Create an admin user with full permissions, deny all permissions to anonymous, and enable CSRF protection. Now go to the Jenkins root page, click "add description", type anything, and click "Preview". You are greeted with:
<div class="textarea-preview" style="">403 No_valid_crumb_was_included_in_the_request<hr>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Error 403 </title>
<h2>HTTP ERROR: 403</h2><pre>No valid crumb was included in the request</pre>
<p>RequestURI=/markupFormatter/previewDescription</p><p><i><small><a href="http://jetty.mortbay.org/">Powered by Jetty://</a></small></i></p><br>
...
</div>
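The failure above is what a CSRF crumb check does to a POST that carries no crumb. The following is an added example, not code from Jenkins or from this report: it models the check with a hypothetical `crumbFilter` and shows the preview request with and without the crumb. The crumb field name and value are constructed samples in the shape of a crumb issuer response, and the `text` form parameter is an assumption.

```javascript
// Constructed sample in the shape of a crumb issuer response:
// the server names the request field and supplies the value for the session.
const issuedCrumb = { crumbRequestField: "Jenkins-Crumb", crumb: "constructed-sample-crumb-0123" };

// Hypothetical stand-in for the server-side CSRF filter: a POST is accepted only
// when the field named by crumbRequestField carries the crumb issued to the session.
function crumbFilter(request, expected) {
  if (request.method !== "POST") return { status: 200 };
  const sent = request.headers[expected.crumbRequestField.toLowerCase()];
  if (sent !== expected.crumb) {
    return { status: 403, body: "No valid crumb was included in the request" };
  }
  return { status: 200, body: "<rendered preview>" };
}

// Build the preview POST. With a crumb object the header is attached;
// with null the request is the one the report describes.
// The "text" parameter name is an assumption made for this example.
function buildPreviewRequest(text, crumb) {
  const headers = { "content-type": "application/x-www-form-urlencoded" };
  if (crumb) headers[crumb.crumbRequestField.toLowerCase()] = crumb.crumb;
  return {
    method: "POST",
    url: "/markupFormatter/previewDescription",
    headers,
    body: "text=" + encodeURIComponent(text),
  };
}

// Run the three cases a client-side fix has to get right.
function demo() {
  const missing = crumbFilter(buildPreviewRequest("hello", null), issuedCrumb);
  const valid = crumbFilter(buildPreviewRequest("hello", issuedCrumb), issuedCrumb);
  // A crumb from another session must be rejected just like a missing one.
  const stale = crumbFilter(
    buildPreviewRequest("hello", { ...issuedCrumb, crumb: "stale-value" }),
    issuedCrumb
  );
  return { missing: missing.status, valid: valid.status, stale: stale.status };
}

console.log(demo());
```

The fix belongs in the client code that issues the preview request: every state-changing AJAX call from the UI has to attach the crumb the page was rendered with, otherwise enabling CSRF protection breaks the feature as shown in the report.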