diff --git a/core/modules/rest/lib/Drupal/rest/Access/CSRFAccessCheck.php b/core/modules/rest/lib/Drupal/rest/Access/CSRFAccessCheck.php
index e96e6f7..671935c 100644
--- a/core/modules/rest/lib/Drupal/rest/Access/CSRFAccessCheck.php
+++ b/core/modules/rest/lib/Drupal/rest/Access/CSRFAccessCheck.php
@@ -43,21 +43,25 @@ public function applies(Route $route) {
    * Implements AccessCheckInterface::access().
    */
   public function access(Route $route, Request $request) {
-    $method = $request->getMethod();
-    $cookie = $request->cookies->get(session_name(), FALSE);
-    // This check only applies if
-    // 1. this is a write operation
-    // 2. the user was successfully authenticated and
-    // 3. the request comes with a session cookie.
-    if (!in_array($method, array('GET', 'HEAD', 'OPTIONS', 'TRACE'))
-      && $GLOBALS['user']->isAuthenticated()
-      && $cookie
-    ) {
-      $csrf_token = $request->headers->get('X-CSRF-Token');
-      if (!drupal_valid_token($csrf_token, 'rest')) {
-        return static::KILL;
+    $route_options = $route->getOptions();
+    if (!empty($route_options['_auth']) && in_array('cookie', $route_options['_auth'])) {
+      $method = $request->getMethod();
+      $cookie = $request->cookies->get(session_name(), FALSE);
+      // This check only applies if
+      // 1. this is a write operation
+      // 2. the user was successfully authenticated and
+      // 3. the request comes with a session cookie.
+      if (!in_array($method, array('GET', 'HEAD', 'OPTIONS', 'TRACE'))
+        && $GLOBALS['user']->isAuthenticated()
+        && $cookie
+      ) {
+        $csrf_token = $request->headers->get('X-CSRF-Token');
+        if (!drupal_valid_token($csrf_token, 'rest')) {
+          return static::KILL;
+        }
       }
     }
+    // Let other access checkers decide if the request is legit.
     return static::ALLOW;
   }
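Review bot: The numbered "This check only applies if" comment moved inside the new `_auth` guard is now incomplete, because the first condition is the one the commit adds: the route has opted into cookie authentication. I would extend it with `// 0. the route allows cookie authentication ('cookie' in its _auth option),` so a reader sees why a write request with a valid session cookie can still skip the CSRF check on a route that does not list `cookie`. On the guard line itself, `in_array('cookie', $route_options['_auth'])` should pass the strict flag, `in_array('cookie', $route_options['_auth'], TRUE)`, and if `_auth` can ever be a plain string rather than an array the `in_array` call will warn rather than fail closed, which may be worth a `is_array()` check. The `access()` method is entirely within the hunk.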