If the "Prevent cross site forgery request exploit" option is selected in the "Configure global" security page and a change is made and saved on the global settings page - the cross site forgery prevention option is deactivated.

This is causing issues with post-commit hooks that pass the API token as well as the crumb in the HTTP header when making RESTful calls to Jenkins.