core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php | 8 ++++++--
core/lib/Drupal/Core/EventSubscriber/AuthenticationSubscriber.php | 2 +-
core/modules/rest/src/Routing/ResourceRoutes.php | 4 +---
3 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php b/core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php
index 563355a..dc8203b 100644
--- a/core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php
+++ b/core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php
@@ -89,12 +89,16 @@ public function applies(Route $route) {
 public function access(Request $request, AccountInterface $account) {
 $method = $request->getMethod();
+ // Read-only operations are always allowed.
+ if (in_array($method, ['GET', 'HEAD', 'OPTIONS', 'TRACE'])) {
+ return AccessResult::allowed();
+ }
+
 // This check only applies if
 // 1. this is a write operation
 // 2. the user was successfully authenticated and
 // 3. the request comes with a session cookie.
- if (!in_array($method, ['GET', 'HEAD', 'OPTIONS', 'TRACE'])
- && $account->isAuthenticated()
+ if ($account->isAuthenticated()
 && $this->sessionConfiguration->hasSession($request)
 ) {
 if (!$request->headers->has('X-CSRF-Token')) {
diff --git a/core/lib/Drupal/Core/EventSubscriber/AuthenticationSubscriber.php b/core/lib/Drupal/Core/EventSubscriber/AuthenticationSubscriber.php
index 8ab7f50..cbd7672 100644
--- a/core/lib/Drupal/Core/EventSubscriber/AuthenticationSubscriber.php
+++ b/core/lib/Drupal/Core/EventSubscriber/AuthenticationSubscriber.php
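Review bot: The new safe-method gate calls `in_array()` without the strict flag, whereas the `in_array($method, ['GET', 'HEAD'], TRUE)` it replaces in rest's ResourceRoutes (same patch) was type-strict; make it `if (in_array($method, ['GET', 'HEAD', 'OPTIONS', 'TRACE'], TRUE)) {` so the comparison is strict and consistent across the patch. Because `getMethod()` yields a string this is not a bypass today, but loose comparison is the kind of footgun that should not sit in a CSRF gate. The early `AccessResult::allowed()` also means any route that changes state on GET is wholly exempt from the token check, which matches the old condition but is now easy to miss; the comment should say so, e.g. `// Safe methods never require the token; routes must not mutate state on them.`, and the numbered "1. this is a write operation" comment below now documents a condition already handled above. The token validation and final return of access() continue outside the hunk.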
@@ -152,7 +152,7 @@ public static function getSubscribedEvents() {
 // Access check must be performed after routing.
 $events[KernelEvents::REQUEST][] = ['onKernelRequestFilterProvider', 31];
 $events[KernelEvents::EXCEPTION][] = ['onExceptionSendChallenge', 75];
- $events[KernelEvents::EXCEPTION][] = ['onExceptionAccessDenied', 75];
+ $events[KernelEvents::EXCEPTION][] = ['onExceptionAccessDenied', 80];
 return $events;
 }
diff --git a/core/modules/rest/src/Routing/ResourceRoutes.php b/core/modules/rest/src/Routing/ResourceRoutes.php
index 01a7fd0..27da48a 100644
--- a/core/modules/rest/src/Routing/ResourceRoutes.php
+++ b/core/modules/rest/src/Routing/ResourceRoutes.php
@@ -97,9 +97,7 @@ protected function getRoutesForResourceConfig(RestResourceConfigInterface $rest_
 // - that exist for BC
 // @see \Drupal\rest\RouteProcessor\RestResourceGetRouteProcessorBC
 if (($methods && ($method = $methods[0]) && $supported_formats = $rest_resource_config->getFormats($method)) || $route->hasOption('bc_route')) {
- if (!in_array($method, ['GET', 'HEAD'], TRUE)) {
- $route->setRequirement('_csrf_request_header_token', 'TRUE');
- }
+ $route->setRequirement('_csrf_request_header_token', 'TRUE');
 // Check that authentication providers are defined.
 if (empty($rest_resource_config->getAuthenticationProviders($method))) {
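Review bot: The bump of `onExceptionAccessDenied` from priority 75 to 80 is undocumented, and since `onExceptionSendChallenge` stays at 75 the visible effect is to break a tie between two EXCEPTION listeners that previously had no defined relative order. A one-line comment should record that dependency so a later edit does not silently reintroduce the tie, e.g. `// Must run before onExceptionSendChallenge (priority 75).` Why the access-denied handler needs to go first presumably relates to what the two listener bodies do with a 403, but those bodies are outside the hunk, so the reason should be confirmed against them and stated in the same comment.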
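Review bot: `_csrf_request_header_token` is now set for every REST route regardless of method, so the fact that GET/HEAD requests still pass depends entirely on the access checker exempting safe methods itself; that coupling is invisible here and should be written down, e.g. `// Set for all methods; CsrfRequestHeaderAccessCheck exempts safe methods itself.` Separately, when this branch is entered only through `$route->hasOption('bc_route')` with `$methods` empty, `$method` is never assigned on the condition line, so the `getAuthenticationProviders($method)` call below reads an undefined variable unless `$method` is initialised earlier in the function (outside the hunk); that is pre-existing, but now that every such route also carries the CSRF requirement it is worth a guard or an explicit default. getRoutesForResourceConfig() continues past the end of the hunk.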