core/lib/Drupal/Core/EventSubscriber/RouteAccessResponseSubscriber.php | 2 +-
core/modules/rest/src/Routing/ResourceRoutes.php | 3 +--
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/core/lib/Drupal/Core/EventSubscriber/RouteAccessResponseSubscriber.php b/core/lib/Drupal/Core/EventSubscriber/RouteAccessResponseSubscriber.php
index b2f1312..83d277f 100644
--- a/core/lib/Drupal/Core/EventSubscriber/RouteAccessResponseSubscriber.php
+++ b/core/lib/Drupal/Core/EventSubscriber/RouteAccessResponseSubscriber.php
@@ -50,7 +50,7 @@ public function onRespond(FilterResponseEvent $event) {
 public static function getSubscribedEvents() {
 // Priority 10, so that it runs before FinishResponseSubscriber, which will
 // expose the cacheability metadata in the form of headers.
- $events[KernelEvents::RESPONSE][] = ['onRespond', 10];
+ $events[KernelEvents::RESPONSE][] = ['onRespond', 110];
 return $events;
 }
diff --git a/core/modules/rest/src/Routing/ResourceRoutes.php b/core/modules/rest/src/Routing/ResourceRoutes.php
index 5ba4c5d..a34ec00 100644
--- a/core/modules/rest/src/Routing/ResourceRoutes.php
+++ b/core/modules/rest/src/Routing/ResourceRoutes.php
@@ -94,8 +94,6 @@ protected function getRoutesForResourceConfig(RestResourceConfigInterface $rest_
 $methods = $route->getMethods();
 // Only expose routes where the method is enabled in the configuration.
 if ($methods && ($method = $methods[0]) && $supported_formats = $rest_resource_config->getFormats($method)) {
- $route->setRequirement('_csrf_request_header_token', 'TRUE');
-
 // Check that authentication providers are defined.
 if (empty($rest_resource_config->getAuthenticationProviders($method))) {
 $this->logger->error('At least one authentication provider must be defined for resource @id', [':id' => $rest_resource_config->id()]);
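Review bot: The comment directly above the changed line still reads `// Priority 10, so that it runs before FinishResponseSubscriber, which will` although the registered priority is now 110, so the explanation no longer matches the value. Change it to `// Priority 110, so that it runs before FinishResponseSubscriber, which will`, and if the jump to 110 is meant to order this subscriber ahead of some other RESPONSE listener, name that listener in the same comment so the next reader knows what the number is relative to. The getSubscribedEvents body is inside the hunk; the enclosing class is not.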
@@ -120,6 +118,7 @@ protected function getRoutesForResourceConfig(RestResourceConfigInterface $rest_
 // allow request bodies to be sent
 // - set the allowed authentication providers
 if (in_array($method, ['POST', 'PATCH', 'PUT'], TRUE)) {
+ $route->setRequirement('_csrf_request_header_token', 'TRUE');
 // Restrict the incoming HTTP Content-type header to the allowed
 // formats.
 $route->addRequirements(['_content_type_format' => implode('|', $rest_resource_config->getFormats($method))]);
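Review bot: The `_csrf_request_header_token` requirement added inside the `in_array($method, ['POST', 'PATCH', 'PUT'], TRUE)` branch now applies only to body-carrying methods, and the earlier hunk in this file removed it from the unconditional path, so a resource that enables DELETE no longer carries the CSRF requirement at all. DELETE changes state even though it has no request body, so a branch whose purpose is restricting content types is not the right gate for CSRF protection. Unless DELETE is covered somewhere not visible here, give the requirement its own condition over the unsafe methods, e.g. `if (in_array($method, ['POST', 'PATCH', 'PUT', 'DELETE'], TRUE)) { $route->setRequirement('_csrf_request_header_token', 'TRUE'); }` placed before the content-type branch. getRoutesForResourceConfig starts and ends outside this hunk.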