src/Form/JsonApiSettingsForm.php | 2 +-
src/Routing/ReadOnlyModeMethodFilter.php | 9 +++++----
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/Form/JsonApiSettingsForm.php b/src/Form/JsonApiSettingsForm.php
index 06ae65e..9d7e237 100644
--- a/src/Form/JsonApiSettingsForm.php
+++ b/src/Form/JsonApiSettingsForm.php
@@ -40,7 +40,7 @@ class JsonApiSettingsForm extends ConfigFormBase {
'rw' => $this->t('Accept all JSON:API create, read, update, and delete operations.'),
],
'#default_value' => $jsonapi_config->get('read_only') === TRUE ? 'r' : 'rw',
- '#description' => $this->t('Warning: If read operations alone cover your needs, you can choose to limit JSON:API to just that to reduce your exposure to potential security vulnerabilities in the adding, changing or removing of entities (content items, taxonomy terms, …) via JSON:API. Learn more about securing your site with JSON:API.', [':docs' => 'https://www.drupal.org/docs/8/modules/jsonapi/security-considerations']),
+ '#description' => $this->t('Warning: If read operations alone cover your needs, you can choose to limit JSON:API to only reads to harden the security of your: adding, changing or removing of entities (content items, taxonomy terms, …) via JSON:API is then impossible. Learn more about securing your site with JSON:API.', [':docs' => 'https://www.drupal.org/docs/8/modules/jsonapi/security-considerations']),
];
return parent::buildForm($form, $form_state);
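Review bot: The new description text on the `+` line is ungrammatical: "to harden the security of your: adding, changing or removing of entities … is then impossible" is missing the noun after "your" and reads as truncated in the settings UI. A reading that keeps the intended meaning is `…limit JSON:API to only reads to harden the security of your site: adding, changing or removing entities (content items, taxonomy terms, …) via JSON:API is then impossible.`. If the string shown here is complete, the `:docs` placeholder passed to `t()` is never referenced in the text either; presumably the `<a href=":docs">` markup around "Learn more about securing your site with JSON:API" was lost in rendering, but it is worth confirming against the file. The enclosing `buildForm()` starts outside the hunk.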
diff --git a/src/Routing/ReadOnlyModeMethodFilter.php b/src/Routing/ReadOnlyModeMethodFilter.php
index e7664e7..f12920a 100644
--- a/src/Routing/ReadOnlyModeMethodFilter.php
+++ b/src/Routing/ReadOnlyModeMethodFilter.php
@@ -54,13 +54,14 @@ class ReadOnlyModeMethodFilter implements FilterInterface {
$read_only_methods = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];
$all_supported_methods = [];
foreach ($collection->all() as $name => $route) {
+ if (!$route->hasDefault(Routes::JSON_API_ROUTE_FLAG_KEY)) {
+ continue;
+ }
+
$supported_methods = $route->getMethods();
assert(count($supported_methods) > 0, 'JSON:API routes always have a method specified.');
-
- $is_jsonapi_route = $route->hasDefault(Routes::JSON_API_ROUTE_FLAG_KEY);
$is_read_only_route = empty(array_diff($supported_methods, $read_only_methods));
-
- if ($is_jsonapi_route && !$is_read_only_route) {
+ if (!$is_read_only_route) {
$all_supported_methods = array_merge($supported_methods, $all_supported_methods);
$collection->remove($name);
}
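Review bot: The read-only decision at `$is_read_only_route = empty(array_diff($supported_methods, $read_only_methods));` still treats a JSON:API route with an empty method list (Symfony's "any method") as read-only, because `array_diff([], …)` is empty; the `assert()` above it only catches that during development, and with assertions disabled in production such a route would be left in the collection and remain writable in read-only mode. A defensive form is `$is_read_only_route = $supported_methods !== [] && empty(array_diff($supported_methods, $read_only_methods));`, which removes a method-less route rather than letting it through. Moving the JSON:API check to the `continue` guard is an improvement since non-JSON:API routes no longer trip the assertion; a one-line comment on the guard such as `// Only JSON:API routes are subject to read-only mode; leave all others untouched.` would make the intent explicit. `array_merge($supported_methods, $all_supported_methods)` can accumulate duplicate method names across routes, so if `$all_supported_methods` is surfaced later (its consumer is outside the hunk) it may need `array_unique()`. The enclosing `filter()` method continues past the end of the hunk.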