Matrix Authorization: Explicitly assign permissions by type (user/group)

Plugin Manager: Add inline security warnings to installed plugins list

Plugin Manager: Show on 'updates' tab when a warning would be fixed

UI/UX: Separate security and non-security administrative monitors

UI/UX: Add stack trace suppression into core as a standard behavior

UI/UX: Do not show disabled permissions in permission errors

Listen on loopback interface: Jenkins (core)

Listen on loopback interface: Maven HPI Plugin

Resource Root URL: Support serving user content from a different domain

UI/UX: Hide password form fields by default

UI/UX: Add f:secretTextarea UI analogous to f:password

Access Control for Builds: Add access control for builds admin monitor

Access Control for Builds: Add message to the build log when a build is running as SYSTEM

Jenkins user database: Do not allow signup of new users by default

Use SHA-256 for CSRF crumbs

Published Strict Crumb Issuer Plugin

Credentials: Allow credential parameters to shadow credential ids in lookup

Credentials: Support user-scoped credentials in input step

Credentials: Support more credential masking scenarios

New API token system

Add support for SHA-256/512 in update site metadata

Published Extended Security Settings Plugin

CSRF Protection: Remove requirement to have a CSRF crumb for requests with API tokens

CSRF Protection: Make the form that allows resubmission as POST work with CSRF protection enabled

CSRF Protection: Add a new administrative monitor for CSRF protection

Matrix Authorization Plugin 2.0 Overhaul

Administrative Monitors: Show admin monitors on most URLs

Administrative Monitors: Add configuration for disabling admin monitors