core/modules/rest/src/Routing/ResourceRoutes.php | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/core/modules/rest/src/Routing/ResourceRoutes.php b/core/modules/rest/src/Routing/ResourceRoutes.php
index a34ec00..5012dee 100644
--- a/core/modules/rest/src/Routing/ResourceRoutes.php
+++ b/core/modules/rest/src/Routing/ResourceRoutes.php
@@ -94,6 +94,10 @@ protected function getRoutesForResourceConfig(RestResourceConfigInterface $rest_
 $methods = $route->getMethods();
 // Only expose routes where the method is enabled in the configuration.
 if ($methods && ($method = $methods[0]) && $supported_formats = $rest_resource_config->getFormats($method)) {
+if (!in_array($method, ['GET', 'HEAD'], TRUE)) {
+$route->setRequirement('_csrf_request_header_token', 'TRUE');
+}
+
 // Check that authentication providers are defined.
 if (empty($rest_resource_config->getAuthenticationProviders($method))) {
 $this->logger->error('At least one authentication provider must be defined for resource @id', [':id' => $rest_resource_config->id()]);
@@ -118,7 +122,6 @@ protected function getRoutesForResourceConfig(RestResourceConfigInterface $rest_
 // allow request bodies to be sent
 // - set the allowed authentication providers
 if (in_array($method, ['POST', 'PATCH', 'PUT'], TRUE)) {
-$route->setRequirement('_csrf_request_header_token', 'TRUE');
 // Restrict the incoming HTTP Content-type header to the allowed
 // formats.
 $route->addRequirements(['_content_type_format' => implode('|', $rest_resource_config->getFormats($method))]);
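Review bot: The new `if (!in_array($method, ['GET', 'HEAD'], TRUE))` block in the first hunk carries no comment, and the reasoning here is security-relevant enough that the next maintainer should not have to reconstruct it from history: the old requirement (removed in the second hunk) lived inside the `POST`/`PATCH`/`PUT` branch, so any route whose first method was something else — `DELETE` in particular — was exposed without the CSRF header check, and the new placement is what closes that gap. I would add above the new `if`: `// Require the CSRF header token on every non-safe method, not just the ones that carry a body (POST/PATCH/PUT); otherwise DELETE routes would be left without CSRF protection.` Note also that the exemption is an allow-list of `GET` and `HEAD` only, so `OPTIONS` (if any resource plugin ever exposes it) would now require the token — probably fine, but worth a word in the same comment if that is intended. The bullet-list comment whose tail is visible at the top of the second hunk ("// - set the allowed authentication providers") may still enumerate the CSRF requirement as part of the body-methods branch; its start is outside the hunk, so please check it does not now describe the old behaviour. The enclosing getRoutesForResourceConfig() begins and ends outside both hunks.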