diff --git a/api/users/views.py b/api/users/views.py
index 6387bcbcea9..a0ea1e171ee 100644
--- a/api/users/views.py
+++ b/api/users/views.py
@@ -897,7 +897,6 @@ def get(self, request, *args, **kwargs):
 )
 return Response(status=status.HTTP_200_OK, data={'message': status_message, 'kind': kind, 'institutional': institutional})
 
- @method_decorator(csrf_protect)
 def post(self, request, *args, **kwargs):
 serializer = self.get_serializer(data=request.data)
 serializer.is_valid(raise_exception=True)
diff --git a/api_tests/users/views/test_user_settings.py b/api_tests/users/views/test_user_settings.py
index cd4e25ff654..80f75303cdf 100644
--- a/api_tests/users/views/test_user_settings.py
+++ b/api_tests/users/views/test_user_settings.py
@@ -211,8 +211,7 @@ def test_get_invalid_email(self, app, url):
 assert res.status_code == 200
 assert not mock_send_mail.called
 
- def test_post(self, app, url, user_one, csrf_token):
- app.set_cookie(CSRF_COOKIE_NAME, csrf_token)
+ def test_post(self, app, url, user_one):
 encoded_email = urllib.parse.quote(user_one.email)
 url = f'{url}?email={encoded_email}'
 res = app.get(url)
@@ -227,7 +226,7 @@ def test_post(self, app, url, user_one, csrf_token):
 }
 }
 
- res = app.post_json_api(url, payload, headers={'X-CSRFToken': csrf_token})
+ res = app.post_json_api(url, payload)
 user_one.reload()
 assert res.status_code == 200
 assert user_one.check_password('password2')
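Review bot: Removing `@method_decorator(csrf_protect)` from `post` takes away the only CSRF check visible on a request that, according to the updated test in api_tests/users/views/test_user_settings.py, ends in a changed password (`user_one.check_password('password2')`). Whether that is safe depends on the view's authentication classes, which are outside this hunk: if a session cookie is accepted here and the class or its authentication backend is not covered by Django REST Framework's default CSRF enforcement, a logged-in user's browser can be made to submit this request from another origin. If the request is meant to be authorized by something carried in the payload rather than by a session cookie, record that on the method, e.g. `# CSRF not enforced: request is authorized by the payload, not by a session cookie`; otherwise keep the decorator. The body of `post` continues past the end of the hunk.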
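Review bot: With the `csrf_token` fixture, the `app.set_cookie(CSRF_COOKIE_NAME, csrf_token)` call and the `headers={'X-CSRFToken': csrf_token}` argument removed (this hunk and the one at `@@ -227,7 +226,7 @@`), `test_post` now only proves that a POST carrying no CSRF token succeeds; nothing left in the suite states what a session-authenticated request without a token should get back, so a regression in either direction would pass unnoticed. If the view is meant to stay exempt, say so where the token was dropped, e.g. `# no CSRF token on purpose: the view in api/users/views.py no longer enforces it`; if it is not, the removed cookie and header lines should stay and a companion test should assert the rejection status for a POST that omits them. `test_post` continues beyond both hunks.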