A cross site request forgery (or CSRF/XSRF) is an exploit that enables
  an unauthorized third party to take actions on a web site as you. In Jenkins,
  this could allow someone to delete jobs, builds or change Jenkins' configuration.
  
  When this option is enabled, Jenkins will check for a generated nonce value, or
  "crumb", on any request that may cause a change on the Jenkins server. This
  includes any form submission and calls to the remote API.
  
  Enabling this option can result in some problems, like the following:
  
    - Some Jenkins features (like the remote API) are more difficult to use when this option is enabled.
- Some features, especially in plugins not tested with this option enabled, may not work at all.
- If you are accessing Jenkins through a reverse proxy, it may strip the CSRF HTTP header, resulting in some protected actions failing.
  More information about CSRF exploits can be found here.