diff --git a/kallithea/lib/auth.py b/kallithea/lib/auth.py
--- a/kallithea/lib/auth.py
+++ b/kallithea/lib/auth.py
@@ -760,8 +760,13 @@ class LoginRequired(object):
 log.warning('API access to %s is not allowed', loc)
 return abort(403)
- # CSRF protection - POSTs with session auth must contain correct token
- if request.POST and user.is_authenticated:
+ # CSRF protection: Whenever a request has ambient authority (whether
+ # through a session cookie or its origin IP address), it must include
+ # the correct token, unless the HTTP method is GET or HEAD (and thus
+ # guaranteed to be side effect free.
+ # Note that the 'is_authenticated' flag is True for anonymous users too,
+ # but not when the user is authenticated by API key.
+ if user.is_authenticated and request.method not in ['GET', 'HEAD']:
 token = request.POST.get(secure_form.token_key)
 if not token or token != secure_form.authentication_token():
 log.error('CSRF check failed')
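Review bot: The new comment's fourth line leaves a parenthesis open and overstates the guarantee — GET and HEAD are side-effect free only if every handler honours the safe-method convention, which this check cannot enforce; suggest `# the correct token, unless the HTTP method is GET or HEAD (which are` / `# expected to be side-effect free under the safe-method convention).`. Note also that the token is still read with `request.POST.get(secure_form.token_key)` on the following context line, so a PUT, PATCH or DELETE whose body is not form-encoded never carries a token and is always rejected; that is fail-closed, but a one-line comment saying so would stop it being mistaken for a bug. The unchanged comparison `token != secure_form.authentication_token()` is not constant-time; `hmac.compare_digest` would be the safer idiom if that line is touched later. The enclosing method of LoginRequired begins and ends outside the hunk.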