diff --git a/gratipay/main.py b/gratipay/main.py
index 127fe2355c..811200b545 100644
--- a/gratipay/main.py
+++ b/gratipay/main.py
@@ -99,12 +99,12 @@
 algorithm['parse_environ_into_request'],
 algorithm['parse_body_into_request'],
- security.only_allow_certain_methods,
 utils.use_tildes_for_participants,
 algorithm['redirect_to_base_url'],
 i18n.set_up_i18n,
 authentication.start_user_as_anon,
 authentication.authenticate_user_if_possible,
+ security.only_allow_certain_methods,
 csrf.extract_token_from_cookie,
 csrf.reject_forgeries,
diff --git a/tests/py/test_security.py b/tests/py/test_security.py
index fdfb5024ae..eae24c24dd 100644
--- a/tests/py/test_security.py
+++ b/tests/py/test_security.py
@@ -35,6 +35,9 @@ def test_oacm_disallows_a_bunch_of_other_stuff(self):
 def test_oacm_doesnt_choke_error_handling(self):
 assert self.client.hit("OPTIONS", "/", raise_immediately=False).code == 405
+ def test_oacm_prevents_csrf_from_choking(self):
+ assert self.client.PxST('/assets/gratipay.css').code == 405
+
 # ahtr - add_headers_to_response
diff --git a/tests/py/test_security_csrf.py b/tests/py/test_security_csrf.py
index 37b2fa3554..87dde53ad4 100644
--- a/tests/py/test_security_csrf.py
+++ b/tests/py/test_security_csrf.py
@@ -47,7 +47,3 @@ def test_csrf_cookie_set_for_most_requests(self):
 def test_no_csrf_cookie_set_for_assets(self):
 r = self.client.GET('/assets/gratipay.css')
 assert b'csrf_token' not in r.headers.cookie
-
- def test_that_missing_csrf_on_assets_doesnt_result_in_a_500(self):
- r = self.client.PxST('/assets/gratipay.css')
- assert r.code == 405
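Review bot: The new position of `security.only_allow_certain_methods` carries no explanation in the list, so a later reorder could silently undo whatever this fixes; a one-line comment next to it would pin the constraint, e.g. `# keep after authentication and before csrf (see test_oacm_prevents_csrf_from_choking)`. With this order a request using a non-whitelisted method now passes through `utils.use_tildes_for_participants`, `algorithm['redirect_to_base_url']`, `i18n.set_up_i18n`, `authentication.start_user_as_anon` and `authentication.authenticate_user_if_possible` before it is refused with a 405, where previously it was stopped right after body parsing; that is extra work spent on unsupported verbs and, if `authenticate_user_if_possible` performs a session lookup as its name suggests, it now does so for requests that will be rejected anyway — worth confirming that is acceptable. The hunk header's old line count (12) is larger than the lines shown, and the enclosing Algorithm(...) call starts and ends outside the hunk.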
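Review bot: `test_oacm_prevents_csrf_from_choking` asserts only `.code == 405`, which is the same assertion as the `test_that_missing_csrf_on_assets_doesnt_result_in_a_500` removed from tests/py/test_security_csrf.py in this commit, so the regression it guards (a 500 instead of a 405 when a non-whitelisted method hits an asset path) is recoverable only from the two test names; a docstring would keep that intent with the test, e.g. `"""A disallowed method on an asset path must be rejected with 405 by only_allow_certain_methods rather than failing with a 500 in the later csrf steps."""`. The neighbouring test uses double quotes for its string arguments while the new one uses single quotes; matching the file's existing style would be tidier. `PxST` is a helper of the test client defined outside this file, and the class the test belongs to starts outside the hunk.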