diff --git a/core/modules/rest/src/Tests/CreateTest.php b/core/modules/rest/src/Tests/CreateTest.php
index 8c7db07..510b89d 100644
--- a/core/modules/rest/src/Tests/CreateTest.php
+++ b/core/modules/rest/src/Tests/CreateTest.php
@@ -366,10 +366,16 @@ public function assertCreateEntityOverRestApi($entity_type, $serialized = NULL)
     // Note: this will fail with PHP 5.6 when always_populate_raw_post_data is
     // set to something other than -1. See https://www.drupal.org/node/2456025.
     // Try first without the CSRF token, which should fail.
-    $this->httpRequest('entity/' . $entity_type, 'POST', $serialized, $this->defaultMimeType, TRUE);
-    $this->assertResponse(403, 'X-CSRF-Token request header is missing');
+    $url = Url::fromUri('internal:/entity/' . $entity_type)->setOption('query', ['_format' => $this->defaultFormat]);
+    $this->httpRequest($url, 'POST', $serialized, $this->defaultMimeType, TRUE);
+    $this->assertResponse(403);
+    $this->assertRaw('X-CSRF-Token request header is missing');
+    // Then try with an invalid CSRF token.
+    $this->httpRequest($url, 'POST', $serialized, $this->defaultMimeType, 'invalid-csrf-token');
+    $this->assertResponse(403);
+    $this->assertRaw('X-CSRF-Token request header is invalid');
     // Then try with the CSRF token.
-    $response = $this->httpRequest('entity/' . $entity_type, 'POST', $serialized, $this->defaultMimeType);
+    $response = $this->httpRequest($url, 'POST', $serialized, $this->defaultMimeType);
     $this->assertResponse(201);
 
     // Make sure that the response includes an entity in the body and check the
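Review bot: `Url::fromUri()` is called on the added `$url = …` line, but this diff adds no `use Drupal\Core\Url;` to CreateTest.php. Unless the file already imports it outside the hunk, the unqualified name resolves inside the test's own namespace and the test fatals. Confirm the import is present, or add `use Drupal\Core\Url;` with the other `use` statements. Separately, the literal `'invalid-csrf-token'` and the two expected messages are now repeated in CreateTest, DeleteTest and UpdateTest, so a shared helper on the base class would keep the three negative CSRF cases in step. The body of assertCreateEntityOverRestApi() begins and ends outside this hunk.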
diff --git a/core/modules/rest/src/Tests/DeleteTest.php b/core/modules/rest/src/Tests/DeleteTest.php
index a144342..332273a 100644
--- a/core/modules/rest/src/Tests/DeleteTest.php
+++ b/core/modules/rest/src/Tests/DeleteTest.php
@@ -38,10 +38,17 @@ public function testDelete() {
       $entity = $this->entityCreate($entity_type);
       $entity->save();
       // Try first to delete over REST API without the CSRF token.
-      $this->httpRequest($entity->urlInfo(), 'DELETE', NULL, NULL, TRUE);
-      $this->assertResponse(403, 'X-CSRF-Token request header is missing');
+      $url = $entity->toUrl()->setRouteParameter('_format', $this->defaultFormat);
+      $this->httpRequest($url, 'DELETE', NULL, 'application/hal+json', TRUE);
+      $this->assertResponse(403);
+      $this->assertRaw('X-CSRF-Token request header is missing');
+      // Then try with an invalid CSRF token.
+      $this->httpRequest($url, 'DELETE', NULL, 'application/hal+json', 'invalid-csrf-token');
+      $this->assertResponse(403);
+      $this->assertRaw('X-CSRF-Token request header is invalid');
       // Delete it over the REST API.
-      $response = $this->httpRequest($entity->urlInfo(), 'DELETE');
+      $response = $this->httpRequest($url, 'DELETE');
+      $this->assertResponse(204);
       // Clear the static cache with entity_load(), otherwise we won't see the
       // update.
       $storage = $this->container->get('entity_type.manager')
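Review bot: The two rejected DELETE calls pass a hard-coded `'application/hal+json'`, which appears to have no effect. The DELETE branch of httpRequest() shown later in this diff builds its header list from the X-CSRF-Token alone, and the successful call on the `$response = …` line passes no MIME type at all. Either pass `NULL` as before, or, if the argument is meant to matter, use the property CreateTest uses: `$this->httpRequest($url, 'DELETE', NULL, $this->defaultMimeType, TRUE);`. The format is also attached differently from CreateTest (`setRouteParameter('_format', …)` here, `setOption('query', …)` there), and a one-line comment saying why would help the next reader. testDelete() starts and ends outside the hunk.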
diff --git a/core/modules/rest/src/Tests/RESTTestBase.php b/core/modules/rest/src/Tests/RESTTestBase.php
index 2a75227..46972eb 100644
--- a/core/modules/rest/src/Tests/RESTTestBase.php
+++ b/core/modules/rest/src/Tests/RESTTestBase.php
@@ -86,7 +86,9 @@ protected function setUp() {
    * @param string $mime_type
    *   The MIME type of the transmitted content.
    * @param bool $forget_xcsrf_token
-   *   If TRUE, the CSRF token won't be included in request.
+   *   If TRUE, the CSRF token won't be included in request. If a string, that
+   *   string will be used as the CSRF token (allows for testing invalid CSRF
+   *   tokens).
    *
    * @return string
    *   The content returned from the request.
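Review bot: The `@param bool $forget_xcsrf_token` tag above the changed description still declares `bool`, although the new text documents a string value; it should read `@param bool|string $forget_xcsrf_token`. The description could also state the remaining case, e.g. `If FALSE, the valid token for the current session is sent.` (assuming `$token` is the session's token, which this hunk does not show). The parameter name now covers three behaviours (omit, valid, caller-supplied), which is worth a follow-up rename.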
@@ -132,9 +134,9 @@ protected function httpRequest($url, $method, $body = NULL, $mime_type = NULL, $
           CURLOPT_POSTFIELDS => $body,
           CURLOPT_URL => $url,
           CURLOPT_NOBODY => FALSE,
-          CURLOPT_HTTPHEADER => !$forget_xcsrf_token ? array(
+          CURLOPT_HTTPHEADER => $forget_xcsrf_token !== TRUE ? array(
             'Content-Type: ' . $mime_type,
-            'X-CSRF-Token: ' . $token,
+            'X-CSRF-Token: ' . (is_string($forget_xcsrf_token) ? $forget_xcsrf_token : $token),
           ) : array(
             'Content-Type: ' . $mime_type,
           ),
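Review bot: Replacing `!$forget_xcsrf_token` with `$forget_xcsrf_token !== TRUE` changes what truthy non-boolean arguments do: a caller passing `1` used to get no X-CSRF-Token header and now gets the valid `$token`, which would silently turn a negative CSRF test into a passing request. The same expression is repeated in the three following hunks of httpRequest(), including the DELETE branch. Computing the header once before the switch keeps them in step, e.g. `$csrf_header = $forget_xcsrf_token === TRUE ? array() : array('X-CSRF-Token: ' . (is_string($forget_xcsrf_token) ? $forget_xcsrf_token : $token));`, merged into each branch's header list. An empty string is also accepted and produces a header with no value, which libcurl probably drops rather than sends, so `''` would exercise the "missing" path instead of the "invalid" one. httpRequest() starts and ends outside these hunks.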
@@ -148,9 +150,9 @@ protected function httpRequest($url, $method, $body = NULL, $mime_type = NULL, $
           CURLOPT_POSTFIELDS => $body,
           CURLOPT_URL => $url,
           CURLOPT_NOBODY => FALSE,
-          CURLOPT_HTTPHEADER => !$forget_xcsrf_token ? array(
+          CURLOPT_HTTPHEADER => $forget_xcsrf_token !== TRUE ? array(
             'Content-Type: ' . $mime_type,
-            'X-CSRF-Token: ' . $token,
+            'X-CSRF-Token: ' . (is_string($forget_xcsrf_token) ? $forget_xcsrf_token : $token),
           ) : array(
             'Content-Type: ' . $mime_type,
           ),
@@ -164,9 +166,9 @@ protected function httpRequest($url, $method, $body = NULL, $mime_type = NULL, $
           CURLOPT_POSTFIELDS => $body,
           CURLOPT_URL => $url,
           CURLOPT_NOBODY => FALSE,
-          CURLOPT_HTTPHEADER => !$forget_xcsrf_token ? array(
+          CURLOPT_HTTPHEADER => $forget_xcsrf_token !== TRUE ? array(
             'Content-Type: ' . $mime_type,
-            'X-CSRF-Token: ' . $token,
+            'X-CSRF-Token: ' . (is_string($forget_xcsrf_token) ? $forget_xcsrf_token : $token),
           ) : array(
             'Content-Type: ' . $mime_type,
           ),
@@ -179,7 +181,9 @@ protected function httpRequest($url, $method, $body = NULL, $mime_type = NULL, $
           CURLOPT_CUSTOMREQUEST => 'DELETE',
           CURLOPT_URL => $url,
           CURLOPT_NOBODY => FALSE,
-          CURLOPT_HTTPHEADER => !$forget_xcsrf_token ? array('X-CSRF-Token: ' . $token) : array(),
+          CURLOPT_HTTPHEADER => $forget_xcsrf_token !== TRUE ? array(
+            'X-CSRF-Token: ' . (is_string($forget_xcsrf_token) ? $forget_xcsrf_token : $token),
+          ) : array(),
         );
         break;
     }
@@ -197,6 +201,8 @@ protected function httpRequest($url, $method, $body = NULL, $mime_type = NULL, $
 
     $this->verbose($method . ' request to: ' . $url .
       '<hr />Code: ' . curl_getinfo($this->curlHandle, CURLINFO_HTTP_CODE) .
+      (isset($curl_options[CURLOPT_HTTPHEADER]) ? '<hr />Request headers: ' . nl2br(print_r($curl_options[CURLOPT_HTTPHEADER], TRUE)) : '' ) .
+      (isset($curl_options[CURLOPT_POSTFIELDS]) ? '<hr />Request body: ' . nl2br(print_r($curl_options[CURLOPT_POSTFIELDS], TRUE)) : '' ) .
       '<hr />Response headers: ' . nl2br(print_r($headers, TRUE)) .
       '<hr />Response body: ' . $this->responseBody);
 
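Review bot: The added request headers and request body are concatenated into the verbose HTML without escaping, so a serialized payload containing markup (XML, or a field value with `<`) is rendered by the browser and the page no longer shows what was actually sent. Escape before `nl2br()`, e.g. `nl2br(htmlspecialchars(print_r($curl_options[CURLOPT_POSTFIELDS], TRUE)))`, and do the same on the headers line. The header dump also writes the X-CSRF-Token value into the verbose output. A comment such as `// Verbose output now contains the CSRF token; do not publish test artifacts.` would warn whoever archives these files. The statement sits inside httpRequest(), whose body extends beyond the hunk.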
diff --git a/core/modules/rest/src/Tests/UpdateTest.php b/core/modules/rest/src/Tests/UpdateTest.php
index cdef82c..7c2795e 100644
--- a/core/modules/rest/src/Tests/UpdateTest.php
+++ b/core/modules/rest/src/Tests/UpdateTest.php
@@ -382,8 +382,12 @@ protected function patchEntity(EntityInterface $entity, array $read_only_fields,
 
     // Try first without CSRF token which should fail.
     $this->httpRequest($url, 'PATCH', $serialized, $mime_type, TRUE);
-    $this->assertResponse(403, 'X-CSRF-Token request header is missing');
-
+    $this->assertResponse(403);
+    $this->assertRaw('X-CSRF-Token request header is missing');
+    // Then try with an invalid CSRF token.
+    $this->httpRequest($url, 'PATCH', $serialized, $mime_type, 'invalid-csrf-token');
+    $this->assertResponse(403);
+    $this->assertRaw('X-CSRF-Token request header is invalid');
     // Then try with CSRF token.
     $this->httpRequest($url, 'PATCH', $serialized, $mime_type);
     $this->assertResponse(200);
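Review bot: The two rejected PATCH requests assert only the 403 status and the message text, and nothing in the hunk checks that the stored entity is still unmodified afterwards. A regression that answers 403 but applies the patch anyway would therefore pass, as long as the final request succeeds. I'd reload the entity from storage after the invalid-token case and compare a patched field with its original value, under a comment like `// A rejected request must leave the entity untouched.` patchEntity() continues past the hunk, so later assertions may partly cover this, but they run after the valid PATCH and cannot tell which request applied the change.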
