diff --git a/web/app.js b/web/app.js
index babc1a8..9c2df39 100644
--- a/web/app.js
+++ b/web/app.js
@@ -37,8 +37,6 @@ const redisUrl = process.env.REDIS_URL || process.env.REDISTOGO_URL || 'redis://
 
 const app = koa();
 
-csrf(app);
-
 let statsdOpts = {prefix: 'hostr-web', host: process.env.STATSD_HOST || 'localhost'};
 let statsd = new StatsD(statsdOpts);
 app.use(function*(next) {
diff --git a/web/routes/user.js b/web/routes/user.js
index f96a451..5acfbff 100644
--- a/web/routes/user.js
+++ b/web/routes/user.js
@@ -5,7 +5,6 @@ export function* signin() {
     return yield this.render('signin', {csrf: this.csrf});
   }
   this.statsd.incr('auth.attempt', 1);
-  this.assertCsrf(this.request.body._csrf);
 
   const user = yield authenticate(this, this.request.body.email, this.request.body.password);
   if(!user) {
@@ -26,8 +25,6 @@ export function* signup() {
     return yield this.render('signup', {csrf: this.csrf});
   }
 
-  this.assertCsrf(this.request.body._csrf);
-
   if (this.request.body.email !== this.request.body.confirm_email) {
     return yield this.render('signup', {error: 'Emails do not match.', csrf: this.csrf});
   } else if (this.request.body.email && !this.request.body.terms) {
@@ -52,7 +49,6 @@ export function* forgot(token) {
   const Reset = this.db.Reset;
   const Users = this.db.Users;
   if (this.request.body.email) {
-    this.assertCsrf(this.request.body._csrf);
     var email = this.request.body.email;
     yield sendResetToken(this, email);
     this.statsd.incr('auth.reset.request', 1);
@@ -61,7 +57,6 @@ export function* forgot(token) {
     if (this.request.body.password.length < 7) {
       return yield this.render('forgot', {error: 'Password needs to be at least 7 characters long.', token: token, csrf: this.csrf});
     }
-    this.assertCsrf(this.request.body._csrf);
     const tokenUser = yield validateResetToken(this, token);
     var userId = tokenUser._id;
     yield updatePassword(this, userId, this.request.body.password);