diff --git a/core/modules/rest/rest.routing.yml b/core/modules/rest/rest.routing.yml
index 2fdb1d7..ba7dd03 100644
--- a/core/modules/rest/rest.routing.yml
+++ b/core/modules/rest/rest.routing.yml
@@ -1,9 +1,9 @@
-# @deprecated This path is deprectated use the system.csrftoken route from the
+# @deprecated This route is deprecated, use the system.csrftoken route from the
 # system module instead.
 # @todo Remove this route in Drupal 9.0.0.
 rest.csrftoken:
   path: '/rest/session/token'
   defaults:
-    _controller: '\Drupal\system\Controller\CSRFTokenController::csrfToken'
+    _controller: '\Drupal\system\Controller\CsrfTokenController::csrfToken'
   requirements:
     _access: 'TRUE'
diff --git a/core/modules/system/src/Controller/CSRFTokenController.php b/core/modules/system/src/Controller/CSRFTokenController.php
index 66eda7b..7ba6d85 100644
--- a/core/modules/system/src/Controller/CSRFTokenController.php
+++ b/core/modules/system/src/Controller/CSRFTokenController.php
@@ -10,20 +10,20 @@
 /**
  * Returns responses for CSRF token routes.
  */
-class CSRFTokenController extends ControllerBase {
+class CsrfTokenController extends ControllerBase {
 
   /**
-   * The CSRF token manager.
+   * The CSRF token generator.
    *
    * @var \Drupal\Core\Access\CsrfTokenGenerator
    */
   protected $tokenGenerator;
 
   /**
-   * Constructs a new CsrfTokenGenerator object.
+   * Constructs a new CsrfTokenController object.
    *
    * @param \Drupal\Core\Access\CsrfTokenGenerator $token_generator
-   *   The CSRF token manager.
+   *   The CSRF token generator.
    */
   public function __construct(CsrfTokenGenerator $token_generator) {
     $this->tokenGenerator = $token_generator;
@@ -45,7 +45,7 @@ public static function create(ContainerInterface $container) {
    *   The response object.
    */
   public function csrfToken() {
-    return new Response($this->tokenGenerator->get('header'), 200, array('Content-Type' => 'text/plain'));
+    return new Response($this->tokenGenerator->get('header'), 200, ['Content-Type' => 'text/plain']);
   }
 
 }
diff --git a/core/modules/system/system.routing.yml b/core/modules/system/system.routing.yml
index 9449847..d258962 100644
--- a/core/modules/system/system.routing.yml
+++ b/core/modules/system/system.routing.yml
@@ -496,6 +496,6 @@ system.entity_autocomplete:
 system.csrftoken:
   path: '/session/token'
   defaults:
-    _controller: '\Drupal\system\Controller\CSRFTokenController::csrfToken'
+    _controller: '\Drupal\system\Controller\CsrfTokenController::csrfToken'
   requirements:
     _access: 'TRUE'
diff --git a/core/modules/system/tests/modules/csrf_test/csrf_test.routing.yml b/core/modules/system/tests/modules/csrf_test/csrf_test.routing.yml
index 4a4cf1e..457b60c 100644
--- a/core/modules/system/tests/modules/csrf_test/csrf_test.routing.yml
+++ b/core/modules/system/tests/modules/csrf_test/csrf_test.routing.yml
@@ -1,4 +1,4 @@
-# Tests CSRF Header Token protection.
+# Tests CSRF request header token protection.
 csrf_test.protected:
   path: csrf/protected
   defaults:
@@ -7,12 +7,12 @@ csrf_test.protected:
     _csrf_request_header_token: 'TRUE'
     _method: 'POST'
 # Tests deprecated _access_rest_csrf protection.
-# This originally was in the REST module but now is supported in Core/lib.
+# This originally was in the REST module but now is supported in core/lib.
 # @todo Remove this test route in Drupal 9.0.0.
 csrf_test.deprecated.protected:
   path: csrf/deprecated/protected
   defaults:
     _controller: '\Drupal\csrf_test\Controller\TestController::testMethod'
-  #methods:  [POST]
   requirements:
     _access_rest_csrf: 'TRUE'
+    _method: 'POST'
diff --git a/core/modules/system/tests/src/Functional/CsrfHeaderTest.php b/core/modules/system/tests/src/Functional/CsrfRequestHeaderTest.php
similarity index 84%
rename from core/modules/system/tests/src/Functional/CsrfHeaderTest.php
rename to core/modules/system/tests/src/Functional/CsrfRequestHeaderTest.php
index c52582e..d94b24d 100644
--- a/core/modules/system/tests/src/Functional/CsrfHeaderTest.php
+++ b/core/modules/system/tests/src/Functional/CsrfRequestHeaderTest.php
@@ -7,11 +7,11 @@
 use GuzzleHttp\Cookie\CookieJar;
 
 /**
- * Tests protecting routes by requiring CSRF token in the header.
+ * Tests protecting routes by requiring CSRF token in the request header.
  *
  * @group system
  */
-class CsrfHeaderTest extends BrowserTestBase {
+class CsrfRequestHeaderTest extends BrowserTestBase {
 
   /**
    * Modules to enable.
@@ -21,10 +21,10 @@ class CsrfHeaderTest extends BrowserTestBase {
   public static $modules = ['system', 'csrf_test'];
 
   /**
-   * Tests access to routes protected by CSRF header requirements.
+   * Tests access to routes protected by CSRF request header requirements.
    *
-   * This checks to one route uses _csrf_request_header_token and one that uses
-   * the deprecated _access_rest_csrf.
+   * This checks one route that uses _csrf_request_header_token and one that
+   * uses the deprecated _access_rest_csrf.
    */
   public function testRouteAccess() {
     $client = \Drupal::httpClient();
@@ -52,7 +52,7 @@ public function testRouteAccess() {
       $result = $client->post($url, $post_options);
       $this->assertEquals(200, $result->getStatusCode());
 
-      // Add cookies to post options so that all other requests are for the
+      // Add cookies to POST options so that all other requests are for the
       // authenticated user.
       $post_options['cookies']  = $cookies;