diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 475c62ab6c423..40c066c2b1054 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -503,9 +503,6 @@ INTERNAL_TOKEN =
 ;; Password Hash algorithm, either "argon2", "pbkdf2", "scrypt" or "bcrypt"
 ;PASSWORD_HASH_ALGO = pbkdf2
 ;;
-;; Set false to allow JavaScript to read CSRF cookie
-;CSRF_COOKIE_HTTP_ONLY = true
-;;
 ;; Validate against https://haveibeenpwned.com/Passwords to see if a password has been exposed
 ;PASSWORD_CHECK_PWN = false
 ;;
diff --git a/modules/setting/markup.go b/modules/setting/markup.go
index e105506fc068c..caf0d5f8d94b6 100644
--- a/modules/setting/markup.go
+++ b/modules/setting/markup.go
@@ -255,7 +255,7 @@ func newMarkupRenderer(name string, sec ConfigSection) {
 	}
 
 	// ATTENTION! at the moment, only a safe set like "allow-scripts" are allowed for sandbox mode.
-	// "allow-same-origin" should never be used, it leads to XSS attack, and it makes the JS in iframe can access parent window's config and CSRF token
+	// "allow-same-origin" should NEVER be used, it leads to XSS attack: makes the JS in iframe can access parent window's config and send requests with user's credentials.
 	renderContentSandbox := sec.Key("RENDER_CONTENT_SANDBOX").MustString("allow-scripts allow-popups")
 	if renderContentSandbox == "disabled" {
 		renderContentSandbox = ""
diff --git a/modules/setting/oauth2.go b/modules/setting/oauth2.go
index ae2a9d7bee71c..2dfe77dda9a9c 100644
--- a/modules/setting/oauth2.go
+++ b/modules/setting/oauth2.go
@@ -133,7 +133,7 @@ func loadOAuth2From(rootCfg ConfigProvider) {
 
 	// FIXME: at the moment, no matter oauth2 is enabled or not, it must generate a "oauth2 JWT_SECRET"
 	// Because this secret is also used as GeneralTokenSigningSecret (as a quick not-that-breaking fix for some legacy problems).
-	// Including: CSRF token, account validation token, etc ...
+	// Including: account validation token, etc ...
 	// In main branch, the signing token should be refactored (eg: one unique for LFS/OAuth2/etc ...)
 	jwtSecretBase64 := loadSecret(sec, "JWT_SECRET_URI", "JWT_SECRET")
 	if InstallLock {
diff --git a/modules/setting/security.go b/modules/setting/security.go
index 153b6bc944ff5..d60cfbbfc8690 100644
--- a/modules/setting/security.go
+++ b/modules/setting/security.go
@@ -36,8 +36,6 @@ var (
 	PasswordCheckPwn                   bool
 	SuccessfulTokensCacheSize          int
 	DisableQueryAuthToken              bool
-	CSRFCookieName                     = "_csrf"
-	CSRFCookieHTTPOnly                 = true
 	RecordUserSignupMetadata           = false
 	TwoFactorAuthEnforced              = false
 )
@@ -139,7 +137,6 @@ func loadSecurityFrom(rootCfg ConfigProvider) {
 		log.Fatal("The provided password hash algorithm was invalid: %s", sec.Key("PASSWORD_HASH_ALGO").MustString(""))
 	}
 
-	CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true)
 	PasswordCheckPwn = sec.Key("PASSWORD_CHECK_PWN").MustBool(false)
 	SuccessfulTokensCacheSize = sec.Key("SUCCESSFUL_TOKENS_CACHE_SIZE").MustInt(20)
 
diff --git a/routers/common/auth.go b/routers/common/auth.go
index 115d65ed104a8..80307906ba550 100644
--- a/routers/common/auth.go
+++ b/routers/common/auth.go
@@ -41,5 +41,4 @@ type VerifyOptions struct {
 	SignInRequired  bool
 	SignOutRequired bool
 	AdminRequired   bool
-	DisableCSRF     bool
 }
diff --git a/routers/web/auth/auth.go b/routers/web/auth/auth.go
index 2ccd1c71b5ce3..d36fb5bab75cd 100644
--- a/routers/web/auth/auth.go
+++ b/routers/web/auth/auth.go
@@ -102,7 +102,6 @@ func autoSignIn(ctx *context.Context) (bool, error) {
 		return false, err
 	}
 
-	ctx.Csrf.PrepareForSessionUser(ctx)
 	return true, nil
 }
 
@@ -357,9 +356,6 @@ func handleSignInFull(ctx *context.Context, u *user_model.User, remember, obeyRe
 		ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req)
 	}
 
-	// force to generate a new CSRF token
-	ctx.Csrf.PrepareForSessionUser(ctx)
-
 	// Register last login
 	if err := user_service.UpdateUser(ctx, u, &user_service.UpdateOptions{SetLastLogin: true}); err != nil {
 		ctx.ServerError("UpdateUser", err)
@@ -403,7 +399,6 @@ func HandleSignOut(ctx *context.Context) {
 	_ = ctx.Session.Flush()
 	_ = ctx.Session.Destroy(ctx.Resp, ctx.Req)
 	ctx.DeleteSiteCookie(setting.CookieRememberName)
-	ctx.Csrf.DeleteCookie(ctx)
 	middleware.DeleteRedirectToCookie(ctx.Resp)
 }
 
@@ -811,8 +806,6 @@ func handleAccountActivation(ctx *context.Context, user *user_model.User) {
 		return
 	}
 
-	ctx.Csrf.PrepareForSessionUser(ctx)
-
 	if err := resetLocale(ctx, user); err != nil {
 		ctx.ServerError("resetLocale", err)
 		return
diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
index f7ce5875ca873..5eab7ffeb449d 100644
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -393,9 +393,6 @@ func handleOAuth2SignIn(ctx *context.Context, authSource *auth.Source, u *user_m
 			return
 		}
 
-		// force to generate a new CSRF token
-		ctx.Csrf.PrepareForSessionUser(ctx)
-
 		if err := resetLocale(ctx, u); err != nil {
 			ctx.ServerError("resetLocale", err)
 			return
diff --git a/routers/web/githttp.go b/routers/web/githttp.go
index 06de811f16e11..4a4fb0b79fad4 100644
--- a/routers/web/githttp.go
+++ b/routers/web/githttp.go
@@ -22,5 +22,5 @@ func addOwnerRepoGitHTTPRouters(m *web.Router) {
 		m.Methods("GET,OPTIONS", "/objects/{head:[0-9a-f]{2}}/{hash:[0-9a-f]{38,62}}", repo.GetLooseObject)
 		m.Methods("GET,OPTIONS", "/objects/pack/pack-{file:[0-9a-f]{40,64}}.pack", repo.GetPackFile)
 		m.Methods("GET,OPTIONS", "/objects/pack/pack-{file:[0-9a-f]{40,64}}.idx", repo.GetIdxFile)
-	}, optSignInIgnoreCsrf, repo.HTTPGitEnabledHandler, repo.CorsHandler(), context.UserAssignmentWeb())
+	}, optSignIn, repo.HTTPGitEnabledHandler, repo.CorsHandler(), context.UserAssignmentWeb())
 }
diff --git a/routers/web/user/setting/keys.go b/routers/web/user/setting/keys.go
index 6b5a7a2e2a0bd..86eab730b1df8 100644
--- a/routers/web/user/setting/keys.go
+++ b/routers/web/user/setting/keys.go
@@ -325,7 +325,7 @@ func loadKeysData(ctx *context.Context) {
 	ctx.Data["GPGKeys"] = gpgkeys
 	tokenToSign := asymkey_model.VerificationToken(ctx.Doer, 1)
 
-	// generate a new aes cipher using the csrfToken
+	// generate a new aes cipher using the token
 	ctx.Data["TokenToSign"] = tokenToSign
 
 	principals, err := db.Find[asymkey_model.PublicKey](ctx, asymkey_model.FindPublicKeyOptions{
diff --git a/routers/web/web.go b/routers/web/web.go
index 86e51d607e2fd..ec27439c9b31d 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -129,13 +129,13 @@ func webAuth(authMethod auth_service.Method) func(*context.Context) {
 			// ensure the session uid is deleted
 			_ = ctx.Session.Delete("uid")
 		}
-
-		ctx.Csrf.PrepareForSessionUser(ctx)
 	}
 }
 
 // verifyAuthWithOptions checks authentication according to options
 func verifyAuthWithOptions(options *common.VerifyOptions) func(ctx *context.Context) {
+	crossOrginProtection := http.NewCrossOriginProtection()
+
 	return func(ctx *context.Context) {
 		// Check prohibit login users.
 		if ctx.IsSigned {
@@ -178,9 +178,9 @@ func verifyAuthWithOptions(options *common.VerifyOptions) func(ctx *context.Cont
 			return
 		}
 
-		if !options.SignOutRequired && !options.DisableCSRF && ctx.Req.Method == http.MethodPost {
-			ctx.Csrf.Validate(ctx)
-			if ctx.Written() {
+		if !options.SignOutRequired {
+			if err := crossOrginProtection.Check(ctx.Req); err != nil {
+				http.Error(ctx.Resp, err.Error(), http.StatusForbidden)
 				return
 			}
 		}
@@ -292,17 +292,20 @@ func Routes() *web.Router {
 	return routes
 }
 
-var optSignInIgnoreCsrf = verifyAuthWithOptions(&common.VerifyOptions{DisableCSRF: true})
+// required to be signed in or signed out
+var (
+	reqSignIn  = verifyAuthWithOptions(&common.VerifyOptions{SignInRequired: true})
+	reqSignOut = verifyAuthWithOptions(&common.VerifyOptions{SignOutRequired: true})
+)
+
+// optional sign in (if signed in, use the user as doer, if not, no doer)
+var (
+	optSignIn        = verifyAuthWithOptions(&common.VerifyOptions{SignInRequired: setting.Service.RequireSignInViewStrict})
+	optExploreSignIn = verifyAuthWithOptions(&common.VerifyOptions{SignInRequired: setting.Service.RequireSignInViewStrict || setting.Service.Explore.RequireSigninView})
+)
 
 // registerWebRoutes register routes
 func registerWebRoutes(m *web.Router) {
-	// required to be signed in or signed out
-	reqSignIn := verifyAuthWithOptions(&common.VerifyOptions{SignInRequired: true})
-	reqSignOut := verifyAuthWithOptions(&common.VerifyOptions{SignOutRequired: true})
-	// optional sign in (if signed in, use the user as doer, if not, no doer)
-	optSignIn := verifyAuthWithOptions(&common.VerifyOptions{SignInRequired: setting.Service.RequireSignInViewStrict})
-	optExploreSignIn := verifyAuthWithOptions(&common.VerifyOptions{SignInRequired: setting.Service.RequireSignInViewStrict || setting.Service.Explore.RequireSigninView})
-
 	validation.AddBindingRules()
 
 	openIDSignInEnabled := func(ctx *context.Context) {
@@ -489,7 +492,7 @@ func registerWebRoutes(m *web.Router) {
 	m.Post("/-/markup", reqSignIn, web.Bind(structs.MarkupOption{}), misc.Markup)
 
 	m.Get("/-/web-theme/list", misc.WebThemeList)
-	m.Post("/-/web-theme/apply", optSignInIgnoreCsrf, misc.WebThemeApply)
+	m.Post("/-/web-theme/apply", misc.WebThemeApply)
 
 	m.Group("/explore", func() {
 		m.Get("", func(ctx *context.Context) {
@@ -565,12 +568,14 @@ func registerWebRoutes(m *web.Router) {
 			m.Post("/grant", web.Bind(forms.GrantApplicationForm{}), auth.GrantApplicationOAuth)
 			// TODO manage redirection
 			m.Post("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
-		}, optSignInIgnoreCsrf, reqSignIn)
+		}, reqSignIn)
 
-		m.Methods("GET, POST, OPTIONS", "/userinfo", optionsCorsHandler(), optSignInIgnoreCsrf, auth.InfoOAuth)
-		m.Methods("POST, OPTIONS", "/access_token", optionsCorsHandler(), web.Bind(forms.AccessTokenForm{}), optSignInIgnoreCsrf, auth.AccessTokenOAuth)
-		m.Methods("GET, OPTIONS", "/keys", optionsCorsHandler(), optSignInIgnoreCsrf, auth.OIDCKeys)
-		m.Methods("POST, OPTIONS", "/introspect", optionsCorsHandler(), web.Bind(forms.IntrospectTokenForm{}), optSignInIgnoreCsrf, auth.IntrospectOAuth)
+		m.Group("", func() {
+			m.Methods("GET, POST, OPTIONS", "/userinfo", auth.InfoOAuth)
+			m.Methods("POST, OPTIONS", "/access_token", web.Bind(forms.AccessTokenForm{}), auth.AccessTokenOAuth)
+			m.Methods("GET, OPTIONS", "/keys", auth.OIDCKeys)
+			m.Methods("POST, OPTIONS", "/introspect", web.Bind(forms.IntrospectTokenForm{}), auth.IntrospectOAuth)
+		}, optSignIn, optionsCorsHandler())
 	}, oauth2Enabled)
 
 	m.Group("/user/settings", func() {
@@ -1653,7 +1658,7 @@ func registerWebRoutes(m *web.Router) {
 		m.Post("/action/{action:accept_transfer|reject_transfer}", reqSignIn, repo.ActionTransfer)
 	}, optSignIn, context.RepoAssignment)
 
-	common.AddOwnerRepoGitLFSRoutes(m, optSignInIgnoreCsrf, lfsServerEnabled) // "/{username}/{reponame}/{lfs-paths}": git-lfs support
+	common.AddOwnerRepoGitLFSRoutes(m, optSignIn, lfsServerEnabled) // "/{username}/{reponame}/{lfs-paths}": git-lfs support
 
 	addOwnerRepoGitHTTPRouters(m) // "/{username}/{reponame}/{git-paths}": git http support
 
diff --git a/services/auth/auth.go b/services/auth/auth.go
index 291e78a7358a9..90e2115bc5f60 100644
--- a/services/auth/auth.go
+++ b/services/auth/auth.go
@@ -19,7 +19,6 @@ import (
 	"code.gitea.io/gitea/modules/session"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/web/middleware"
-	gitea_context "code.gitea.io/gitea/services/context"
 	user_service "code.gitea.io/gitea/services/user"
 )
 
@@ -162,9 +161,4 @@ func handleSignIn(resp http.ResponseWriter, req *http.Request, sess SessionStore
 	}
 
 	middleware.SetLocaleCookie(resp, user.Language, 0)
-
-	// force to generate a new CSRF token
-	if ctx := gitea_context.GetWebContext(req.Context()); ctx != nil {
-		ctx.Csrf.PrepareForSessionUser(ctx)
-	}
 }
diff --git a/services/context/api.go b/services/context/api.go
index d698b9116375b..591efadf3751f 100644
--- a/services/context/api.go
+++ b/services/context/api.go
@@ -227,7 +227,7 @@ func APIContexter() func(http.Handler) http.Handler {
 
 			ctx.SetContextValue(apiContextKey, ctx)
 
-			// If request sends files, parse them here otherwise the Query() can't be parsed and the CsrfToken will be invalid.
+			// FIXME: GLOBAL-PARSE-FORM: see more details in another FIXME comment
 			if ctx.Req.Method == http.MethodPost && strings.Contains(ctx.Req.Header.Get("Content-Type"), "multipart/form-data") {
 				if !ctx.ParseMultipartForm() {
 					return
diff --git a/services/context/context.go b/services/context/context.go
index 26b5bd3775b7a..2d42c4a5fd93e 100644
--- a/services/context/context.go
+++ b/services/context/context.go
@@ -6,14 +6,12 @@ package context
 
 import (
 	"context"
-	"encoding/hex"
 	"fmt"
 	"html/template"
 	"io"
 	"net/http"
 	"net/url"
 	"strings"
-	"time"
 
 	"code.gitea.io/gitea/models/unit"
 	user_model "code.gitea.io/gitea/models/user"
@@ -48,7 +46,6 @@ type Context struct {
 	PageData map[string]any // data used by JavaScript modules in one page, it's `window.config.pageData`
 
 	Cache   cache.StringCache
-	Csrf    CSRFProtector
 	Flash   *middleware.Flash
 	Session session.Store
 
@@ -143,18 +140,6 @@ func NewWebContext(base *Base, render Render, session session.Store) *Context {
 // Contexter initializes a classic context for a request.
 func Contexter() func(next http.Handler) http.Handler {
 	rnd := templates.HTMLRenderer()
-	csrfOpts := CsrfOptions{
-		Secret:         hex.EncodeToString(setting.GetGeneralTokenSigningSecret()),
-		Cookie:         setting.CSRFCookieName,
-		Secure:         setting.SessionConfig.Secure,
-		CookieHTTPOnly: setting.CSRFCookieHTTPOnly,
-		CookieDomain:   setting.SessionConfig.Domain,
-		CookiePath:     setting.SessionConfig.CookiePath,
-		SameSite:       setting.SessionConfig.SameSite,
-	}
-	if !setting.IsProd {
-		CsrfTokenRegenerationInterval = 5 * time.Second // in dev, re-generate the tokens more aggressively for debug purpose
-	}
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
 			base := NewBaseContext(resp, req)
@@ -167,8 +152,6 @@ func Contexter() func(next http.Handler) http.Handler {
 			ctx.PageData = map[string]any{}
 			ctx.Data["PageData"] = ctx.PageData
 
-			ctx.Csrf = NewCSRFProtector(csrfOpts)
-
 			// get the last flash message from cookie
 			lastFlashCookie, lastFlashMsg := middleware.GetSiteCookieFlashMessage(ctx, ctx.Req, CookieNameFlash)
 			if vals, _ := url.ParseQuery(lastFlashCookie); len(vals) > 0 {
@@ -184,7 +167,10 @@ func Contexter() func(next http.Handler) http.Handler {
 				}
 			})
 
-			// If request sends files, parse them here otherwise the Query() can't be parsed and the CsrfToken will be invalid.
+			// FIXME: GLOBAL-PARSE-FORM: this ParseMultipartForm was used for parsing the csrf token from multipart/form-data
+			// We have dropped the csrf token, so ideally this global ParseMultipartForm should be removed.
+			// When removing this, we need to avoid regressions in the handler functions because Golang's http framework is quite fragile
+			// and developers sometimes need to manually prase the form before accessing some values.
 			if ctx.Req.Method == http.MethodPost && strings.Contains(ctx.Req.Header.Get("Content-Type"), "multipart/form-data") {
 				if !ctx.ParseMultipartForm() {
 					return
diff --git a/services/context/context_cookie.go b/services/context/context_cookie.go
index b6f8dadb5665a..a28ae3b33dd43 100644
--- a/services/context/context_cookie.go
+++ b/services/context/context_cookie.go
@@ -25,13 +25,11 @@ func removeSessionCookieHeader(w http.ResponseWriter) {
 }
 
 // SetSiteCookie convenience function to set most cookies consistently
-// CSRF and a few others are the exception here
 func (ctx *Context) SetSiteCookie(name, value string, maxAge int) {
 	middleware.SetSiteCookie(ctx.Resp, name, value, maxAge)
 }
 
 // DeleteSiteCookie convenience function to delete most cookies consistently
-// CSRF and a few others are the exception here
 func (ctx *Context) DeleteSiteCookie(name string) {
 	middleware.SetSiteCookie(ctx.Resp, name, "", -1)
 }
diff --git a/services/context/csrf.go b/services/context/csrf.go
deleted file mode 100644
index aa99f34b0301a..0000000000000
--- a/services/context/csrf.go
+++ /dev/null
@@ -1,168 +0,0 @@
-// Copyright 2013 Martini Authors
-// Copyright 2014 The Macaron Authors
-// Copyright 2021 The Gitea Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License"): you may
-// not use this file except in compliance with the License. You may obtain
-// a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-// License for the specific language governing permissions and limitations
-// under the License.
-// SPDX-License-Identifier: Apache-2.0
-
-// a middleware that generates and validates CSRF tokens.
-
-package context
-
-import (
-	"html/template"
-	"net/http"
-	"strconv"
-	"time"
-
-	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/util"
-)
-
-const (
-	CsrfHeaderName = "X-Csrf-Token"
-	CsrfFormName   = "_csrf"
-)
-
-// CSRFProtector represents a CSRF protector and is used to get the current token and validate the token.
-type CSRFProtector interface {
-	// PrepareForSessionUser prepares the csrf protector for the current session user.
-	PrepareForSessionUser(ctx *Context)
-	// Validate validates the csrf token in http context.
-	Validate(ctx *Context)
-	// DeleteCookie deletes the csrf cookie
-	DeleteCookie(ctx *Context)
-}
-
-type csrfProtector struct {
-	opt CsrfOptions
-	// id must be unique per user.
-	id string
-	// token is the valid one which will be used by end user and passed via header, cookie, or hidden form value.
-	token string
-}
-
-// CsrfOptions maintains options to manage behavior of Generate.
-type CsrfOptions struct {
-	// The global secret value used to generate Tokens.
-	Secret string
-	// Cookie value used to set and get token.
-	Cookie string
-	// Cookie domain.
-	CookieDomain string
-	// Cookie path.
-	CookiePath     string
-	CookieHTTPOnly bool
-	// SameSite set the cookie SameSite type
-	SameSite http.SameSite
-	// Set the Secure flag to true on the cookie.
-	Secure bool
-	// sessionKey is the key used for getting the unique ID per user.
-	sessionKey string
-	// oldSessionKey saves old value corresponding to sessionKey.
-	oldSessionKey string
-}
-
-func newCsrfCookie(opt *CsrfOptions, value string) *http.Cookie {
-	return &http.Cookie{
-		Name:     opt.Cookie,
-		Value:    value,
-		Path:     opt.CookiePath,
-		Domain:   opt.CookieDomain,
-		MaxAge:   int(CsrfTokenTimeout.Seconds()),
-		Secure:   opt.Secure,
-		HttpOnly: opt.CookieHTTPOnly,
-		SameSite: opt.SameSite,
-	}
-}
-
-func NewCSRFProtector(opt CsrfOptions) CSRFProtector {
-	if opt.Secret == "" {
-		panic("CSRF secret is empty but it must be set") // it shouldn't happen because it is always set in code
-	}
-	opt.Cookie = util.IfZero(opt.Cookie, "_csrf")
-	opt.CookiePath = util.IfZero(opt.CookiePath, "/")
-	opt.sessionKey = "uid"
-	opt.oldSessionKey = "_old_" + opt.sessionKey
-	return &csrfProtector{opt: opt}
-}
-
-func (c *csrfProtector) PrepareForSessionUser(ctx *Context) {
-	c.id = "0"
-	if uidAny := ctx.Session.Get(c.opt.sessionKey); uidAny != nil {
-		switch uidVal := uidAny.(type) {
-		case string:
-			c.id = uidVal
-		case int64:
-			c.id = strconv.FormatInt(uidVal, 10)
-		default:
-			log.Error("invalid uid type in session: %T", uidAny)
-		}
-	}
-
-	oldUID := ctx.Session.Get(c.opt.oldSessionKey)
-	uidChanged := oldUID == nil || oldUID.(string) != c.id
-	cookieToken := ctx.GetSiteCookie(c.opt.Cookie)
-
-	needsNew := true
-	if uidChanged {
-		_ = ctx.Session.Set(c.opt.oldSessionKey, c.id)
-	} else if cookieToken != "" {
-		// If cookie token present, re-use existing unexpired token, else generate a new one.
-		if issueTime, ok := ParseCsrfToken(cookieToken); ok {
-			dur := time.Since(issueTime) // issueTime is not a monotonic-clock, the server time may change a lot to an early time.
-			if dur >= -CsrfTokenRegenerationInterval && dur <= CsrfTokenRegenerationInterval {
-				c.token = cookieToken
-				needsNew = false
-			}
-		}
-	}
-
-	if needsNew {
-		c.token = GenerateCsrfToken(c.opt.Secret, c.id, "POST", time.Now())
-		ctx.Resp.Header().Add("Set-Cookie", newCsrfCookie(&c.opt, c.token).String())
-	}
-
-	ctx.Data["CsrfToken"] = c.token
-	ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + template.HTMLEscapeString(c.token) + `">`)
-}
-
-func (c *csrfProtector) validateToken(ctx *Context, token string) {
-	if !ValidCsrfToken(token, c.opt.Secret, c.id, "POST", time.Now()) {
-		c.DeleteCookie(ctx)
-		// currently, there should be no access to the APIPath with CSRF token. because templates shouldn't use the `/api/` endpoints.
-		// FIXME: distinguish what the response is for: HTML (web page) or JSON (fetch)
-		http.Error(ctx.Resp, "Invalid CSRF token.", http.StatusBadRequest)
-	}
-}
-
-// Validate should be used as a per route middleware. It attempts to get a token from an "X-Csrf-Token"
-// HTTP header and then a "_csrf" form value. If one of these is found, the token will be validated.
-// If this validation fails, http.StatusBadRequest is sent.
-func (c *csrfProtector) Validate(ctx *Context) {
-	if token := ctx.Req.Header.Get(CsrfHeaderName); token != "" {
-		c.validateToken(ctx, token)
-		return
-	}
-	if token := ctx.Req.FormValue(CsrfFormName); token != "" {
-		c.validateToken(ctx, token)
-		return
-	}
-	c.validateToken(ctx, "") // no csrf token, use an empty token to respond error
-}
-
-func (c *csrfProtector) DeleteCookie(ctx *Context) {
-	cookie := newCsrfCookie(&c.opt, "")
-	cookie.MaxAge = -1
-	ctx.Resp.Header().Add("Set-Cookie", cookie.String())
-}
diff --git a/services/context/xsrf.go b/services/context/xsrf.go
deleted file mode 100644
index 15e36d1859859..0000000000000
--- a/services/context/xsrf.go
+++ /dev/null
@@ -1,99 +0,0 @@
-// Copyright 2012 Google Inc. All Rights Reserved.
-// Copyright 2014 The Macaron Authors
-// Copyright 2020 The Gitea Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-// SPDX-License-Identifier: Apache-2.0
-
-package context
-
-import (
-	"bytes"
-	"crypto/hmac"
-	"crypto/sha1"
-	"crypto/subtle"
-	"encoding/base64"
-	"fmt"
-	"strconv"
-	"strings"
-	"time"
-)
-
-// CsrfTokenTimeout represents the duration that XSRF tokens are valid.
-// It is exported so clients may set cookie timeouts that match generated tokens.
-const CsrfTokenTimeout = 24 * time.Hour
-
-// CsrfTokenRegenerationInterval is the interval between token generations, old tokens are still valid before CsrfTokenTimeout
-var CsrfTokenRegenerationInterval = 10 * time.Minute
-
-var csrfTokenSep = []byte(":")
-
-// GenerateCsrfToken returns a URL-safe secure XSRF token that expires in CsrfTokenTimeout hours.
-// key is a secret key for your application.
-// userID is a unique identifier for the user.
-// actionID is the action the user is taking (e.g. POSTing to a particular path).
-func GenerateCsrfToken(key, userID, actionID string, now time.Time) string {
-	nowUnixNano := now.UnixNano()
-	nowUnixNanoStr := strconv.FormatInt(nowUnixNano, 10)
-	h := hmac.New(sha1.New, []byte(key))
-	h.Write([]byte(strings.ReplaceAll(userID, ":", "_")))
-	h.Write(csrfTokenSep)
-	h.Write([]byte(strings.ReplaceAll(actionID, ":", "_")))
-	h.Write(csrfTokenSep)
-	h.Write([]byte(nowUnixNanoStr))
-	tok := fmt.Sprintf("%s:%s", h.Sum(nil), nowUnixNanoStr)
-	return base64.RawURLEncoding.EncodeToString([]byte(tok))
-}
-
-func ParseCsrfToken(token string) (issueTime time.Time, ok bool) {
-	data, err := base64.RawURLEncoding.DecodeString(token)
-	if err != nil {
-		return time.Time{}, false
-	}
-
-	pos := bytes.LastIndex(data, csrfTokenSep)
-	if pos == -1 {
-		return time.Time{}, false
-	}
-	nanos, err := strconv.ParseInt(string(data[pos+1:]), 10, 64)
-	if err != nil {
-		return time.Time{}, false
-	}
-	return time.Unix(0, nanos), true
-}
-
-// ValidCsrfToken returns true if token is a valid and unexpired token returned by Generate.
-func ValidCsrfToken(token, key, userID, actionID string, now time.Time) bool {
-	issueTime, ok := ParseCsrfToken(token)
-	if !ok {
-		return false
-	}
-
-	// Check that the token is not expired.
-	if now.Sub(issueTime) >= CsrfTokenTimeout {
-		return false
-	}
-
-	// Check that the token is not from the future.
-	// Allow 1-minute grace period in case the token is being verified on a
-	// machine whose clock is behind the machine that issued the token.
-	if issueTime.After(now.Add(1 * time.Minute)) {
-		return false
-	}
-
-	expected := GenerateCsrfToken(key, userID, actionID, issueTime)
-
-	// Check that the token matches the expected value.
-	// Use constant time comparison to avoid timing attacks.
-	return subtle.ConstantTimeCompare([]byte(token), []byte(expected)) == 1
-}
diff --git a/services/context/xsrf_test.go b/services/context/xsrf_test.go
deleted file mode 100644
index 21cda5d5d46e4..0000000000000
--- a/services/context/xsrf_test.go
+++ /dev/null
@@ -1,91 +0,0 @@
-// Copyright 2012 Google Inc. All Rights Reserved.
-// Copyright 2014 The Macaron Authors
-// Copyright 2020 The Gitea Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-// SPDX-License-Identifier: Apache-2.0
-
-package context
-
-import (
-	"encoding/base64"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-)
-
-const (
-	key      = "quay"
-	userID   = "12345678"
-	actionID = "POST /form"
-)
-
-var (
-	now              = time.Now()
-	oneMinuteFromNow = now.Add(1 * time.Minute)
-)
-
-func Test_ValidToken(t *testing.T) {
-	t.Run("Validate token", func(t *testing.T) {
-		tok := GenerateCsrfToken(key, userID, actionID, now)
-		assert.True(t, ValidCsrfToken(tok, key, userID, actionID, oneMinuteFromNow))
-		assert.True(t, ValidCsrfToken(tok, key, userID, actionID, now.Add(CsrfTokenTimeout-1*time.Nanosecond)))
-		assert.True(t, ValidCsrfToken(tok, key, userID, actionID, now.Add(-1*time.Minute)))
-	})
-}
-
-// Test_SeparatorReplacement tests that separators are being correctly substituted
-func Test_SeparatorReplacement(t *testing.T) {
-	t.Run("Test two separator replacements", func(t *testing.T) {
-		assert.NotEqual(t, GenerateCsrfToken("foo:bar", "baz", "wah", now),
-			GenerateCsrfToken("foo", "bar:baz", "wah", now))
-	})
-}
-
-func Test_InvalidToken(t *testing.T) {
-	t.Run("Test invalid tokens", func(t *testing.T) {
-		invalidTokenTests := []struct {
-			name, key, userID, actionID string
-			t                           time.Time
-		}{
-			{"Bad key", "foobar", userID, actionID, oneMinuteFromNow},
-			{"Bad userID", key, "foobar", actionID, oneMinuteFromNow},
-			{"Bad actionID", key, userID, "foobar", oneMinuteFromNow},
-			{"Expired", key, userID, actionID, now.Add(CsrfTokenTimeout)},
-			{"More than 1 minute from the future", key, userID, actionID, now.Add(-1*time.Nanosecond - 1*time.Minute)},
-		}
-
-		tok := GenerateCsrfToken(key, userID, actionID, now)
-		for _, itt := range invalidTokenTests {
-			assert.False(t, ValidCsrfToken(tok, itt.key, itt.userID, itt.actionID, itt.t))
-		}
-	})
-}
-
-// Test_ValidateBadData primarily tests that no unexpected panics are triggered during parsing
-func Test_ValidateBadData(t *testing.T) {
-	t.Run("Validate bad data", func(t *testing.T) {
-		badDataTests := []struct {
-			name, tok string
-		}{
-			{"Invalid Base64", "ASDab24(@)$*=="},
-			{"No delimiter", base64.URLEncoding.EncodeToString([]byte("foobar12345678"))},
-			{"Invalid time", base64.URLEncoding.EncodeToString([]byte("foobar:foobar"))},
-		}
-
-		for _, bdt := range badDataTests {
-			assert.False(t, ValidCsrfToken(bdt.tok, key, userID, actionID, oneMinuteFromNow))
-		}
-	})
-}
diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl
index 7b96b4e94fd2b..d29a52b76bde8 100644
--- a/templates/admin/auth/edit.tmpl
+++ b/templates/admin/auth/edit.tmpl
@@ -6,7 +6,6 @@
 		<div class="ui attached segment">
 			<form class="ui form" action="{{.Link}}" method="post">
 				{{template "base/disable_form_autofill"}}
-				{{.CsrfTokenHtml}}
 				<input type="hidden" name="id" value="{{.Source.ID}}">
 				<div class="inline field">
 					<label>{{ctx.Locale.Tr "admin.auths.auth_type"}}</label>
diff --git a/templates/admin/auth/new.tmpl b/templates/admin/auth/new.tmpl
index be4995c7846ce..29eea06f55674 100644
--- a/templates/admin/auth/new.tmpl
+++ b/templates/admin/auth/new.tmpl
@@ -6,7 +6,6 @@
 		<div class="ui attached segment">
 			<form class="ui form" action="{{.Link}}" method="post">
 				{{template "base/disable_form_autofill"}}
-				{{.CsrfTokenHtml}}
 				<!-- Types and name -->
 				<div class="inline required field {{if .Err_Type}}error{{end}}">
 					<label>{{ctx.Locale.Tr "admin.auths.auth_type"}}</label>
diff --git a/templates/admin/config.tmpl b/templates/admin/config.tmpl
index 080b2cd3d6bab..57631fd9c68e7 100644
--- a/templates/admin/config.tmpl
+++ b/templates/admin/config.tmpl
@@ -228,7 +228,6 @@
 					<dt class="tw-py-1 tw-flex tw-items-center">{{ctx.Locale.Tr "admin.config.send_test_mail"}}</dt>
 					<dd class="tw-py-0">
 						<form class="ui form ignore-dirty" action="{{AppSubUrl}}/-/admin/config/test_mail" method="post">
-							{{.CsrfTokenHtml}}
 							<div class="ui tiny input">
 								<input type="email" name="email" placeholder="{{ctx.Locale.Tr "admin.config.test_email_placeholder"}}" size="29" required>
 							</div>
@@ -260,7 +259,6 @@
 				<dt class="tw-py-1 tw-flex tw-items-center">{{ctx.Locale.Tr "admin.config.cache_test"}}</dt>
 				<dd class="tw-py-0">
 					<form class="ui form ignore-dirty" action="{{AppSubUrl}}/-/admin/config/test_cache" method="post">
-						{{.CsrfTokenHtml}}
 						<button class="ui tiny primary button">{{ctx.Locale.Tr "test"}}</button>
 					</form>
 				</dd>
diff --git a/templates/admin/cron.tmpl b/templates/admin/cron.tmpl
index 309cbce814d40..4d01ce51eb6d9 100644
--- a/templates/admin/cron.tmpl
+++ b/templates/admin/cron.tmpl
@@ -32,7 +32,6 @@
 				</tbody>
 			</table>
 			<input type="hidden" name="from" value="monitor">
-			{{.CsrfTokenHtml}}
 		</form>
 	</div>
 </div>
diff --git a/templates/admin/dashboard.tmpl b/templates/admin/dashboard.tmpl
index 2426a43b154d9..834c56672f04a 100644
--- a/templates/admin/dashboard.tmpl
+++ b/templates/admin/dashboard.tmpl
@@ -10,7 +10,6 @@
 		</h4>
 		<div class="ui attached table segment">
 			<form method="post" action="{{AppSubUrl}}/-/admin">
-				{{.CsrfTokenHtml}}
 				<table class="ui very basic table tw-mt-0 tw-px-4">
 					<tbody>
 						<tr>
diff --git a/templates/admin/emails/list.tmpl b/templates/admin/emails/list.tmpl
index b4335aeeec9f2..50e453916df88 100644
--- a/templates/admin/emails/list.tmpl
+++ b/templates/admin/emails/list.tmpl
@@ -83,8 +83,6 @@
 			<form class="content ui form" action="{{AppSubUrl}}/-/admin/emails/activate" method="post">
 				<p class="center">{{ctx.Locale.Tr "admin.emails.change_email_text"}}</p>
 
-				{{$.CsrfTokenHtml}}
-
 				<input type="hidden" name="sort" value="{{.SortType}}">
 				<input type="hidden" name="q" value="{{.Keyword}}">
 				<input type="hidden" name="is_primary" value="{{.IsPrimary}}">
diff --git a/templates/admin/notice.tmpl b/templates/admin/notice.tmpl
index 6231369d39f6d..0499b0adbb85f 100644
--- a/templates/admin/notice.tmpl
+++ b/templates/admin/notice.tmpl
@@ -34,7 +34,6 @@
 							<th></th>
 							<th colspan="5">
 								<form class="tw-float-right" method="post" action="{{AppSubUrl}}/-/admin/notices/empty">
-									{{.CsrfTokenHtml}}
 									<button type="submit" class="ui red small button">{{ctx.Locale.Tr "admin.notices.delete_all"}}</button>
 								</form>
 								<div class="ui floating upward dropdown small button">
diff --git a/templates/admin/packages/list.tmpl b/templates/admin/packages/list.tmpl
index 4817f2681b4d6..4d458f48fbadc 100644
--- a/templates/admin/packages/list.tmpl
+++ b/templates/admin/packages/list.tmpl
@@ -6,7 +6,6 @@
 			{{ctx.Locale.Tr "admin.packages.unreferenced_size" (FileSize .TotalUnreferencedBlobSize)}})
 			<div class="ui right">
 				<form method="post" action="{{AppSubUrl}}/-/admin/packages/cleanup">
-					{{.CsrfTokenHtml}}
 					<button class="ui primary tiny button">{{ctx.Locale.Tr "admin.packages.cleanup"}}</button>
 				</form>
 			</div>
@@ -90,7 +89,6 @@
 	</div>
 
 <form class="ui small modal form-fetch-action" method="post" id="admin-package-delete-modal">
-	{{.CsrfTokenHtml}}
 	<div class="header">{{svg "octicon-trash"}} {{ctx.Locale.Tr "packages.settings.delete"}}</div>
 	<div class="content">
 		{{ctx.Locale.Tr "packages.settings.delete.notice" (HTMLFormat `<span class="%s"></span>` "package-name") (HTMLFormat `<span class="%s"></span>` "package-version")}}
diff --git a/templates/admin/queue_manage.tmpl b/templates/admin/queue_manage.tmpl
index dc0196fc6a3a3..a793fe1350a6e 100644
--- a/templates/admin/queue_manage.tmpl
+++ b/templates/admin/queue_manage.tmpl
@@ -31,7 +31,6 @@
 							{{else}}
 								{{$sum}}
 								<form action="{{$.Link}}/remove-all-items" method="post" class="tw-inline-block tw-ml-4">
-									{{$.CsrfTokenHtml}}
 									<button class="ui tiny basic red button">{{ctx.Locale.Tr "admin.monitor.queue.settings.remove_all_items"}}</button>
 								</form>
 							{{end}}
@@ -47,7 +46,6 @@
 		<div class="ui attached segment">
 			<p>{{ctx.Locale.Tr "admin.monitor.queue.settings.desc"}}</p>
 			<form method="post" action="{{.Link}}/set">
-				{{$.CsrfTokenHtml}}
 				<div class="ui form">
 					<div class="inline field">
 						<label for="max-number">{{ctx.Locale.Tr "admin.monitor.queue.settings.maxnumberworkers"}}</label>
diff --git a/templates/admin/repo/list.tmpl b/templates/admin/repo/list.tmpl
index 767d00fa741d7..f21e5bfef2249 100644
--- a/templates/admin/repo/list.tmpl
+++ b/templates/admin/repo/list.tmpl
@@ -102,7 +102,6 @@
 	</div>
 
 <form class="ui small modal form-fetch-action" id="admin-repo-delete-modal" method="post">
-	{{.CsrfTokenHtml}}
 	<div class="header">{{svg "octicon-trash"}} {{ctx.Locale.Tr "repo.settings.delete"}}</div>
 	<div class="content">
 		<p>{{ctx.Locale.Tr "repo.settings.delete_desc"}}</p>
diff --git a/templates/admin/repo/unadopted.tmpl b/templates/admin/repo/unadopted.tmpl
index 6f26fa529159a..54b76c08bca92 100644
--- a/templates/admin/repo/unadopted.tmpl
+++ b/templates/admin/repo/unadopted.tmpl
@@ -32,7 +32,6 @@
 											<p>{{ctx.Locale.Tr "repo.adopt_preexisting_content" $dir}}</p>
 										</div>
 										<form class="ui form" method="post" action="{{AppSubUrl}}/-/admin/repos/unadopted">
-											{{$.CsrfTokenHtml}}
 											<input type="hidden" name="id" value="{{$dir}}">
 											<input type="hidden" name="action" value="adopt">
 											<input type="hidden" name="q" value="{{$.Keyword}}">
@@ -49,7 +48,6 @@
 											<p>{{ctx.Locale.Tr "repo.delete_preexisting_content" $dir}}</p>
 										</div>
 										<form class="ui form" method="post" action="{{AppSubUrl}}/-/admin/repos/unadopted">
-											{{$.CsrfTokenHtml}}
 											<input type="hidden" name="id" value="{{$dir}}">
 											<input type="hidden" name="action" value="delete">
 											<input type="hidden" name="q" value="{{$.Keyword}}">
diff --git a/templates/admin/user/edit.tmpl b/templates/admin/user/edit.tmpl
index 5a11d5bb72f20..83eac64fa04be 100644
--- a/templates/admin/user/edit.tmpl
+++ b/templates/admin/user/edit.tmpl
@@ -6,7 +6,6 @@
 		<div class="ui attached segment">
 			<form class="ui form" action="./edit" method="post">
 				{{template "base/disable_form_autofill"}}
-				{{.CsrfTokenHtml}}
 				<div class="field {{if .Err_UserName}}error{{end}}">
 					<label for="user_name">{{ctx.Locale.Tr "username"}}</label>
 					<input id="user_name" name="user_name" value="{{.User.Name}}" maxlength="40">
@@ -173,7 +172,6 @@
 		</h4>
 		<div class="ui attached segment">
 			<form class="ui form" action="./avatar" method="post" enctype="multipart/form-data">
-				{{.CsrfTokenHtml}}
 				{{if not .DisableGravatar}}
 				<div class="inline field">
 					<div class="ui radio checkbox">
@@ -214,7 +212,6 @@
 	<form class="ui form" method="post" action="./delete">
 		<div class="content">
 			<p>{{ctx.Locale.Tr "settings.delete_account_desc"}}</p>
-			{{$.CsrfTokenHtml}}
 			<div class="field">
 				<div class="ui checkbox">
 					<label for="purge">{{ctx.Locale.Tr "admin.users.purge"}}</label>
diff --git a/templates/admin/user/new.tmpl b/templates/admin/user/new.tmpl
index b04ebc4b60070..8af7f116a175e 100644
--- a/templates/admin/user/new.tmpl
+++ b/templates/admin/user/new.tmpl
@@ -6,7 +6,6 @@
 		<div class="ui attached segment">
 			<form class="ui form" action="{{.Link}}" method="post">
 				{{template "base/disable_form_autofill"}}
-				{{.CsrfTokenHtml}}
 				<!-- Types and name -->
 				<div class="inline required field {{if .Err_LoginType}}error{{end}}">
 					<label>{{ctx.Locale.Tr "admin.users.auth_source"}}</label>
diff --git a/templates/base/head.tmpl b/templates/base/head.tmpl
index 2a2109beac708..3015d23eb77aa 100644
--- a/templates/base/head.tmpl
+++ b/templates/base/head.tmpl
@@ -23,7 +23,7 @@
 	{{template "base/head_script" .}}
 	{{template "custom/header" .}}
 </head>
-<body hx-headers='{"x-csrf-token": "{{.CsrfToken}}"}' hx-swap="outerHTML" hx-ext="morph" hx-push-url="false">
+<body hx-swap="outerHTML" hx-ext="morph" hx-push-url="false">
 	{{template "custom/body_outer_pre" .}}
 
 	<div class="full height">
diff --git a/templates/base/head_navbar.tmpl b/templates/base/head_navbar.tmpl
index 8cb72d6f98e69..917718d2c35f6 100644
--- a/templates/base/head_navbar.tmpl
+++ b/templates/base/head_navbar.tmpl
@@ -158,7 +158,6 @@
 				</a>
 				<div class="tw-flex tw-gap-1">
 					<form class="stopwatch-commit form-fetch-action" method="post" action="{{$activeStopwatch.IssueLink}}/times/stopwatch/stop">
-						{{.CsrfTokenHtml}}
 						<button
 							type="submit"
 							class="ui button mini compact basic icon tw-mr-0"
@@ -166,7 +165,6 @@
 						>{{svg "octicon-square-fill"}}</button>
 					</form>
 					<form class="stopwatch-cancel form-fetch-action" method="post" action="{{$activeStopwatch.IssueLink}}/times/stopwatch/cancel">
-						{{.CsrfTokenHtml}}
 						<button
 							type="submit"
 							class="ui button mini compact basic icon tw-mr-0"
diff --git a/templates/base/head_script.tmpl b/templates/base/head_script.tmpl
index daef7afd289d7..9d7173f289bec 100644
--- a/templates/base/head_script.tmpl
+++ b/templates/base/head_script.tmpl
@@ -13,7 +13,6 @@ If you introduce mistakes in it, Gitea JavaScript code wouldn't run correctly.
 		assetUrlPrefix: '{{AssetUrlPrefix}}',
 		runModeIsProd: {{.RunModeIsProd}},
 		customEmojis: {{CustomEmojis}},
-		csrfToken: '{{.CsrfToken}}',
 		pageData: {{.PageData}},
 		notificationSettings: {{NotificationSettings}}, {{/*a map provided by NewFuncMap in helper.go*/}}
 		enableTimeTracking: {{EnableTimetracking}},
diff --git a/templates/org/create.tmpl b/templates/org/create.tmpl
index 2d6dca5440ca9..60d659c8cb87c 100644
--- a/templates/org/create.tmpl
+++ b/templates/org/create.tmpl
@@ -7,7 +7,6 @@
 		</h3>
 		<div class="ui attached segment">
 			<form class="ui form left-right-form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<div class="inline required field {{if .Err_OrgName}}error{{end}}">
 					<label for="org_name">{{ctx.Locale.Tr "org.org_name_holder"}}</label>
 					<input id="org_name" name="org_name" value="{{.org_name}}" autofocus required maxlength="40">
diff --git a/templates/org/settings/options.tmpl b/templates/org/settings/options.tmpl
index f2d4ee0b28e47..2c17e13937656 100644
--- a/templates/org/settings/options.tmpl
+++ b/templates/org/settings/options.tmpl
@@ -6,7 +6,6 @@
 	</h4>
 	<div class="ui attached segment">
 		<form class="ui form" action="{{.Link}}" method="post">
-			{{.CsrfTokenHtml}}
 			<div class="field {{if .Err_FullName}}error{{end}}">
 				<label for="full_name">{{ctx.Locale.Tr "org.org_full_name_holder"}}</label>
 				<input id="full_name" name="full_name" value="{{.Org.FullName}}" maxlength="100">
@@ -57,7 +56,6 @@
 		<div class="divider"></div>
 
 		<form class="ui form" action="{{.Link}}/avatar" method="post" enctype="multipart/form-data">
-			{{.CsrfTokenHtml}}
 			<div class="inline field">
 				{{template "shared/avatar_upload_crop" dict "LabelText" (ctx.Locale.Tr "settings.choose_new_avatar")}}
 			</div>
diff --git a/templates/org/settings/options_dangerzone.tmpl b/templates/org/settings/options_dangerzone.tmpl
index d01252e3e1bbc..036ddea230b7d 100644
--- a/templates/org/settings/options_dangerzone.tmpl
+++ b/templates/org/settings/options_dangerzone.tmpl
@@ -47,7 +47,6 @@
 			</ul>
 		</div>
 		<form class="ui form form-fetch-action" action="{{.Link}}/visibility" method="post">
-			{{.CsrfTokenHtml}}
 			<input type="hidden" name="current_visibility" value="{{.CurrentVisibility}}">
 			<div class="tw-flex tw-flex-col tw-gap-3">
 				<label>{{ctx.Locale.Tr "org.settings.visibility"}}</label>
@@ -85,7 +84,6 @@
 			</ul>
 		</div>
 		<form class="ui form form-fetch-action" action="{{.Link}}/rename" method="post">
-			{{.CsrfTokenHtml}}
 			<div class="field">
 				<label>
 					{{ctx.Locale.Tr "org.settings.name_confirm"}}
@@ -124,7 +122,6 @@
 			</ul>
 		</div>
 		<form class="ui form form-fetch-action" action="{{.Link}}/delete" method="post">
-			{{.CsrfTokenHtml}}
 			<div class="field">
 				<label>
 					{{ctx.Locale.Tr "org.settings.name_confirm"}}
diff --git a/templates/org/team/invite.tmpl b/templates/org/team/invite.tmpl
index 1167828d14717..14a97ae659d0d 100644
--- a/templates/org/team/invite.tmpl
+++ b/templates/org/team/invite.tmpl
@@ -13,7 +13,6 @@
 			</div>
 			<div class="extra content">
 				<form class="ui form" action="" method="post">
-					{{.CsrfTokenHtml}}
 					<button class="fluid ui primary button">{{ctx.Locale.Tr "org.teams.join"}}</button>
 				</form>
 			</div>
diff --git a/templates/org/team/members.tmpl b/templates/org/team/members.tmpl
index 4bc063f90c529..f7290b2f1354b 100644
--- a/templates/org/team/members.tmpl
+++ b/templates/org/team/members.tmpl
@@ -10,7 +10,6 @@
 				{{if .IsOrganizationOwner}}
 					<div class="ui top attached segment">
 						<form class="ui form ignore-dirty tw-flex tw-flex-wrap tw-gap-2" action="{{$.OrgLink}}/teams/{{$.Team.LowerName | PathEscape}}/action/add" method="post">
-							{{.CsrfTokenHtml}}
 							<input type="hidden" name="uid" value="{{.SignedUser.ID}}">
 							<div id="search-user-box" class="ui search tw-mr-2"{{if .IsEmailInviteEnabled}} data-allow-email="true" data-allow-email-description="{{ctx.Locale.Tr "org.teams.invite_team_member" $.Team.Name}}"{{end}}>
 								<div class="ui input">
@@ -62,7 +61,6 @@
 								</div>
 								<div class="flex-item-trailing">
 									<form action="{{$.OrgLink}}/teams/{{$.Team.LowerName | PathEscape}}/action/remove_invite" method="post">
-										{{$.CsrfTokenHtml}}
 										<input type="hidden" name="iid" value="{{.ID}}">
 										<button class="ui red button">{{ctx.Locale.Tr "org.members.remove"}}</button>
 									</form>
diff --git a/templates/org/team/new.tmpl b/templates/org/team/new.tmpl
index 67529ddfba963..abf728fc54416 100644
--- a/templates/org/team/new.tmpl
+++ b/templates/org/team/new.tmpl
@@ -5,7 +5,6 @@
 		<div class="ui grid">
 			<div class="column">
 				<form class="ui form" action="{{if .PageIsOrgTeamsNew}}{{.OrgLink}}/teams/new{{else}}{{.OrgLink}}/teams/{{.Team.LowerName | PathEscape}}/edit{{end}}" data-delete-url="{{.OrgLink}}/teams/{{.Team.LowerName | PathEscape}}/delete" method="post">
-					{{.CsrfTokenHtml}}
 					<h3 class="ui top attached header">
 						{{if .PageIsOrgTeamsNew}}{{ctx.Locale.Tr "org.create_new_team"}}{{else}}{{ctx.Locale.Tr "org.teams.settings"}}{{end}}
 					</h3>
diff --git a/templates/org/team/repositories.tmpl b/templates/org/team/repositories.tmpl
index 2f38071e89f4e..b7a816b85241b 100644
--- a/templates/org/team/repositories.tmpl
+++ b/templates/org/team/repositories.tmpl
@@ -11,7 +11,6 @@
 				{{if $canAddRemove}}
 					<div class="ui top attached segment tw-flex tw-flex-wrap tw-gap-2">
 						<form class="ui form ignore-dirty tw-flex-1 tw-flex" action="{{$.OrgLink}}/teams/{{$.Team.LowerName | PathEscape}}/action/repo/add" method="post">
-							{{.CsrfTokenHtml}}
 							<div data-global-init="initSearchRepoBox" data-uid="{{.Org.ID}}" class="ui search">
 								<div class="ui input">
 									<input class="prompt" name="repo_name" placeholder="{{ctx.Locale.Tr "search.repo_kind"}}" autocomplete="off" required>
@@ -40,7 +39,6 @@
 								<div class="flex-item-trailing">
 									{{if $canAddRemove}}
 										<form method="post" action="{{$.OrgLink}}/teams/{{$.Team.LowerName | PathEscape}}/action/repo/remove">
-											{{$.CsrfTokenHtml}}
 											<button type="submit" class="ui red small button" name="repoid" value="{{.ID}}">{{ctx.Locale.Tr "remove"}}</button>
 										</form>
 									{{end}}
diff --git a/templates/org/team/sidebar.tmpl b/templates/org/team/sidebar.tmpl
index 6dd5cb3eebb8c..00800a3d1f519 100644
--- a/templates/org/team/sidebar.tmpl
+++ b/templates/org/team/sidebar.tmpl
@@ -10,7 +10,6 @@
 				</form>
 			{{else if .IsOrganizationOwner}}
 				<form method="post" action="{{.OrgLink}}/teams/{{.Team.LowerName | PathEscape}}/action/join">
-					{{$.CsrfTokenHtml}}
 					<input type="hidden" name="page" value="team">
 					<button type="submit" class="ui primary tiny button" name="uid" value="{{$.SignedUser.ID}}">{{ctx.Locale.Tr "org.teams.join"}}</button>
 				</form>
diff --git a/templates/org/team/teams.tmpl b/templates/org/team/teams.tmpl
index cdd2789128dfa..50f4f7e97d567 100644
--- a/templates/org/team/teams.tmpl
+++ b/templates/org/team/teams.tmpl
@@ -25,7 +25,6 @@
 								</form>
 							{{else if $.IsOrganizationOwner}}
 								<form method="post" action="{{$.OrgLink}}/teams/{{.LowerName | PathEscape}}/action/join">
-									{{$.CsrfTokenHtml}}
 									<button type="submit" class="ui primary tiny button" name="uid" value="{{$.SignedUser.ID}}">{{ctx.Locale.Tr "org.teams.join"}}</button>
 								</form>
 							{{end}}
diff --git a/templates/package/settings.tmpl b/templates/package/settings.tmpl
index 9fc7b859d4e3c..0124f268207e2 100644
--- a/templates/package/settings.tmpl
+++ b/templates/package/settings.tmpl
@@ -17,7 +17,6 @@
 		<div class="ui attached segment">
 			<p>{{ctx.Locale.Tr "packages.settings.link.description"}}</p>
 			<form class="ui form form-fetch-action ignore-dirty flex-text-block" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<input type="hidden" name="action" value="link">
 				<div data-global-init="initSearchRepoBox" class="ui search" data-uid="{{.PackageDescriptor.Owner.ID}}">
 					<div class="ui input">
@@ -49,7 +48,6 @@
 								{{ctx.Locale.Tr "packages.settings.delete.notice" .PackageDescriptor.Package.Name .PackageDescriptor.Version.Version}}
 							</div>
 							<form class="ui form" action="{{.Link}}" method="post">
-								{{.CsrfTokenHtml}}
 								<input type="hidden" name="action" value="delete">
 								{{template "base/modal_actions_confirm" .}}
 							</form>
diff --git a/templates/package/shared/cargo.tmpl b/templates/package/shared/cargo.tmpl
index 7652231465599..a7dd1d8c18a54 100644
--- a/templates/package/shared/cargo.tmpl
+++ b/templates/package/shared/cargo.tmpl
@@ -7,14 +7,12 @@
 			<label>{{ctx.Locale.Tr "packages.owner.settings.cargo.initialize.description"}}</label>
 		</div>
 		<form class="field" action="{{.Link}}/cargo/initialize" method="post">
-			{{.CsrfTokenHtml}}
 			<button class="ui primary button">{{ctx.Locale.Tr "packages.owner.settings.cargo.initialize"}}</button>
 		</form>
 		<div class="field">
 			<label>{{ctx.Locale.Tr "packages.owner.settings.cargo.rebuild.description"}}</label>
 		</div>
 		<form class="field" action="{{.Link}}/cargo/rebuild" method="post">
-			{{.CsrfTokenHtml}}
 			<button class="ui primary button">{{ctx.Locale.Tr "packages.owner.settings.cargo.rebuild"}}</button>
 		</form>
 		<div class="field">
diff --git a/templates/package/shared/cleanup_rules/edit.tmpl b/templates/package/shared/cleanup_rules/edit.tmpl
index 138a90791c387..e855d5e91a892 100644
--- a/templates/package/shared/cleanup_rules/edit.tmpl
+++ b/templates/package/shared/cleanup_rules/edit.tmpl
@@ -1,7 +1,6 @@
 <h4 class="ui top attached header">{{if .IsEditRule}}{{ctx.Locale.Tr "packages.owner.settings.cleanuprules.edit"}}{{else}}{{ctx.Locale.Tr "packages.owner.settings.cleanuprules.add"}}{{end}}</h4>
 <div class="ui attached segment">
 	<form class="ui form" action="{{.Link}}" method="post">
-		{{.CsrfTokenHtml}}
 		<input name="id" type="hidden" value="{{.CleanupRule.ID}}">
 		<div class="field">
 			<div class="ui checkbox">
diff --git a/templates/projects/new.tmpl b/templates/projects/new.tmpl
index e1d9219170de2..b043e6250936a 100644
--- a/templates/projects/new.tmpl
+++ b/templates/projects/new.tmpl
@@ -9,7 +9,6 @@
 </h2>
 {{template "base/alert" .}}
 <form class="ui form" action="{{.Link}}" method="post">
-	{{.CsrfTokenHtml}}
 	<div>
 		<input type="hidden" id="redirect" name="redirect" value="{{.redirect}}">
 		<div class="field {{if .Err_Title}}error{{end}}">
diff --git a/templates/repo/actions/workflow_dispatch.tmpl b/templates/repo/actions/workflow_dispatch.tmpl
index 540bbe916215c..5a69cb0ba0862 100644
--- a/templates/repo/actions/workflow_dispatch.tmpl
+++ b/templates/repo/actions/workflow_dispatch.tmpl
@@ -5,7 +5,6 @@
 <div id="runWorkflowDispatchModal" class="ui tiny modal">
 	<div class="content">
 		<form id="runWorkflowDispatchForm" class="ui form" action="{{$.Link}}/run?workflow={{$.CurWorkflow}}&actor={{$.CurActor}}&status={{.Status}}" method="post">
-			{{.CsrfTokenHtml}}
 			<div class="ui inline field required tw-flex tw-items-center">
 				<span class="ui inline required field">
 					<label>{{ctx.Locale.Tr "actions.workflow.from_ref"}}:</label>
diff --git a/templates/repo/branch/list.tmpl b/templates/repo/branch/list.tmpl
index 28a6bf6b0fbe0..aa9e856fcfd20 100644
--- a/templates/repo/branch/list.tmpl
+++ b/templates/repo/branch/list.tmpl
@@ -230,7 +230,6 @@
 
 	<form class="ui form" id="create-branch-form" action="" data-base-action="{{.Link}}/_new/branch/" method="post">
 		<div class="content">
-			{{.CsrfTokenHtml}}
 			<div class="field">
 				{{ctx.Locale.Tr "repo.branch.create_new_branch"}}
 				<span id="modal-create-branch-from-span"></span>
@@ -250,7 +249,6 @@
 	</div>
 	<form class="ui form" action="{{$.Repository.Link}}/branches/rename" method="post">
 		<div class="content">
-			{{.CsrfTokenHtml}}
 			<div class="field default-branch-warning">
 				<span class="text red">{{ctx.Locale.Tr "repo.branch.warning_rename_default_branch"}}</span>
 			</div>
diff --git a/templates/repo/commit_page.tmpl b/templates/repo/commit_page.tmpl
index 68ccf9d275f4a..20f3f59e905ed 100644
--- a/templates/repo/commit_page.tmpl
+++ b/templates/repo/commit_page.tmpl
@@ -72,7 +72,6 @@
 										</div>
 										<div class="content">
 											<form class="ui form" id="create-branch-form" action="" data-base-action="{{.RepoLink}}/branches/_new/commit/" method="post">
-												{{.CsrfTokenHtml}}
 												<div class="field">
 													<label>
 														{{ctx.Locale.Tr "repo.branch.new_branch_from" (HTMLFormat `<span class="%s" id="%s"></span>` "text" "modal-create-branch-from-span")}}
@@ -96,7 +95,6 @@
 										</div>
 										<div class="content">
 											<form class="ui form" id="create-tag-form" action="" data-base-action="{{.RepoLink}}/branches/_new/commit/" method="post">
-												{{.CsrfTokenHtml}}
 												<input type="hidden" name="create_tag" value="true">
 												<div class="field">
 													<label>
diff --git a/templates/repo/create.tmpl b/templates/repo/create.tmpl
index ada7e0c0920d6..850909289433e 100644
--- a/templates/repo/create.tmpl
+++ b/templates/repo/create.tmpl
@@ -8,7 +8,6 @@
 			{{template "base/alert" .}}
 			{{template "repo/create_helper" .}}
 			<form class="ui form left-right-form new-repo-form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<div id="create-repo-error-message" class="ui negative message tw-text-center tw-hidden"></div>
 				<div class="inline required field {{if .Err_Owner}}error{{end}}">
 					<label>{{ctx.Locale.Tr "repo.owner"}}</label>
diff --git a/templates/repo/diff/comment_form.tmpl b/templates/repo/diff/comment_form.tmpl
index 58b675467c035..23de737292c74 100644
--- a/templates/repo/diff/comment_form.tmpl
+++ b/templates/repo/diff/comment_form.tmpl
@@ -1,6 +1,5 @@
 {{if and $.root.SignedUserID (not $.Repository.IsArchived)}}
 	<form class="ui form {{if $.hidden}}tw-hidden comment-form{{end}}" action="{{$.root.Issue.Link}}/files/reviews/comments" method="post">
-	{{$.root.CsrfTokenHtml}}
 		<input type="hidden" name="origin" value="{{if $.root.PageIsPullFiles}}diff{{else}}timeline{{end}}">
 		<input type="hidden" name="latest_commit_id" value="{{$.root.AfterCommitID}}">
 		<input type="hidden" name="side" value="{{if $.Side}}{{$.Side}}{{end}}">
diff --git a/templates/repo/diff/new_review.tmpl b/templates/repo/diff/new_review.tmpl
index 3bb01a139aae9..1ef32c1d8ae77 100644
--- a/templates/repo/diff/new_review.tmpl
+++ b/templates/repo/diff/new_review.tmpl
@@ -12,7 +12,6 @@
 <div class="review-box-panel tippy-target">
 	<div class="ui segment">
 		<form class="ui form form-fetch-action" action="{{.Link}}/reviews/submit" method="post">
-			{{.CsrfTokenHtml}}
 			<input type="hidden" name="commit_id" value="{{.AfterCommitID}}">
 			<div class="field tw-flex tw-items-center">
 				<div class="tw-flex-1">{{ctx.Locale.Tr "repo.diff.review.header"}}</div>
diff --git a/templates/repo/editor/cherry_pick.tmpl b/templates/repo/editor/cherry_pick.tmpl
index 7981fd076186a..94e538d2c06a2 100644
--- a/templates/repo/editor/cherry_pick.tmpl
+++ b/templates/repo/editor/cherry_pick.tmpl
@@ -4,7 +4,6 @@
 	<div class="ui container">
 		{{template "base/alert" .}}
 		<form class="ui edit form form-fetch-action" method="post" action="{{.CommitFormOptions.TargetFormAction}}">
-			{{.CsrfTokenHtml}}
 			{{template "repo/editor/common_top" .}}
 			<input type="hidden" name="revert" value="{{if eq .CherryPickType "revert"}}true{{else}}false{{end}}">
 			<div class="repo-editor-header">
diff --git a/templates/repo/editor/delete.tmpl b/templates/repo/editor/delete.tmpl
index 70769326a7c28..8f1f922626085 100644
--- a/templates/repo/editor/delete.tmpl
+++ b/templates/repo/editor/delete.tmpl
@@ -7,7 +7,6 @@
 			{{template "repo/view_file_tree" .}}
 			<div class="repo-view-content">
 				<form class="ui form form-fetch-action" method="post" action="{{.CommitFormOptions.TargetFormAction}}">
-					{{.CsrfTokenHtml}}
 					{{template "repo/editor/common_top" .}}
 					<div class="repo-editor-header">
 						{{/* although the UI isn't good enough, this header is necessary for the "left file tree view" toggle button, this button must exist */}}
diff --git a/templates/repo/editor/edit.tmpl b/templates/repo/editor/edit.tmpl
index e6b9c557700ab..008376ce165c6 100644
--- a/templates/repo/editor/edit.tmpl
+++ b/templates/repo/editor/edit.tmpl
@@ -10,7 +10,6 @@
 					data-text-empty-confirm-header="{{ctx.Locale.Tr "repo.editor.commit_empty_file_header"}}"
 					data-text-empty-confirm-content="{{ctx.Locale.Tr "repo.editor.commit_empty_file_text"}}"
 				>
-					{{.CsrfTokenHtml}}
 					{{template "repo/editor/common_top" .}}
 					<div class="repo-editor-header">
 						{{template "repo/view_file_tree_toggle_button" .}}
diff --git a/templates/repo/editor/fork.tmpl b/templates/repo/editor/fork.tmpl
index e28b2ba7a26c7..04bb8083b40e7 100644
--- a/templates/repo/editor/fork.tmpl
+++ b/templates/repo/editor/fork.tmpl
@@ -4,7 +4,6 @@
 	<div class="ui container">
 		{{template "base/alert" .}}
 		<form class="ui form form-fetch-action" method="post" action="{{.RepoLink}}/_fork/{{.BranchName | PathEscapeSegments}}">
-			{{.CsrfTokenHtml}}
 			<div class="tw-text-center">
 				<div class="tw-my-[40px]">
 					<h3>{{ctx.Locale.Tr "repo.editor.fork_create"}}</h3>
diff --git a/templates/repo/editor/patch.tmpl b/templates/repo/editor/patch.tmpl
index fa00edd92e77c..9b82bb855f631 100644
--- a/templates/repo/editor/patch.tmpl
+++ b/templates/repo/editor/patch.tmpl
@@ -7,7 +7,6 @@
 					data-text-empty-confirm-header="{{ctx.Locale.Tr "repo.editor.commit_empty_file_header"}}"
 					data-text-empty-confirm-content="{{ctx.Locale.Tr "repo.editor.commit_empty_file_text"}}"
 		>
-			{{.CsrfTokenHtml}}
 			{{template "repo/editor/common_top" .}}
 			<div class="repo-editor-header">
 				<div class="breadcrumb">
diff --git a/templates/repo/editor/upload.tmpl b/templates/repo/editor/upload.tmpl
index 847d6df88d757..0c81802a48bc3 100644
--- a/templates/repo/editor/upload.tmpl
+++ b/templates/repo/editor/upload.tmpl
@@ -7,7 +7,6 @@
 			{{template "repo/view_file_tree" .}}
 			<div class="repo-view-content">
 				<form class="ui comment form form-fetch-action" method="post" action="{{.CommitFormOptions.TargetFormAction}}">
-					{{.CsrfTokenHtml}}
 					{{template "repo/editor/common_top" .}}
 					<div class="repo-editor-header">
 						{{template "repo/view_file_tree_toggle_button" .}}
diff --git a/templates/repo/header.tmpl b/templates/repo/header.tmpl
index b61076ff4637e..a65d9b14f4b18 100644
--- a/templates/repo/header.tmpl
+++ b/templates/repo/header.tmpl
@@ -41,7 +41,6 @@
 				<div class="flex-text-block tw-flex-wrap">
 					{{if $.RepoTransfer}}
 						<form method="post" action="{{$.RepoLink}}/action/accept_transfer?redirect_to={{$.RepoLink}}">
-							{{$.CsrfTokenHtml}}
 							<div class="flex-text-inline" data-tooltip-content="{{if $.CanUserAcceptOrRejectTransfer}}{{ctx.Locale.Tr "repo.transfer.accept_desc" $.RepoTransfer.Recipient.DisplayName}}{{else}}{{ctx.Locale.Tr "repo.transfer.no_permission_to_accept"}}{{end}}">
 								<button type="submit" class="ui compact small basic button {{if $.CanUserAcceptOrRejectTransfer}}primary {{end}} ok small"{{if not $.CanUserAcceptOrRejectTransfer}} disabled{{end}}>
 									{{ctx.Locale.Tr "repo.transfer.accept"}}
@@ -49,7 +48,6 @@
 							</div>
 						</form>
 						<form method="post" action="{{$.RepoLink}}/action/reject_transfer?redirect_to={{$.RepoLink}}">
-							{{$.CsrfTokenHtml}}
 							<div class="flex-text-inline" data-tooltip-content="{{if $.CanUserAcceptOrRejectTransfer}}{{ctx.Locale.Tr "repo.transfer.reject_desc" $.RepoTransfer.Recipient.DisplayName}}{{else}}{{ctx.Locale.Tr "repo.transfer.no_permission_to_reject"}}{{end}}">
 								<button type="submit" class="ui compact small basic button {{if $.CanUserAcceptOrRejectTransfer}}red {{end}}ok small"{{if not $.CanUserAcceptOrRejectTransfer}} disabled{{end}}>
 									{{ctx.Locale.Tr "repo.transfer.reject"}}
diff --git a/templates/repo/issue/labels/label_edit_modal.tmpl b/templates/repo/issue/labels/label_edit_modal.tmpl
index ec57de2f3f3a0..373d752f03977 100644
--- a/templates/repo/issue/labels/label_edit_modal.tmpl
+++ b/templates/repo/issue/labels/label_edit_modal.tmpl
@@ -6,7 +6,6 @@
 	<div class="header"></div>
 	<div class="content">
 		<form class="ui form ignore-dirty form-fetch-action" method="post">
-			{{.CsrfTokenHtml}}
 			<input name="id" type="hidden">
 			<div class="required field">
 				<label for="name">{{ctx.Locale.Tr "repo.issues.label_title"}}</label>
diff --git a/templates/repo/issue/labels/label_load_template.tmpl b/templates/repo/issue/labels/label_load_template.tmpl
index 3cb2442a1d05e..87ac705a06e9d 100644
--- a/templates/repo/issue/labels/label_load_template.tmpl
+++ b/templates/repo/issue/labels/label_load_template.tmpl
@@ -2,7 +2,6 @@
 	<div class="twelve wide computer column">
 		<p>{{ctx.Locale.Tr "repo.issues.label_templates.info"}}</p>
 		<form class="ui form center" action="{{.Link}}/initialize" method="post">
-			{{.CsrfTokenHtml}}
 			<div class="field">
 				<div class="ui selection dropdown">
 					<input type="hidden" name="template_name" value="Default">
diff --git a/templates/repo/issue/milestone_new.tmpl b/templates/repo/issue/milestone_new.tmpl
index 9bcced6f5427f..afb757eb5a219 100644
--- a/templates/repo/issue/milestone_new.tmpl
+++ b/templates/repo/issue/milestone_new.tmpl
@@ -22,7 +22,6 @@
 		</h2>
 		{{template "base/alert" .}}
 		<form class="ui form" action="{{.Link}}" method="post">
-			{{.CsrfTokenHtml}}
 				<div class="field {{if .Err_Title}}error{{end}}">
 					<label>{{ctx.Locale.Tr "repo.milestones.title"}}</label>
 					<input name="title" placeholder="{{ctx.Locale.Tr "repo.milestones.title"}}" value="{{.title}}" autofocus required maxlength="50">
diff --git a/templates/repo/issue/new_form.tmpl b/templates/repo/issue/new_form.tmpl
index b63cbcfc0d147..e4c8008c19ff1 100644
--- a/templates/repo/issue/new_form.tmpl
+++ b/templates/repo/issue/new_form.tmpl
@@ -1,6 +1,5 @@
 {{template "base/alert" .}}
 <form class="issue-content ui comment form form-fetch-action" id="new-issue" action="{{.Link}}" method="post">
-	{{.CsrfTokenHtml}}
 	<div class="issue-content-left">
 		<div class="ui comments">
 			<div class="comment">
diff --git a/templates/repo/issue/sidebar/due_date.tmpl b/templates/repo/issue/sidebar/due_date.tmpl
index e6e19f6f86f5a..4209304115943 100644
--- a/templates/repo/issue/sidebar/due_date.tmpl
+++ b/templates/repo/issue/sidebar/due_date.tmpl
@@ -21,7 +21,6 @@
 		<form class="ui fluid action input issue-due-form form-fetch-action tw-mt-2 {{if .Issue.DeadlineUnix}}tw-hidden{{end}}"
 					method="post" action="{{AppSubUrl}}/{{PathEscape .Repository.Owner.Name}}/{{PathEscape .Repository.Name}}/issues/{{.Issue.Index}}/deadline"
 		>
-			{{$.CsrfTokenHtml}}
 			<input required type="date" name="deadline" placeholder="{{ctx.Locale.Tr "repo.issues.due_date_form"}}" {{if .Issue.DeadlineUnix}}value="{{.Issue.DeadlineUnix.FormatDate}}"{{end}}>
 			<button class="ui icon button">{{Iif .Issue.DeadlineUnix (svg "octicon-pencil") (svg "octicon-plus")}}</button>
 		</form>
diff --git a/templates/repo/issue/sidebar/issue_dependencies.tmpl b/templates/repo/issue/sidebar/issue_dependencies.tmpl
index bbae0119584b3..14d7bb8c6571d 100644
--- a/templates/repo/issue/sidebar/issue_dependencies.tmpl
+++ b/templates/repo/issue/sidebar/issue_dependencies.tmpl
@@ -110,7 +110,6 @@
 		{{if and .CanCreateIssueDependencies (not .Repository.IsArchived)}}
 			<div>
 				<form method="post" action="{{.Issue.Link}}/dependency/add" id="addDependencyForm">
-					{{$.CsrfTokenHtml}}
 					<div class="ui fluid action input">
 						<div class="ui search selection dropdown" id="new-dependency-drop-list" data-issue-id="{{.Issue.ID}}" data-issue-cross-repo-search="{{.AllowCrossRepositoryDependencies}}">
 							<input name="newDependency" type="hidden">
@@ -131,7 +130,6 @@
 		<form id="issue-remove-dependency-confirm" class="ui g-modal-confirm modal" method="post" action="{{.Issue.Link}}/dependency/delete">
 			<div class="header">{{svg "octicon-trash"}} {{ctx.Locale.Tr "repo.issues.dependency.remove_header"}}</div>
 			<div class="content">
-				{{$.CsrfTokenHtml}}
 				<input type="hidden" value="" name="removeDependencyID" class="remove-dependency-id">
 				<input type="hidden" value="" name="dependencyType" class="dependency-type">
 				<p>
diff --git a/templates/repo/issue/sidebar/issue_management.tmpl b/templates/repo/issue/sidebar/issue_management.tmpl
index 8876a5054ea27..efae665e11aae 100644
--- a/templates/repo/issue/sidebar/issue_management.tmpl
+++ b/templates/repo/issue/sidebar/issue_management.tmpl
@@ -4,7 +4,6 @@
 	{{/* Pin issue */}}
 	{{if or .PinEnabled .Issue.IsPinned}}
 		<form class="tw-mt-1 form-fetch-action single-button-form" method="post" {{if $.NewPinAllowed}}action="{{.Issue.Link}}/pin"{{else}}data-tooltip-content="{{ctx.Locale.Tr "repo.issues.max_pinned"}}"{{end}}>
-			{{$.CsrfTokenHtml}}
 			<button class="fluid ui button {{if not $.NewPinAllowed}}disabled{{end}}">
 				{{if not .Issue.IsPinned}}
 					{{svg "octicon-pin"}}
@@ -46,7 +45,6 @@
 			</div>
 
 			<form class="ui form form-fetch-action" method="post" action="{{.Issue.Link}}{{if .Issue.IsLocked}}/unlock{{else}}/lock{{end}}">
-				{{.CsrfTokenHtml}}
 
 				{{if not .Issue.IsLocked}}
 					<div class="field">
@@ -103,7 +101,6 @@
 			</p>
 		</div>
 		<form action="{{.Issue.Link}}/delete" method="post">
-			{{.CsrfTokenHtml}}
 			{{template "base/modal_actions_confirm" .}}
 		</form>
 	</div>
diff --git a/templates/repo/issue/sidebar/reviewer_list.tmpl b/templates/repo/issue/sidebar/reviewer_list.tmpl
index 2b5ca80fe7a7d..e1fd88b79a2da 100644
--- a/templates/repo/issue/sidebar/reviewer_list.tmpl
+++ b/templates/repo/issue/sidebar/reviewer_list.tmpl
@@ -115,7 +115,6 @@
 				{{ctx.Locale.Tr "repo.issues.dismiss_review_warning"}}
 			</div>
 			<form class="ui form" action="{{$pageMeta.RepoLink}}/issues/dismiss_review" method="post">
-				{{ctx.RootData.CsrfTokenHtml}}
 				<input type="hidden" class="reviewer-id" name="review_id">
 				<div class="field">
 					<label for="issue-sidebar-dismiss-review-message">{{ctx.Locale.Tr "action.review_dismissed_reason"}}</label>
diff --git a/templates/repo/issue/sidebar/stopwatch_timetracker.tmpl b/templates/repo/issue/sidebar/stopwatch_timetracker.tmpl
index 6168b06e170c5..b23024e62bc42 100644
--- a/templates/repo/issue/sidebar/stopwatch_timetracker.tmpl
+++ b/templates/repo/issue/sidebar/stopwatch_timetracker.tmpl
@@ -39,7 +39,6 @@
 				<div class="header">{{ctx.Locale.Tr "repo.issues.time_estimate_set"}}</div>
 				<form method="post" class="ui form form-fetch-action" action="{{.Issue.Link}}/time_estimate">
 					<div class="content">
-						{{$.CsrfTokenHtml}}
 						<input name="time_estimate" placeholder="1h 2m" value="{{TimeEstimateString .Issue.TimeEstimate}}">
 						<div class="actions">
 							<button class="ui cancel button">{{ctx.Locale.Tr "cancel"}}</button>
@@ -54,7 +53,6 @@
 				<div class="header">{{ctx.Locale.Tr "repo.issues.add_time_manually"}}</div>
 				<form method="post" class="ui form form-fetch-action" action="{{.Issue.Link}}/times/add">
 					<div class="content flex-text-block">
-						{{$.CsrfTokenHtml}}
 						<input placeholder='{{ctx.Locale.Tr "repo.issues.add_time_hours"}}' type="number" name="hours">:
 						<input placeholder='{{ctx.Locale.Tr "repo.issues.add_time_minutes"}}' type="number" name="minutes">
 					</div>
diff --git a/templates/repo/issue/view_content.tmpl b/templates/repo/issue/view_content.tmpl
index 56dea5cd4b16b..b7fec4a07d0e0 100644
--- a/templates/repo/issue/view_content.tmpl
+++ b/templates/repo/issue/view_content.tmpl
@@ -81,7 +81,6 @@
 						<div class="ui segment avatar-content-left-arrow">
 							<form class="ui form form-fetch-action" id="comment-form" action="{{$.RepoLink}}/issues/{{.Issue.Index}}/comments" method="post">
 								{{template "repo/issue/comment_tab" .}}
-								{{.CsrfTokenHtml}}
 								<div class="field footer">
 									<div class="flex-text-block tw-justify-end">
 										{{if and (or .HasIssuesOrPullsWritePermission .IsIssuePoster) (not .DisableStatusChange)}}
diff --git a/templates/repo/issue/view_content/pull_merge_box.tmpl b/templates/repo/issue/view_content/pull_merge_box.tmpl
index 159910e36eeba..5e89ef5e69f26 100644
--- a/templates/repo/issue/view_content/pull_merge_box.tmpl
+++ b/templates/repo/issue/view_content/pull_merge_box.tmpl
@@ -384,7 +384,6 @@
 			{{if and $.StillCanManualMerge (not $showGeneralMergeForm)}}
 				<div class="divider"></div>
 				<form class="ui form form-fetch-action" action="{{.Issue.Link}}/merge" method="post">{{/* another similar form is in PullRequestMergeForm.vue*/}}
-					{{.CsrfTokenHtml}}
 					<div class="field">
 						<input type="text" name="merge_commit_id" placeholder="{{ctx.Locale.Tr "repo.pulls.merge_commit_id"}}">
 					</div>
diff --git a/templates/repo/issue/view_content/reference_issue_dialog.tmpl b/templates/repo/issue/view_content/reference_issue_dialog.tmpl
index 0b28bdc811080..723dcdb94b2ce 100644
--- a/templates/repo/issue/view_content/reference_issue_dialog.tmpl
+++ b/templates/repo/issue/view_content/reference_issue_dialog.tmpl
@@ -4,7 +4,6 @@
 	</div>
 	<div class="content">
 		<form class="ui form form-fetch-action" action="{{.Repository.Link}}/issues/new" method="post">
-			{{.CsrfTokenHtml}}
 			<div class="field">
 				<label><strong>{{ctx.Locale.Tr "repository"}}</strong></label>
 				<div class="ui search selection dropdown issue_reference_repository_search ellipsis-text-items">
diff --git a/templates/repo/issue/view_content/update_branch_by_merge.tmpl b/templates/repo/issue/view_content/update_branch_by_merge.tmpl
index 5d959bf0b3c1f..5b306e3cbea1e 100644
--- a/templates/repo/issue/view_content/update_branch_by_merge.tmpl
+++ b/templates/repo/issue/view_content/update_branch_by_merge.tmpl
@@ -26,7 +26,6 @@
 			{{end}}
 			{{if and $.UpdateAllowed (not $.UpdateByRebaseAllowed)}}
 				<form action="{{$.Issue.Link}}/update" method="post" class="ui update-branch-form">
-					{{$.CsrfTokenHtml}}
 					<button class="ui compact button">
 						<span class="ui text">{{ctx.Locale.Tr "repo.pulls.update_branch"}}</span>
 					</button>
diff --git a/templates/repo/migrate/codebase.tmpl b/templates/repo/migrate/codebase.tmpl
index f4de8ff2368af..33fd9a2e8c18e 100644
--- a/templates/repo/migrate/codebase.tmpl
+++ b/templates/repo/migrate/codebase.tmpl
@@ -8,7 +8,6 @@
 			{{template "base/alert" .}}
 			<form class="ui form left-right-form" action="{{.Link}}" method="post">
 				{{template "base/disable_form_autofill"}}
-				{{.CsrfTokenHtml}}
 
 				<input id="service_type" type="hidden" name="service" value="{{.service}}">
 
diff --git a/templates/repo/migrate/codecommit.tmpl b/templates/repo/migrate/codecommit.tmpl
index 275a2aef09e8e..587259ea33ba4 100644
--- a/templates/repo/migrate/codecommit.tmpl
+++ b/templates/repo/migrate/codecommit.tmpl
@@ -8,7 +8,6 @@
 			{{template "base/alert" .}}
 			<form class="ui form left-right-form" action="{{.Link}}" method="post">
 				{{template "base/disable_form_autofill"}}
-				{{.CsrfTokenHtml}}
 
 				<input id="service_type" type="hidden" name="service" value="{{.service}}">
 
diff --git a/templates/repo/migrate/git.tmpl b/templates/repo/migrate/git.tmpl
index 41139d4fd67b5..dc9384d889b99 100644
--- a/templates/repo/migrate/git.tmpl
+++ b/templates/repo/migrate/git.tmpl
@@ -8,7 +8,6 @@
 			{{template "base/alert" .}}
 			<form class="ui form left-right-form" action="{{.Link}}" method="post">
 				{{template "base/disable_form_autofill"}}
-				{{.CsrfTokenHtml}}
 
 				<input id="service_type" type="hidden" name="service" value="{{.service}}">
 
diff --git a/templates/repo/migrate/gitbucket.tmpl b/templates/repo/migrate/gitbucket.tmpl
index c89aa6c744e7a..8a77274a39021 100644
--- a/templates/repo/migrate/gitbucket.tmpl
+++ b/templates/repo/migrate/gitbucket.tmpl
@@ -8,7 +8,6 @@
 			{{template "base/alert" .}}
 			<form class="ui form left-right-form" action="{{.Link}}" method="post">
 				{{template "base/disable_form_autofill"}}
-				{{.CsrfTokenHtml}}
 
 				<input id="service_type" type="hidden" name="service" value="{{.service}}">
 
diff --git a/templates/repo/migrate/gitea.tmpl b/templates/repo/migrate/gitea.tmpl
index 55cf61a77f29f..4b5ce2f76ec33 100644
--- a/templates/repo/migrate/gitea.tmpl
+++ b/templates/repo/migrate/gitea.tmpl
@@ -7,7 +7,6 @@
 		<div class="ui attached segment">
 			{{template "base/alert" .}}
 			<form class="ui form left-right-form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 
 				<input id="service_type" type="hidden" name="service" value="{{.service}}">
 
diff --git a/templates/repo/migrate/github.tmpl b/templates/repo/migrate/github.tmpl
index 86b585b861e80..87a95d3ce4219 100644
--- a/templates/repo/migrate/github.tmpl
+++ b/templates/repo/migrate/github.tmpl
@@ -7,7 +7,6 @@
 		<div class="ui attached segment">
 			{{template "base/alert" .}}
 			<form class="ui form left-right-form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 
 				<input id="service_type" type="hidden" name="service" value="{{.service}}">
 
diff --git a/templates/repo/migrate/gitlab.tmpl b/templates/repo/migrate/gitlab.tmpl
index edd69f0027559..6754ecdfa8191 100644
--- a/templates/repo/migrate/gitlab.tmpl
+++ b/templates/repo/migrate/gitlab.tmpl
@@ -7,7 +7,6 @@
 		<div class="ui attached segment">
 			{{template "base/alert" .}}
 			<form class="ui form left-right-form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 
 				<input id="service_type" type="hidden" name="service" value="{{.service}}">
 
diff --git a/templates/repo/migrate/gogs.tmpl b/templates/repo/migrate/gogs.tmpl
index 9149c43239fde..ab67c956b07b2 100644
--- a/templates/repo/migrate/gogs.tmpl
+++ b/templates/repo/migrate/gogs.tmpl
@@ -7,7 +7,6 @@
 		<div class="ui attached segment">
 			{{template "base/alert" .}}
 			<form class="ui form left-right-form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 
 				<input id="service_type" type="hidden" name="service" value="{{.service}}">
 
diff --git a/templates/repo/migrate/migrating.tmpl b/templates/repo/migrate/migrating.tmpl
index e73e3a97907bf..4e0bc48a5493a 100644
--- a/templates/repo/migrate/migrating.tmpl
+++ b/templates/repo/migrate/migrating.tmpl
@@ -64,7 +64,6 @@
 			{{end}}
 		</div>
 		<form class="ui form" action="{{.Link}}/settings" method="post">
-			{{.CsrfTokenHtml}}
 			<input type="hidden" name="action" value="delete">
 			<div class="field">
 				<label>
@@ -90,7 +89,6 @@
 		{{ctx.Locale.Tr "repo.migrate.cancel_migrating_title"}}
 	</div>
 	<form action="{{.Link}}/settings/migrate/cancel" method="post">
-		{{.CsrfTokenHtml}}
 		<div class="content">
 			{{ctx.Locale.Tr "repo.migrate.cancel_migrating_confirm"}}
 		</div>
diff --git a/templates/repo/migrate/onedev.tmpl b/templates/repo/migrate/onedev.tmpl
index a25ccf943888b..f176a3f758275 100644
--- a/templates/repo/migrate/onedev.tmpl
+++ b/templates/repo/migrate/onedev.tmpl
@@ -8,7 +8,6 @@
 			{{template "base/alert" .}}
 			<form class="ui form left-right-form" action="{{.Link}}" method="post">
 				{{template "base/disable_form_autofill"}}
-				{{.CsrfTokenHtml}}
 
 				<input id="service_type" type="hidden" name="service" value="{{.service}}">
 
diff --git a/templates/repo/pulls/fork.tmpl b/templates/repo/pulls/fork.tmpl
index 0d775ed6a0ed8..6a594dc9fe05b 100644
--- a/templates/repo/pulls/fork.tmpl
+++ b/templates/repo/pulls/fork.tmpl
@@ -7,7 +7,6 @@
 		<div class="ui attached segment">
 			{{template "base/alert" .}}
 			<form class="ui form form-fetch-action left-right-form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<div class="inline required field {{if .Err_Owner}}error{{end}}">
 					<label>{{ctx.Locale.Tr "repo.owner"}}</label>
 					<div class="ui selection owner dropdown ellipsis-text-items">
diff --git a/templates/repo/release/new.tmpl b/templates/repo/release/new.tmpl
index 44f496e73d004..6f2a5c59af448 100644
--- a/templates/repo/release/new.tmpl
+++ b/templates/repo/release/new.tmpl
@@ -19,7 +19,6 @@
 			data-tag-helper-new="{{ctx.Locale.Tr "repo.release.tag_helper_new"}}"
 			data-tag-helper-existing="{{ctx.Locale.Tr "repo.release.tag_helper_existing"}}"
 		>
-			{{.CsrfTokenHtml}}
 			<div class="inline field {{if .Err_TagName}}error{{end}}">
 				<label class="tw-block tw-mb-1"><b>{{ctx.Locale.Tr "repo.git_tag"}}</b></label>
 				{{if .PageIsEditRelease}}
diff --git a/templates/repo/settings/actions_general.tmpl b/templates/repo/settings/actions_general.tmpl
index 06b7c8bad5025..24f59bd453480 100644
--- a/templates/repo/settings/actions_general.tmpl
+++ b/templates/repo/settings/actions_general.tmpl
@@ -4,7 +4,6 @@
 	</h4>
 	<div class="ui attached segment">
 		<form class="ui form" action="{{.Link}}/actions_unit" method="post">
-			{{.CsrfTokenHtml}}
 			{{$isActionsEnabled := .Repository.UnitEnabled ctx ctx.Consts.RepoUnitTypeActions}}
 			{{$isActionsGlobalDisabled := ctx.Consts.RepoUnitTypeActions.UnitGlobalDisabled}}
 			<div class="inline field">
@@ -55,7 +54,6 @@
 	{{end}}
 	<div class="ui bottom attached segment">
 		<form class="ui form form-fetch-action" action="{{.Link}}/collaborative_owner/add" method="post">
-			{{.CsrfTokenHtml}}
 			<div id="search-user-box" class="ui search input tw-align-middle" data-include-orgs="true">
 				<input class="prompt" name="collaborative_owner" placeholder="{{ctx.Locale.Tr "search.user_kind"}}" autocomplete="off" autofocus required>
 			</div>
diff --git a/templates/repo/settings/branches.tmpl b/templates/repo/settings/branches.tmpl
index e8e7a3f1c2a17..37ebab2a72e79 100644
--- a/templates/repo/settings/branches.tmpl
+++ b/templates/repo/settings/branches.tmpl
@@ -13,7 +13,6 @@
 					{{ctx.Locale.Tr "repo.settings.default_branch_desc"}}
 				</p>
 				<form class="tw-flex" action="{{.Link}}" method="post">
-					{{.CsrfTokenHtml}}
 					<input type="hidden" name="action" value="default_branch">
 					<div class="ui dropdown selection search tw-flex-1 tw-mr-2 tw-max-w-96">
 						{{svg "octicon-triangle-down" 14 "dropdown icon"}}
diff --git a/templates/repo/settings/collaboration.tmpl b/templates/repo/settings/collaboration.tmpl
index 62903e1cfb70c..e142283b5555f 100644
--- a/templates/repo/settings/collaboration.tmpl
+++ b/templates/repo/settings/collaboration.tmpl
@@ -40,7 +40,6 @@
 		{{end}}
 		<div class="ui bottom attached segment">
 			<form class="ui form" id="repo-collab-form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<div id="search-user-box" class="ui search input tw-align-middle">
 					<input class="prompt" name="collaborator" placeholder="{{ctx.Locale.Tr "search.user_kind"}}" autocomplete="off" autofocus required>
 				</div>
@@ -108,7 +107,6 @@
 			<div class="ui bottom attached segment">
 				{{if $allowedToChangeTeams}}
 					<form class="ui form" id="repo-collab-team-form" action="{{.Link}}/team" method="post">
-						{{.CsrfTokenHtml}}
 						<div id="search-team-box" class="ui search input tw-align-middle" data-org-name="{{.OrgName}}">
 							<input class="prompt" name="team" placeholder="{{ctx.Locale.Tr "search.team_kind"}}" autocomplete="off" required>
 						</div>
diff --git a/templates/repo/settings/deploy_keys.tmpl b/templates/repo/settings/deploy_keys.tmpl
index b82d584b22cae..5975b198f3091 100644
--- a/templates/repo/settings/deploy_keys.tmpl
+++ b/templates/repo/settings/deploy_keys.tmpl
@@ -13,7 +13,6 @@
 		<div class="ui attached segment">
 			<div class="{{if not .HasError}}tw-hidden{{end}} tw-mb-4" id="add-deploy-key-panel">
 				<form class="ui form" action="{{.Link}}" method="post">
-					{{.CsrfTokenHtml}}
 					<div class="field">
 						{{ctx.Locale.Tr "repo.settings.deploy_key_desc"}}
 					</div>
diff --git a/templates/repo/settings/githook_edit.tmpl b/templates/repo/settings/githook_edit.tmpl
index e20f51b922583..40f2907cf3ae6 100644
--- a/templates/repo/settings/githook_edit.tmpl
+++ b/templates/repo/settings/githook_edit.tmpl
@@ -6,7 +6,6 @@
 		<div class="ui attached segment">
 			<p>{{ctx.Locale.Tr "repo.settings.githook_edit_desc"}}</p>
 			<form class="ui form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				{{with .Hook}}
 					<div class="inline field">
 						<label>{{ctx.Locale.Tr "repo.settings.githook_name"}}</label>
diff --git a/templates/repo/settings/lfs.tmpl b/templates/repo/settings/lfs.tmpl
index 4b46aeed9547a..a3957ffd533ab 100644
--- a/templates/repo/settings/lfs.tmpl
+++ b/templates/repo/settings/lfs.tmpl
@@ -43,7 +43,6 @@
 						{{ctx.Locale.Tr "repo.settings.lfs_delete_warning"}}
 					</p>
 					<form class="ui form" action="{{$.Link}}/delete/{{.Oid}}" method="post">
-						{{$.CsrfTokenHtml}}
 						{{template "base/modal_actions_confirm"}}
 					</form>
 				</div>
diff --git a/templates/repo/settings/lfs_locks.tmpl b/templates/repo/settings/lfs_locks.tmpl
index dfbae0633ef60..55bb2ce1d344c 100644
--- a/templates/repo/settings/lfs_locks.tmpl
+++ b/templates/repo/settings/lfs_locks.tmpl
@@ -6,7 +6,6 @@
 			</h4>
 			<div class="ui attached segment">
 				<form class="ui form ignore-dirty" method="post">
-					{{$.CsrfTokenHtml}}
 					<div class="ui fluid action input">
 						<input name="path" value="" placeholder="{{ctx.Locale.Tr "repo.settings.lfs_lock_path"}}" autofocus>
 						<button class="ui primary button">{{ctx.Locale.Tr "repo.settings.lfs_lock"}}</button>
@@ -38,7 +37,6 @@
 							<td>{{DateUtils.TimeSince .Created}}</td>
 							<td class="tw-text-right">
 								<form action="{{$.LFSFilesLink}}/locks/{{$lock.ID}}/unlock" method="post">
-									{{$.CsrfTokenHtml}}
 									<button class="ui primary button"><span class="btn-octicon">{{svg "octicon-lock"}}</span>{{ctx.Locale.Tr "repo.settings.lfs_force_unlock"}}</button>
 								</form>
 							</td>
diff --git a/templates/repo/settings/lfs_pointers.tmpl b/templates/repo/settings/lfs_pointers.tmpl
index 4cfc0fc6730a0..2138aadc53c72 100644
--- a/templates/repo/settings/lfs_pointers.tmpl
+++ b/templates/repo/settings/lfs_pointers.tmpl
@@ -5,7 +5,6 @@
 			{{if gt .NumAssociatable 0}}
 				<div class="ui right">
 					<form class="ui form" method="post" action="{{$.Link}}/associate">
-						{{.CsrfTokenHtml}}
 						{{range .Pointers}}
 							{{if .Associatable}}
 								<input type="hidden" name="oid" value="{{.Oid}} {{.Size}}">
diff --git a/templates/repo/settings/options.tmpl b/templates/repo/settings/options.tmpl
index b4680431b8acf..c7b3c31b0f1f5 100644
--- a/templates/repo/settings/options.tmpl
+++ b/templates/repo/settings/options.tmpl
@@ -6,7 +6,6 @@
 		<div class="ui attached segment">
 			<form class="ui form" action="{{.Link}}" method="post">
 				{{template "base/disable_form_autofill"}}
-				{{.CsrfTokenHtml}}
 				<input type="hidden" name="action" value="update">
 				<div class="required field {{if .Err_RepoName}}error{{end}}">
 					<label>{{ctx.Locale.Tr "repo.repo_name"}}</label>
@@ -38,7 +37,6 @@
 
 			<div class="divider"></div>
 			<form class="ui form" action="{{.Link}}/avatar" method="post" enctype="multipart/form-data">
-				{{.CsrfTokenHtml}}
 				<div class="inline field">
 					{{template "shared/avatar_upload_crop" dict "LabelText" (ctx.Locale.Tr "settings.choose_new_avatar")}}
 				</div>
@@ -119,7 +117,6 @@
 								<td>{{DateUtils.FullTime .PullMirror.UpdatedUnix}}</td>
 								<td class="tw-text-right">
 									<form method="post" class="tw-inline-block">
-										{{.CsrfTokenHtml}}
 										<input type="hidden" name="action" value="mirror-sync">
 										<button class="ui primary tiny button inline">{{ctx.Locale.Tr "repo.settings.sync_mirror"}}</button>
 									</form>
@@ -129,7 +126,6 @@
 								<td colspan="4">
 									<form class="ui form" method="post">
 										{{template "base/disable_form_autofill"}}
-										{{.CsrfTokenHtml}}
 										<input type="hidden" name="action" value="mirror">
 										<div class="inline field {{if .Err_EnablePrune}}error{{end}}">
 											<label>{{ctx.Locale.Tr "repo.mirror_prune"}}</label>
@@ -226,13 +222,11 @@
 										{{svg "octicon-pencil" 14}}
 									</button>
 									<form method="post" class="tw-inline-block">
-										{{$.CsrfTokenHtml}}
 										<input type="hidden" name="action" value="push-mirror-sync">
 										<input type="hidden" name="push_mirror_id" value="{{.ID}}">
 										<button class="ui primary tiny button" data-tooltip-content="{{ctx.Locale.Tr "repo.settings.sync_mirror"}}">{{svg "octicon-sync" 14}}</button>
 									</form>
 									<form method="post" class="tw-inline-block">
-										{{$.CsrfTokenHtml}}
 										<input type="hidden" name="action" value="push-mirror-remove">
 										<input type="hidden" name="push_mirror_id" value="{{.ID}}">
 										<button class="ui basic red tiny button" data-tooltip-content="{{ctx.Locale.Tr "remove"}}">{{svg "octicon-trash" 14}}</button>
@@ -249,7 +243,6 @@
 									<td colspan="4">
 										<form class="ui form" method="post">
 											{{template "base/disable_form_autofill"}}
-											{{.CsrfTokenHtml}}
 											<input type="hidden" name="action" value="push-mirror-add">
 											<div class="field {{if .Err_PushMirrorAddress}}error{{end}}">
 												<label for="push_mirror_address">{{ctx.Locale.Tr "repo.settings.mirror_settings.push_mirror.remote_url"}}</label>
@@ -299,7 +292,6 @@
 		</h4>
 		<div class="ui attached segment">
 			<form class="ui form" method="post">
-				{{.CsrfTokenHtml}}
 				<input type="hidden" name="action" value="advanced">
 
 				{{$isCodeEnabled := .Repository.UnitEnabled ctx ctx.Consts.RepoUnitTypeCode}}
@@ -647,7 +639,6 @@
 		</h4>
 		<div class="ui attached segment">
 			<form class="ui form" method="post">
-				{{.CsrfTokenHtml}}
 				<input type="hidden" name="action" value="signing">
 				<div class="field">
 					<label>{{ctx.Locale.Tr "repo.settings.trust_model"}}</label><br>
@@ -694,7 +685,6 @@
 		</h4>
 		<div class="ui attached segment">
 			<form class="ui form" method="post">
-				{{.CsrfTokenHtml}}
 				<input type="hidden" name="action" value="admin">
 				<div class="field">
 					<div class="ui checkbox">
@@ -710,7 +700,6 @@
 
 			<div class="divider"></div>
 			<form class="ui form" method="post">
-				{{.CsrfTokenHtml}}
 				<input type="hidden" name="action" value="admin_index">
 				{{if .IsRepoIndexerEnabled}}
 					<h4 class="ui header">{{ctx.Locale.Tr "repo.settings.admin_code_indexer"}}</h4>
@@ -815,7 +804,6 @@
 					<div class="flex-item-trailing">
 						{{if .RepoTransfer}}
 							<form class="ui form" action="{{.Link}}" method="post">
-								{{.CsrfTokenHtml}}
 								<input type="hidden" name="action" value="cancel_transfer">
 								<button class="ui red button">{{ctx.Locale.Tr "repo.settings.transfer_abort"}}</button>
 							</form>
@@ -883,7 +871,6 @@
 					{{ctx.Locale.Tr "repo.settings.convert_notices_1"}}
 				</div>
 				<form class="ui form" action="{{.Link}}" method="post">
-					{{.CsrfTokenHtml}}
 					<input type="hidden" name="action" value="convert">
 					<div class="field">
 						<label>
@@ -914,7 +901,6 @@
 					{{ctx.Locale.Tr "repo.settings.convert_fork_notices_1"}}
 				</div>
 				<form class="ui form" action="{{.Link}}" method="post">
-					{{.CsrfTokenHtml}}
 					<input type="hidden" name="action" value="convert_fork">
 					<div class="field">
 						<label>
@@ -947,7 +933,6 @@
 				{{ctx.Locale.Tr "repo.settings.transfer_notices_4"}}
 			</div>
 			<form class="ui form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<input type="hidden" name="action" value="transfer">
 				<div class="field">
 					<label>
@@ -985,7 +970,6 @@
 				{{end}}
 			</div>
 			<form class="ui form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<input type="hidden" name="action" value="delete">
 				<div class="field">
 					<label>
@@ -1026,7 +1010,6 @@
 					{{end}}
 			</div>
 			<form action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<input type="hidden" name="action" value="visibility">
 				<input type="hidden" name="repo_id" value="{{.Repository.ID}}">
 				{{template "base/modal_actions_confirm" .}}
@@ -1045,7 +1028,6 @@
 				{{ctx.Locale.Tr "repo.settings.wiki_delete_notices_1" .Repository.Name}}
 			</div>
 			<form class="ui form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<input type="hidden" name="action" value="delete-wiki">
 				<div class="field">
 					<label>
@@ -1086,7 +1068,6 @@
 				</p>
 			</div>
 			<form action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<input type="hidden" name="action" value="{{if .Repository.IsArchived}}unarchive{{else}}archive{{end}}">
 				<input type="hidden" name="repo_id" value="{{.Repository.ID}}">
 				{{template "base/modal_actions_confirm" .}}
diff --git a/templates/repo/settings/protected_branch.tmpl b/templates/repo/settings/protected_branch.tmpl
index 3c311c18c39ee..daa1d5f3f913b 100644
--- a/templates/repo/settings/protected_branch.tmpl
+++ b/templates/repo/settings/protected_branch.tmpl
@@ -27,7 +27,6 @@
 					<p class="help tw-ml-0">{{ctx.Locale.Tr "repo.settings.protect_unprotected_file_patterns_desc" "https://pkg.go.dev/github.com/gobwas/glob#Compile" "github.com/gobwas/glob"}}</p>
 				</div>
 
-				{{.CsrfTokenHtml}}
 				<h5 class="ui dividing header">{{ctx.Locale.Tr "repo.settings.event_push"}}</h5>
 				<div class="field">
 					<div class="ui radio checkbox">
diff --git a/templates/repo/settings/public_access.tmpl b/templates/repo/settings/public_access.tmpl
index c1c198bcce5f2..cfd9bf5cb17f0 100644
--- a/templates/repo/settings/public_access.tmpl
+++ b/templates/repo/settings/public_access.tmpl
@@ -12,7 +12,6 @@
 		{{$paEveryoneRead := "everyone-read"}}
 		{{$paEveryoneWrite := "everyone-write"}}
 		<form class="ui form" method="post">
-			{{.CsrfTokenHtml}}
 			<table class="ui table unstackable tw-my-2">
 				<thead>
 					<tr>
diff --git a/templates/repo/settings/push_mirror_sync_modal.tmpl b/templates/repo/settings/push_mirror_sync_modal.tmpl
index 3bd624fab799c..0ae7393ca9003 100644
--- a/templates/repo/settings/push_mirror_sync_modal.tmpl
+++ b/templates/repo/settings/push_mirror_sync_modal.tmpl
@@ -3,7 +3,6 @@
 		{{ctx.Locale.Tr "repo.settings.mirror_settings.push_mirror.edit_sync_time"}}
 	</div>
 	<form class="content ui form ignore-dirty" method="post">
-		{{.CsrfTokenHtml}}
 		<input type="hidden" name="action" value="push-mirror-update">
 		<input type="hidden" name="push_mirror_id" id="push-mirror-edit-id">
 		<div class="field">
diff --git a/templates/repo/settings/tags.tmpl b/templates/repo/settings/tags.tmpl
index 12ec9102b75af..af03b3598f500 100644
--- a/templates/repo/settings/tags.tmpl
+++ b/templates/repo/settings/tags.tmpl
@@ -14,7 +14,6 @@
 					<div class="sixteen wide column">
 						<div class="ui segment">
 							<form class="ui form" action="{{.Link}}" method="post">
-								{{.CsrfTokenHtml}}
 								<div class="field">
 									<label>{{ctx.Locale.Tr "repo.settings.tags.protection.pattern"}}</label>
 									<div id="search-tag-box" class="ui search">
@@ -107,7 +106,6 @@
 										<td class="tw-text-right">
 											<a class="ui tiny primary button" href="{{$.RepoLink}}/settings/tags/{{.ID}}">{{ctx.Locale.Tr "edit"}}</a>
 											<form class="tw-inline-block" action="{{$.RepoLink}}/settings/tags/delete" method="post">
-												{{$.CsrfTokenHtml}}
 												<input type="hidden" name="id" value="{{.ID}}">
 												<button class="ui tiny red button">{{ctx.Locale.Tr "remove"}}</button>
 											</form>
diff --git a/templates/repo/settings/webhook/dingtalk.tmpl b/templates/repo/settings/webhook/dingtalk.tmpl
index dd208cde1772c..ef96972a0af9f 100644
--- a/templates/repo/settings/webhook/dingtalk.tmpl
+++ b/templates/repo/settings/webhook/dingtalk.tmpl
@@ -1,7 +1,6 @@
 {{if eq .HookType "dingtalk"}}
 	<p>{{ctx.Locale.Tr "repo.settings.add_web_hook_desc" "https://dingtalk.com" (ctx.Locale.Tr "repo.settings.web_hook_name_dingtalk")}}</p>
 	<form class="ui form" action="{{.BaseLink}}/dingtalk/{{or .Webhook.ID "new"}}" method="post">
-		{{.CsrfTokenHtml}}
 		<div class="required field {{if .Err_PayloadURL}}error{{end}}">
 			<label for="payload_url">{{ctx.Locale.Tr "repo.settings.payload_url"}}</label>
 			<input id="payload_url" name="payload_url" type="url" value="{{.Webhook.URL}}" autofocus required>
diff --git a/templates/repo/settings/webhook/discord.tmpl b/templates/repo/settings/webhook/discord.tmpl
index fa66249fa522d..9dca83a4972f5 100644
--- a/templates/repo/settings/webhook/discord.tmpl
+++ b/templates/repo/settings/webhook/discord.tmpl
@@ -1,7 +1,6 @@
 {{if eq .HookType "discord"}}
 	<p>{{ctx.Locale.Tr "repo.settings.add_web_hook_desc" "https://discord.com" (ctx.Locale.Tr "repo.settings.web_hook_name_discord")}}</p>
 	<form class="ui form" action="{{.BaseLink}}/discord/{{or .Webhook.ID "new"}}" method="post">
-		{{.CsrfTokenHtml}}
 		<div class="required field {{if .Err_PayloadURL}}error{{end}}">
 			<label for="payload_url">{{ctx.Locale.Tr "repo.settings.payload_url"}}</label>
 			<input id="payload_url" name="payload_url" type="url" value="{{.Webhook.URL}}" autofocus required>
diff --git a/templates/repo/settings/webhook/feishu.tmpl b/templates/repo/settings/webhook/feishu.tmpl
index 13bd0d92a18a7..84ffff364f63c 100644
--- a/templates/repo/settings/webhook/feishu.tmpl
+++ b/templates/repo/settings/webhook/feishu.tmpl
@@ -4,7 +4,6 @@
 		{{ctx.Locale.Tr "repo.settings.add_web_hook_desc" "https://larksuite.com" (ctx.Locale.Tr "repo.settings.web_hook_name_larksuite")}}
 	</p>
 	<form class="ui form" action="{{.BaseLink}}/feishu/{{or .Webhook.ID "new"}}" method="post">
-		{{.CsrfTokenHtml}}
 		<div class="required field {{if .Err_PayloadURL}}error{{end}}">
 			<label for="payload_url">{{ctx.Locale.Tr "repo.settings.payload_url"}}</label>
 			<input id="payload_url" name="payload_url" type="url" value="{{.Webhook.URL}}" autofocus required>
diff --git a/templates/repo/settings/webhook/gitea.tmpl b/templates/repo/settings/webhook/gitea.tmpl
index 30f14d609bad3..9f5f86d9eed94 100644
--- a/templates/repo/settings/webhook/gitea.tmpl
+++ b/templates/repo/settings/webhook/gitea.tmpl
@@ -2,7 +2,6 @@
 	<p>{{ctx.Locale.Tr "repo.settings.add_web_hook_desc" "https://docs.gitea.com/usage/webhooks" (ctx.Locale.Tr "repo.settings.web_hook_name_gitea")}}</p>
 	<form class="ui form" action="{{.BaseLink}}/gitea/{{or .Webhook.ID "new"}}" method="post">
 		{{template "base/disable_form_autofill"}}
-		{{.CsrfTokenHtml}}
 		<div class="required field {{if .Err_PayloadURL}}error{{end}}">
 			<label for="payload_url">{{ctx.Locale.Tr "repo.settings.payload_url"}}</label>
 			<input id="payload_url" name="payload_url" type="url" value="{{.Webhook.URL}}" autofocus required>
diff --git a/templates/repo/settings/webhook/gogs.tmpl b/templates/repo/settings/webhook/gogs.tmpl
index c0e054602ab08..f08114f6541e4 100644
--- a/templates/repo/settings/webhook/gogs.tmpl
+++ b/templates/repo/settings/webhook/gogs.tmpl
@@ -2,7 +2,6 @@
 	<p>{{ctx.Locale.Tr "repo.settings.add_web_hook_desc" "https://docs.gitea.com/usage/webhooks" (ctx.Locale.Tr "repo.settings.web_hook_name_gogs")}}</p>
 	<form class="ui form" action="{{.BaseLink}}/gogs/{{or .Webhook.ID "new"}}" method="post">
 		{{template "base/disable_form_autofill"}}
-		{{.CsrfTokenHtml}}
 		<div class="required field {{if .Err_PayloadURL}}error{{end}}">
 			<label for="payload_url">{{ctx.Locale.Tr "repo.settings.payload_url"}}</label>
 			<input id="payload_url" name="payload_url" type="url" value="{{.Webhook.URL}}" autofocus required>
diff --git a/templates/repo/settings/webhook/history.tmpl b/templates/repo/settings/webhook/history.tmpl
index d27c1fb8b12cd..fb23c7634ff0d 100644
--- a/templates/repo/settings/webhook/history.tmpl
+++ b/templates/repo/settings/webhook/history.tmpl
@@ -52,7 +52,6 @@
 							{{if or $.Permission.IsAdmin $.IsOrganizationOwner $.PageIsAdmin $.PageIsUserSettings}}
 							<div class="right menu">
 								<form class="tw-py-2" action="{{$.Link}}/replay/{{.UUID}}" method="post">
-									{{$.CsrfTokenHtml}}
 									<span data-tooltip-content="{{if $.Webhook.IsActive}}{{ctx.Locale.Tr "repo.settings.webhook.replay.description"}}{{else}}{{ctx.Locale.Tr "repo.settings.webhook.replay.description_disabled"}}{{end}}">
 										<button class="ui tiny button tw-mr-0{{if not $.Webhook.IsActive}} disabled{{end}}">{{svg "octicon-sync"}}</button>
 									</span>
diff --git a/templates/repo/settings/webhook/matrix.tmpl b/templates/repo/settings/webhook/matrix.tmpl
index e0aad2d807e9d..60af8427591ea 100644
--- a/templates/repo/settings/webhook/matrix.tmpl
+++ b/templates/repo/settings/webhook/matrix.tmpl
@@ -1,7 +1,6 @@
 {{if eq .HookType "matrix"}}
 	<p>{{ctx.Locale.Tr "repo.settings.add_web_hook_desc" "https://matrix.org/" (ctx.Locale.Tr "repo.settings.web_hook_name_matrix")}}</p>
 	<form class="ui form" action="{{.BaseLink}}/matrix/{{or .Webhook.ID "new"}}" method="post">
-		{{.CsrfTokenHtml}}
 		<div class="required field {{if .Err_HomeserverURL}}error{{end}}">
 			<label for="homeserver_url">{{ctx.Locale.Tr "repo.settings.matrix.homeserver_url"}}</label>
 			<input id="homeserver_url" name="homeserver_url" type="url" value="{{.MatrixHook.HomeserverURL}}" autofocus required>
diff --git a/templates/repo/settings/webhook/msteams.tmpl b/templates/repo/settings/webhook/msteams.tmpl
index 17718a1064efe..8aa9980388093 100644
--- a/templates/repo/settings/webhook/msteams.tmpl
+++ b/templates/repo/settings/webhook/msteams.tmpl
@@ -1,7 +1,6 @@
 {{if eq .HookType "msteams"}}
 	<p>{{ctx.Locale.Tr "repo.settings.add_web_hook_desc" "https://teams.microsoft.com" (ctx.Locale.Tr "repo.settings.web_hook_name_msteams")}}</p>
 	<form class="ui form" action="{{.BaseLink}}/msteams/{{or .Webhook.ID "new"}}" method="post">
-		{{.CsrfTokenHtml}}
 		<div class="required field {{if .Err_PayloadURL}}error{{end}}">
 			<label for="payload_url">{{ctx.Locale.Tr "repo.settings.payload_url"}}</label>
 			<input id="payload_url" name="payload_url" type="url" value="{{.Webhook.URL}}" autofocus required>
diff --git a/templates/repo/settings/webhook/packagist.tmpl b/templates/repo/settings/webhook/packagist.tmpl
index c813e7c2af6ea..9dac201b9ef17 100644
--- a/templates/repo/settings/webhook/packagist.tmpl
+++ b/templates/repo/settings/webhook/packagist.tmpl
@@ -1,7 +1,6 @@
 {{if eq .HookType "packagist"}}
 	<p>{{ctx.Locale.Tr "repo.settings.add_web_hook_desc" "https://packagist.org" (ctx.Locale.Tr "repo.settings.web_hook_name_packagist")}}</p>
 	<form class="ui form" action="{{.BaseLink}}/packagist/{{or .Webhook.ID "new"}}" method="post">
-		{{.CsrfTokenHtml}}
 		<div class="required field {{if .Err_Username}}error{{end}}">
 			<label for="username">{{ctx.Locale.Tr "repo.settings.packagist_username"}}</label>
 			<input id="username" name="username" value="{{.PackagistHook.Username}}" placeholder="Gitea" autofocus required>
diff --git a/templates/repo/settings/webhook/slack.tmpl b/templates/repo/settings/webhook/slack.tmpl
index 519d6afa1ad81..83f41af24b478 100644
--- a/templates/repo/settings/webhook/slack.tmpl
+++ b/templates/repo/settings/webhook/slack.tmpl
@@ -1,7 +1,6 @@
 {{if eq .HookType "slack"}}
 	<p>{{ctx.Locale.Tr "repo.settings.add_web_hook_desc" "https://slack.com" (ctx.Locale.Tr "repo.settings.web_hook_name_slack")}}</p>
 	<form class="ui form" action="{{.BaseLink}}/slack/{{or .Webhook.ID "new"}}" method="post">
-		{{.CsrfTokenHtml}}
 		<div class="required field {{if .Err_PayloadURL}}error{{end}}">
 			<label for="payload_url">{{ctx.Locale.Tr "repo.settings.payload_url"}}</label>
 			<input id="payload_url" name="payload_url" type="url" value="{{.Webhook.URL}}" autofocus required>
diff --git a/templates/repo/settings/webhook/telegram.tmpl b/templates/repo/settings/webhook/telegram.tmpl
index 5ab89b72cc0e6..71aac94bc2629 100644
--- a/templates/repo/settings/webhook/telegram.tmpl
+++ b/templates/repo/settings/webhook/telegram.tmpl
@@ -1,7 +1,6 @@
 {{if eq .HookType "telegram"}}
 	<p>{{ctx.Locale.Tr "repo.settings.add_web_hook_desc" "https://core.telegram.org/bots" (ctx.Locale.Tr "repo.settings.web_hook_name_telegram")}}</p>
 	<form class="ui form" action="{{.BaseLink}}/telegram/{{or .Webhook.ID "new"}}" method="post">
-		{{.CsrfTokenHtml}}
 		<div class="required field {{if .Err_BotToken}}error{{end}}">
 			<label for="bot_token">{{ctx.Locale.Tr "repo.settings.bot_token"}}</label>
 			<input id="bot_token" name="bot_token" type="text" value="{{.TelegramHook.BotToken}}" autofocus required>
diff --git a/templates/repo/settings/webhook/wechatwork.tmpl b/templates/repo/settings/webhook/wechatwork.tmpl
index cbc29b4610129..617a6ce39a156 100644
--- a/templates/repo/settings/webhook/wechatwork.tmpl
+++ b/templates/repo/settings/webhook/wechatwork.tmpl
@@ -1,7 +1,6 @@
 {{if eq .HookType "wechatwork"}}
 	<p>{{ctx.Locale.Tr "repo.settings.add_web_hook_desc" "https://work.weixin.qq.com" (ctx.Locale.Tr "repo.settings.web_hook_name_wechatwork")}}</p>
 	<form class="ui form" action="{{.BaseLink}}/wechatwork/{{or .Webhook.ID "new"}}" method="post">
-		{{.CsrfTokenHtml}}
 		<div class="required field {{if .Err_PayloadURL}}error{{end}}">
 			<label for="payload_url">{{ctx.Locale.Tr "repo.settings.payload_url"}}</label>
 			<input id="payload_url" name="payload_url" type="url" value="{{.Webhook.URL}}" autofocus required>
diff --git a/templates/repo/wiki/new.tmpl b/templates/repo/wiki/new.tmpl
index 12f0983904670..679e993ec7e90 100644
--- a/templates/repo/wiki/new.tmpl
+++ b/templates/repo/wiki/new.tmpl
@@ -10,7 +10,6 @@
 			{{end}}
 		</div>
 		<form class="ui form" action="?action={{if .PageIsWikiEdit}}_edit{{else}}_new{{end}}" method="post">
-			{{.CsrfTokenHtml}}
 			<div class="field {{if .Err_Title}}error{{end}}">
 				<input name="title" value="{{.title}}" aria-label="{{ctx.Locale.Tr "repo.wiki.page_title"}}" placeholder="{{ctx.Locale.Tr "repo.wiki.page_title"}}" autofocus required>
 			</div>
diff --git a/templates/shared/actions/runner_edit.tmpl b/templates/shared/actions/runner_edit.tmpl
index d452d69f7a227..8c434971ad613 100644
--- a/templates/shared/actions/runner_edit.tmpl
+++ b/templates/shared/actions/runner_edit.tmpl
@@ -5,7 +5,6 @@
 	<div class="ui attached segment">
 		<form class="ui form" method="post">
 			{{template "base/disable_form_autofill"}}
-			{{.CsrfTokenHtml}}
 			<div class="runner-basic-info">
 				<div class="field tw-inline-block tw-mr-4">
 					<label>{{ctx.Locale.Tr "actions.runners.status"}}</label>
diff --git a/templates/shared/secrets/add_list.tmpl b/templates/shared/secrets/add_list.tmpl
index 44305e9502d4a..88f46c6854d51 100644
--- a/templates/shared/secrets/add_list.tmpl
+++ b/templates/shared/secrets/add_list.tmpl
@@ -70,7 +70,6 @@
 	<div class="header"></div>
 	<form class="ui form form-fetch-action" method="post">
 		<div class="content">
-			{{.CsrfTokenHtml}}
 			<div class="field">
 				{{ctx.Locale.Tr "secrets.description"}}
 			</div>
diff --git a/templates/shared/user/block_user_dialog.tmpl b/templates/shared/user/block_user_dialog.tmpl
index e1fa93994568b..64fd25bcd4a78 100644
--- a/templates/shared/user/block_user_dialog.tmpl
+++ b/templates/shared/user/block_user_dialog.tmpl
@@ -3,7 +3,6 @@
 	<div class="content">
 		<div class="ui warning message">{{ctx.Locale.Tr "user.block.info"}}</div>
 		<form class="ui form modal-form" method="post">
-			{{.CsrfTokenHtml}}
 			<input type="hidden" name="action" value="block" />
 			<input type="hidden" name="blockee" class="modal-blockee" />
 			<div class="field">
diff --git a/templates/shared/user/blocked_users.tmpl b/templates/shared/user/blocked_users.tmpl
index c0b1a8a7a4f4c..7a6a5a3afa452 100644
--- a/templates/shared/user/blocked_users.tmpl
+++ b/templates/shared/user/blocked_users.tmpl
@@ -14,7 +14,6 @@
 </div>
 <div class="ui segment">
 	<form class="ui form ignore-dirty" action="{{$.Link}}" method="post">
-		{{.CsrfTokenHtml}}
 		<input type="hidden" name="action" value="block" />
 		<div id="search-user-box" class="field ui fluid search input">
 			<input class="prompt tw-mr-2" name="blockee" placeholder="{{ctx.Locale.Tr "search.user_kind"}}" autocomplete="off" required>
@@ -50,7 +49,6 @@
 				<div class="flex-item-trailing">
 					<button class="ui compact mini button show-modal" data-modal="#block-user-note-modal" data-modal-modal-blockee="{{.Blockee.Name}}" data-modal-modal-note="{{.Note}}">{{ctx.Locale.Tr "user.block.note.edit"}}</button>
 					<form action="{{$.Link}}" method="post">
-						{{$.CsrfTokenHtml}}
 						<input type="hidden" name="action" value="unblock" />
 						<input type="hidden" name="blockee" value="{{.Blockee.Name}}" />
 						<button class="ui compact mini button">{{ctx.Locale.Tr "user.block.unblock"}}</button>
@@ -66,7 +64,6 @@
 	<div class="header">{{ctx.Locale.Tr "user.block.note.edit"}}</div>
 	<div class="content">
 		<form class="ui form" action="{{$.Link}}" method="post">
-			{{.CsrfTokenHtml}}
 			<input type="hidden" name="action" value="note" />
 			<input type="hidden" name="blockee" class="modal-blockee" />
 			<div class="field">
diff --git a/templates/shared/variables/variable_list.tmpl b/templates/shared/variables/variable_list.tmpl
index 2edca431c1497..e3a0b3972a9f2 100644
--- a/templates/shared/variables/variable_list.tmpl
+++ b/templates/shared/variables/variable_list.tmpl
@@ -68,7 +68,6 @@
 	<div class="header"></div>
 	<form class="ui form form-fetch-action" method="post">
 		<div class="content">
-			{{.CsrfTokenHtml}}
 			<div class="field">
 				{{ctx.Locale.Tr "actions.variables.description"}}
 			</div>
diff --git a/templates/user/auth/activate.tmpl b/templates/user/auth/activate.tmpl
index 7f8ff0eb5a463..4a592f259be1f 100644
--- a/templates/user/auth/activate.tmpl
+++ b/templates/user/auth/activate.tmpl
@@ -3,7 +3,6 @@
 	<div class="ui middle very relaxed page grid">
 		<div class="column">
 			<form class="ui form ignore-dirty tw-max-w-2xl tw-m-auto" action="{{AppSubUrl}}/user/activate" method="post">
-				{{.CsrfTokenHtml}}
 				<h2 class="ui top attached header">
 					{{ctx.Locale.Tr "auth.active_your_account"}}
 				</h2>
diff --git a/templates/user/auth/change_passwd_inner.tmpl b/templates/user/auth/change_passwd_inner.tmpl
index 01bbf500e5c6a..3c87790e455d6 100644
--- a/templates/user/auth/change_passwd_inner.tmpl
+++ b/templates/user/auth/change_passwd_inner.tmpl
@@ -6,7 +6,6 @@
 		</h4>
 		<div class="ui attached segment">
 			<form class="ui form tw-max-w-2xl tw-m-auto" action="{{.ChangePasscodeLink}}" method="post">
-			{{.CsrfTokenHtml}}
 			<div class="required field {{if and (.Err_Password) (or (not .LinkAccountMode) (and .LinkAccountMode .LinkAccountModeSignIn))}}error{{end}}">
 				<label for="password">{{ctx.Locale.Tr "password"}}</label>
 				<input id="password" name="password" type="password" value="{{.password}}" autocomplete="new-password" required>
diff --git a/templates/user/auth/forgot_passwd.tmpl b/templates/user/auth/forgot_passwd.tmpl
index 55bcf63018393..f55d3cae51bda 100644
--- a/templates/user/auth/forgot_passwd.tmpl
+++ b/templates/user/auth/forgot_passwd.tmpl
@@ -3,7 +3,6 @@
 	<div class="ui middle very relaxed page grid">
 		<div class="column">
 			<form class="ui form ignore-dirty" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<h2 class="ui top attached header">
 					{{ctx.Locale.Tr "auth.forgot_password_title"}}
 				</h2>
diff --git a/templates/user/auth/grant.tmpl b/templates/user/auth/grant.tmpl
index e56241b0f8af4..198d388036fea 100644
--- a/templates/user/auth/grant.tmpl
+++ b/templates/user/auth/grant.tmpl
@@ -19,7 +19,6 @@
 		</div>
 		<div class="ui attached segment tw-text-center">
 			<form method="post" action="{{AppSubUrl}}/login/oauth/grant">
-				{{.CsrfTokenHtml}}
 				<input type="hidden" name="client_id" value="{{.Application.ClientID}}">
 				<input type="hidden" name="state" value="{{.State}}">
 				<input type="hidden" name="scope" value="{{.Scope}}">
diff --git a/templates/user/auth/reset_passwd.tmpl b/templates/user/auth/reset_passwd.tmpl
index 37a23b3e5592b..efe536649e7a8 100644
--- a/templates/user/auth/reset_passwd.tmpl
+++ b/templates/user/auth/reset_passwd.tmpl
@@ -3,7 +3,6 @@
 	<div class="ui middle very relaxed page grid">
 		<div class="column">
 			<form class="ui form ignore-dirty" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<input name="code" type="hidden" value="{{.Code}}">
 				<h2 class="ui top attached header">
 					{{ctx.Locale.Tr "auth.reset_password"}}
diff --git a/templates/user/auth/signin_inner.tmpl b/templates/user/auth/signin_inner.tmpl
index 5552363a0a051..f86195b0ef325 100644
--- a/templates/user/auth/signin_inner.tmpl
+++ b/templates/user/auth/signin_inner.tmpl
@@ -12,7 +12,6 @@
 	<div class="ui attached segment">
 		{{if .EnablePasswordSignInForm}}
 		<form class="ui form" action="{{.SignInLink}}" method="post">
-			{{.CsrfTokenHtml}}
 			<div class="required field {{if and (.Err_UserName) (or (not .LinkAccountMode) (and .LinkAccountMode .LinkAccountModeSignIn))}}error{{end}}">
 				<label for="user_name">{{ctx.Locale.Tr "home.uname_holder"}}</label>
 				<input id="user_name" type="text" name="user_name" value="{{.user_name}}" autofocus required tabindex="1">
diff --git a/templates/user/auth/signin_openid.tmpl b/templates/user/auth/signin_openid.tmpl
index 20c7bdc924acf..4deb0900d0ad2 100644
--- a/templates/user/auth/signin_openid.tmpl
+++ b/templates/user/auth/signin_openid.tmpl
@@ -14,7 +14,6 @@
 				</h4>
 				<div class="ui attached segment">
 					<form class="ui form tw-m-auto" action="{{.Link}}" method="post">
-						{{.CsrfTokenHtml}}
 						<div class="inline field">
 							{{ctx.Locale.Tr "auth.openid_signin_desc"}}
 						</div>
diff --git a/templates/user/auth/signup_inner.tmpl b/templates/user/auth/signup_inner.tmpl
index a3f6e1471f8d8..339118ac78e23 100644
--- a/templates/user/auth/signup_inner.tmpl
+++ b/templates/user/auth/signup_inner.tmpl
@@ -11,7 +11,6 @@
 			<p>{{ctx.Locale.Tr "auth.sign_up_tip"}}</p>
 		{{end}}
 		<form class="ui form" action="{{.SignUpLink}}" method="post">
-			{{.CsrfTokenHtml}}
 			{{if or (not .LinkAccountMode) (and .LinkAccountMode .LinkAccountModeRegister)}}
 			{{template "base/alert" .}}
 			{{end}}
diff --git a/templates/user/auth/signup_openid_connect.tmpl b/templates/user/auth/signup_openid_connect.tmpl
index 67e99b2f89249..c904ff4e35755 100644
--- a/templates/user/auth/signup_openid_connect.tmpl
+++ b/templates/user/auth/signup_openid_connect.tmpl
@@ -8,7 +8,6 @@
 		</h4>
 		<div class="ui attached segment">
 			<form class="ui form left-right-form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<div class="inline field">
 					<span class="help">{{ctx.Locale.Tr "auth.openid_connect_desc"}}</span>
 				</div>
diff --git a/templates/user/auth/signup_openid_register.tmpl b/templates/user/auth/signup_openid_register.tmpl
index df6268d151142..bee1ca2d2ca66 100644
--- a/templates/user/auth/signup_openid_register.tmpl
+++ b/templates/user/auth/signup_openid_register.tmpl
@@ -11,7 +11,6 @@
 						{{ctx.Locale.Tr "auth.openid_register_desc"}}
 					</p>
 					<form class="ui form" action="{{.Link}}" method="post">
-					{{.CsrfTokenHtml}}
 					<div class="required field {{if .Err_UserName}}error{{end}}">
 						<label for="user_name">{{ctx.Locale.Tr "username"}}</label>
 						<input id="user_name" type="text" name="user_name" value="{{.user_name}}" autofocus required>
diff --git a/templates/user/auth/twofa.tmpl b/templates/user/auth/twofa.tmpl
index d24523917158b..51e1e5c806b8b 100644
--- a/templates/user/auth/twofa.tmpl
+++ b/templates/user/auth/twofa.tmpl
@@ -3,7 +3,6 @@
 	<div class="ui middle very relaxed page grid">
 		<div class="column">
 			<form class="ui form tw-max-w-2xl tw-m-auto" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<h3 class="ui top attached header">
 					{{ctx.Locale.Tr "twofa"}}
 				</h3>
diff --git a/templates/user/auth/twofa_scratch.tmpl b/templates/user/auth/twofa_scratch.tmpl
index 23ad77f2a902b..5014f247a5284 100644
--- a/templates/user/auth/twofa_scratch.tmpl
+++ b/templates/user/auth/twofa_scratch.tmpl
@@ -3,7 +3,6 @@
 	<div class="ui middle very relaxed page grid">
 		<div class="column">
 			<form class="ui form tw-max-w-2xl tw-m-auto" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<h3 class="ui top attached header">
 					{{ctx.Locale.Tr "twofa_scratch"}}
 				</h3>
diff --git a/templates/user/notification/notification_div.tmpl b/templates/user/notification/notification_div.tmpl
index b9faba2b90b20..4f9d4c17a1fa0 100644
--- a/templates/user/notification/notification_div.tmpl
+++ b/templates/user/notification/notification_div.tmpl
@@ -15,7 +15,6 @@
 			</div>
 			{{if and (not $pageTypeIsRead) $notificationUnreadCount}}
 				<form action="{{AppSubUrl}}/notifications/purge" method="post">
-					{{$.CsrfTokenHtml}}
 					<button class="ui mini button primary tw-mr-0" title="{{ctx.Locale.Tr "notification.mark_all_as_read"}}">
 						{{svg "octicon-checklist"}}
 					</button>
@@ -57,7 +56,6 @@
 					<form class="notifications-buttons" action="{{AppSubUrl}}/notifications/status?type={{$.PageType}}&page={{$.Page.Paginater.Current}}&perPage={{$.Page.Paginater.PagingNum}}" method="post"
 								hx-boost="true" hx-target="#notification_div" hx-swap="outerHTML"
 					>
-						{{$.CsrfTokenHtml}}
 						<input type="hidden" name="notification_id" value="{{$one.ID}}">
 						{{if ne $one.Status $statusPinned}}
 							<button class="btn interact-bg tw-p-2" data-tooltip-content="{{ctx.Locale.Tr "notification.pin"}}"
diff --git a/templates/user/settings/account.tmpl b/templates/user/settings/account.tmpl
index 7dbac0ebd45ad..aabdbbb8cbfb4 100644
--- a/templates/user/settings/account.tmpl
+++ b/templates/user/settings/account.tmpl
@@ -7,7 +7,6 @@
 			{{if and (not ($.UserDisabledFeatures.Contains "manage_credentials")) (or (.SignedUser.IsLocal) (.SignedUser.IsOAuth2))}}
 			<form class="ui form ignore-dirty" action="{{AppSubUrl}}/user/settings/account" method="post">
 				{{template "base/disable_form_autofill"}}
-				{{.CsrfTokenHtml}}
 				{{if .SignedUser.IsPasswordSet}}
 				<div class="required field {{if .Err_OldPassword}}error{{end}}">
 					<label for="old_password">{{ctx.Locale.Tr "settings.old_password"}}</label>
@@ -62,7 +61,6 @@
 								</button>
 								{{if .CanBePrimary}}
 									<form action="{{AppSubUrl}}/user/settings/account/email" method="post">
-										{{$.CsrfTokenHtml}}
 										<input name="_method" type="hidden" value="PRIMARY">
 										<input name="id" type="hidden" value="{{.ID}}">
 										<button class="ui primary tiny button">{{ctx.Locale.Tr "settings.primary_email"}}</button>
@@ -71,7 +69,6 @@
 							{{end}}
 							{{if not .IsActivated}}
 								<form action="{{AppSubUrl}}/user/settings/account/email" method="post">
-									{{$.CsrfTokenHtml}}
 									<input name="_method" type="hidden" value="SENDACTIVATION">
 									<input name="id" type="hidden" value="{{.ID}}">
 									{{if $.ActivationsPending}}
@@ -92,7 +89,6 @@
 		{{if not ($.UserDisabledFeatures.Contains "manage_credentials")}}
 		<div class="ui bottom attached segment">
 			<form class="ui form" action="{{AppSubUrl}}/user/settings/account/email" method="post">
-				{{.CsrfTokenHtml}}
 				<div class="required field {{if .Err_Email}}error{{end}}">
 					<label for="email">{{ctx.Locale.Tr "settings.add_new_email"}}</label>
 					<input id="email" name="email" type="email" required {{if not .CanAddEmails}}disabled{{end}}>
@@ -121,7 +117,6 @@
 			</div>
 			<form class="ui form ignore-dirty" id="delete-form" action="{{AppSubUrl}}/user/settings/account/delete" method="post">
 				{{template "base/disable_form_autofill"}}
-				{{.CsrfTokenHtml}}
 				<div class="required field {{if .Err_Password}}error{{end}}">
 					<label for="password-confirmation">{{ctx.Locale.Tr "password"}}</label>
 					<input id="password-confirmation" name="password" type="password" autocomplete="off" required>
diff --git a/templates/user/settings/appearance.tmpl b/templates/user/settings/appearance.tmpl
index 57538339b2c41..139ddab943d79 100644
--- a/templates/user/settings/appearance.tmpl
+++ b/templates/user/settings/appearance.tmpl
@@ -7,7 +7,6 @@
 		</h4>
 		<div class="ui attached segment">
 			<form class="ui form" action="{{.Link}}/theme" method="post">
-				{{.CsrfTokenHtml}}
 				<div class="field">
 					{{ctx.Locale.Tr "settings.theme_desc"}}
 					<a class="muted" target="_blank" href="https://github.com/go-gitea/gitea/blob/main/web_src/css/themes/" data-tooltip-content="{{ctx.Locale.Tr "settings.theme_colorblindness_prompt"}}">
@@ -42,7 +41,6 @@
 		</h4>
 		<div class="ui attached segment">
 			<form class="ui form" action="{{.Link}}/language" method="post">
-				{{.CsrfTokenHtml}}
 				<div class="field">
 					<div class="ui language selection dropdown" id="language">
 						<input name="language" type="hidden" value="{{.SignedUser.Language}}">
@@ -70,7 +68,6 @@
 				{{ctx.Locale.Tr "settings.hidden_comment_types_description"}}
 			</p>
 			<form class="ui form" action="{{.Link}}/hidden_comments" method="post">
-				{{.CsrfTokenHtml}}
 				<div class="inline field">
 					<div class="ui checkbox" data-tooltip-content="{{ctx.Locale.Tr "settings.hidden_comment_types.ref_tooltip"}}">
 						<input name="reference" type="checkbox" {{if(call .IsCommentTypeGroupChecked "reference")}}checked{{end}}>
diff --git a/templates/user/settings/applications.tmpl b/templates/user/settings/applications.tmpl
index 8c24da7fc953b..cae00b966bf7e 100644
--- a/templates/user/settings/applications.tmpl
+++ b/templates/user/settings/applications.tmpl
@@ -53,7 +53,6 @@
 			<details {{if or .name (not .Tokens)}}open{{end}}>
 				<summary><h4 class="ui header tw-inline-block tw-my-2">{{ctx.Locale.Tr "settings.generate_new_token"}}</h4></summary>
 				<form class="ui form ignore-dirty" action="{{.Link}}" method="post">
-					{{.CsrfTokenHtml}}
 					<div class="field {{if .Err_Name}}error{{end}}">
 						<label for="name">{{ctx.Locale.Tr "settings.token_name"}}</label>
 						<input id="name" name="name" value="{{.name}}" required maxlength="255">
diff --git a/templates/user/settings/applications_oauth2_edit_form.tmpl b/templates/user/settings/applications_oauth2_edit_form.tmpl
index 944729117cb09..4323e4d9852c1 100644
--- a/templates/user/settings/applications_oauth2_edit_form.tmpl
+++ b/templates/user/settings/applications_oauth2_edit_form.tmpl
@@ -5,7 +5,6 @@
 	<p>{{ctx.Locale.Tr "settings.oauth2_application_create_description"}}</p>
 </div>
 <div class="ui attached segment form ignore-dirty">
-	{{.CsrfTokenHtml}}
 	<div class="field">
 		<label for="client-id">{{ctx.Locale.Tr "settings.oauth2_client_id"}}</label>
 		<input id="client-id" readonly value="{{.App.ClientID}}">
@@ -24,7 +23,6 @@
 	<div class="item">
 		<!-- TODO add regenerate secret functionality */ -->
 		<form class="ui form ignore-dirty" action="{{.FormActionPath}}/regenerate_secret" method="post">
-			{{.CsrfTokenHtml}}
 			{{ctx.Locale.Tr "settings.oauth2_regenerate_secret_hint"}}
 			<button class="ui mini button tw-ml-2" type="submit">{{ctx.Locale.Tr "settings.oauth2_regenerate_secret"}}</button>
 		</form>
@@ -32,7 +30,6 @@
 </div>
 <div class="ui bottom attached segment">
 	<form class="ui form ignore-dirty" action="{{.FormActionPath}}" method="post">
-		{{.CsrfTokenHtml}}
 		<div class="field {{if .Err_AppName}}error{{end}}">
 			<label for="application-name">{{ctx.Locale.Tr "settings.oauth2_application_name"}}</label>
 			<input id="application-name" value="{{.App.Name}}" name="application_name" required maxlength="255">
diff --git a/templates/user/settings/applications_oauth2_list.tmpl b/templates/user/settings/applications_oauth2_list.tmpl
index 418d8e9cfc1ac..e1439a9369ac4 100644
--- a/templates/user/settings/applications_oauth2_list.tmpl
+++ b/templates/user/settings/applications_oauth2_list.tmpl
@@ -51,7 +51,6 @@
 	<details {{if .application_name}}open{{end}}>
 		<summary><h4 class="ui header tw-inline-block tw-my-2">{{ctx.Locale.Tr "settings.create_oauth2_application"}}</h4></summary>
 		<form class="ui form ignore-dirty" action="{{.Link}}/oauth2" method="post">
-			{{.CsrfTokenHtml}}
 			<div class="field {{if .Err_AppName}}error{{end}}">
 				<label for="application-name">{{ctx.Locale.Tr "settings.oauth2_application_name"}}</label>
 				<input id="application-name" name="application_name" value="{{.application_name}}" required maxlength="255">
diff --git a/templates/user/settings/keys_gpg.tmpl b/templates/user/settings/keys_gpg.tmpl
index bb45ea58c5cb4..1c85605648b89 100644
--- a/templates/user/settings/keys_gpg.tmpl
+++ b/templates/user/settings/keys_gpg.tmpl
@@ -7,7 +7,6 @@
 <div class="ui attached segment">
 	<div class="{{if not .HasGPGError}}tw-hidden{{end}} tw-mb-4" id="add-gpg-key-panel">
 		<form class="ui form{{if .HasGPGError}} error{{end}}" action="{{.Link}}" method="post">
-			{{.CsrfTokenHtml}}
 			<input type="hidden" name="title" value="none">
 			<div class="field {{if .Err_Content}}error{{end}}">
 				<label for="gpg-key-content">{{ctx.Locale.Tr "settings.key_content"}}</label>
@@ -81,7 +80,6 @@
 				<div class="ui  segment">
 					<h4>{{ctx.Locale.Tr "settings.gpg_token_required"}}</h4>
 					<form class="ui form{{if $.HasGPGVerifyError}} error{{end}}" action="{{$.Link}}" method="post">
-						{{$.CsrfTokenHtml}}
 						<input type="hidden" name="title" value="none">
 						<input type="hidden" name="content" value="{{.KeyID}}">
 						<input type="hidden" name="key_id" value="{{.KeyID}}">
diff --git a/templates/user/settings/keys_principal.tmpl b/templates/user/settings/keys_principal.tmpl
index cf335f726d44c..2b442338a66bb 100644
--- a/templates/user/settings/keys_principal.tmpl
+++ b/templates/user/settings/keys_principal.tmpl
@@ -42,7 +42,6 @@
 		</h4>
 		<div class="ui attached segment">
 			<form class="ui form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<div class="field {{if .Err_Content}}error{{end}}">
 					<label for="ssh-principal-content">{{ctx.Locale.Tr "settings.principal_content"}}</label>
 					<input id="ssh-principal-content" name="content" value="{{.content}}" autofocus required>
diff --git a/templates/user/settings/keys_ssh.tmpl b/templates/user/settings/keys_ssh.tmpl
index 02bcc937ffab9..f5aa25f4bdd07 100644
--- a/templates/user/settings/keys_ssh.tmpl
+++ b/templates/user/settings/keys_ssh.tmpl
@@ -9,7 +9,6 @@
 <div class="ui attached segment">
 	<div class="{{if not .HasSSHError}}tw-hidden{{end}} tw-mb-4" id="add-ssh-key-panel">
 		<form class="ui form" action="{{.Link}}" method="post">
-			{{.CsrfTokenHtml}}
 			<div class="field {{if .Err_Title}}error{{end}}">
 				<label for="ssh-key-title">{{ctx.Locale.Tr "settings.key_name"}}</label>
 				<input id="ssh-key-title" name="title" value="{{.title}}" autofocus required maxlength="50">
@@ -69,7 +68,6 @@
 				<div class="ui segment">
 					<h4>{{ctx.Locale.Tr "settings.ssh_token_required"}}</h4>
 					<form class="ui form{{if $.HasSSHVerifyError}} error{{end}}" action="{{$.Link}}" method="post">
-						{{$.CsrfTokenHtml}}
 						<input type="hidden" name="title" value="none">
 						<input type="hidden" name="content" value="{{.Content}}">
 						<input type="hidden" name="fingerprint" value="{{.Fingerprint}}">
diff --git a/templates/user/settings/notifications.tmpl b/templates/user/settings/notifications.tmpl
index 40094aab4ca3d..b57b63ac42456 100644
--- a/templates/user/settings/notifications.tmpl
+++ b/templates/user/settings/notifications.tmpl
@@ -7,7 +7,6 @@
 			<div class="ui list flex-items-block">
 				<div class="item">
 					<form class="ui form tw-w-full" action="{{AppSubUrl}}/user/settings/notifications/email" method="post">
-						{{$.CsrfTokenHtml}}
 						<div class="field">
 							<label>{{ctx.Locale.Tr "settings.email_desc"}}</label>
 							<div class="ui selection dropdown">
@@ -38,7 +37,6 @@
 			<div class="ui list flex-items-block">
 				<div class="item">
 					<form class="ui form tw-w-full" action="{{AppSubUrl}}/user/settings/notifications/actions" method="post">
-						{{$.CsrfTokenHtml}}
 						<div class="field">
 							<label>{{ctx.Locale.Tr "settings.email_notifications.actions.desc" "https://docs.gitea.com/usage/actions/overview/"}}</label>
 							<div class="ui selection dropdown">
diff --git a/templates/user/settings/organization.tmpl b/templates/user/settings/organization.tmpl
index a48ca9ec9bcd9..0dd89b2fd718c 100644
--- a/templates/user/settings/organization.tmpl
+++ b/templates/user/settings/organization.tmpl
@@ -24,7 +24,6 @@
 						</div>
 						<div class="flex-item-trailing">
 							<form>
-								{{$.CsrfTokenHtml}}
 								<button class="ui red button delete-button" data-modal-id="leave-organization"
 												data-url="{{.OrganisationLink}}/members/action/leave" data-datauid="{{$.SignedUser.ID}}"
 												data-name="{{$.SignedUser.DisplayName}}"
diff --git a/templates/user/settings/packages.tmpl b/templates/user/settings/packages.tmpl
index 80853eab14dfb..ef4a7c8be2890 100644
--- a/templates/user/settings/packages.tmpl
+++ b/templates/user/settings/packages.tmpl
@@ -12,7 +12,6 @@
 					<label>{{ctx.Locale.Tr "packages.owner.settings.chef.keypair.description"}}</label>
 				</div>
 				<form class="field" action="{{.Link}}/chef/regenerate_keypair" method="post">
-					{{.CsrfTokenHtml}}
 					<button class="ui primary button">{{ctx.Locale.Tr "packages.owner.settings.chef.keypair"}}</button>
 				</form>
 				<div class="field">
diff --git a/templates/user/settings/profile.tmpl b/templates/user/settings/profile.tmpl
index d8e5e27b896a6..4bef937b43137 100644
--- a/templates/user/settings/profile.tmpl
+++ b/templates/user/settings/profile.tmpl
@@ -6,7 +6,6 @@
 		<div class="ui attached segment">
 			<p>{{ctx.Locale.Tr "settings.profile_desc"}}</p>
 			<form class="ui form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<div class="required field {{if .Err_Name}}error{{end}}">
 					<label for="username">{{ctx.Locale.Tr "username"}}
 						<span class="text red tw-hidden" id="name-change-prompt"> {{ctx.Locale.Tr "settings.change_username_prompt"}}</span>
@@ -102,7 +101,6 @@
 		</h4>
 		<div class="ui attached segment">
 			<form class="ui form" action="{{.Link}}/avatar" method="post" enctype="multipart/form-data">
-				{{.CsrfTokenHtml}}
 				{{if not .DisableGravatar}}
 				<div class="inline field">
 					<div class="ui radio checkbox">
diff --git a/templates/user/settings/repos.tmpl b/templates/user/settings/repos.tmpl
index 4aed8070de04b..89c44003255c4 100644
--- a/templates/user/settings/repos.tmpl
+++ b/templates/user/settings/repos.tmpl
@@ -43,7 +43,6 @@
 														<p>{{ctx.Locale.Tr "repo.adopt_preexisting_content" $dir}}</p>
 													</div>
 													<form class="ui form" method="post" action="{{AppSubUrl}}/user/settings/repos/unadopted">
-														{{$.CsrfTokenHtml}}
 														<input type="hidden" name="id" value="{{$dir}}">
 														<input type="hidden" name="action" value="adopt">
 														{{template "base/modal_actions_confirm" $}}
@@ -60,7 +59,6 @@
 														<p>{{ctx.Locale.Tr "repo.delete_preexisting_content" $dir}}</p>
 													</div>
 													<form class="ui form" method="post" action="{{AppSubUrl}}/user/settings/repos/unadopted">
-														{{$.CsrfTokenHtml}}
 														<input type="hidden" name="id" value="{{$dir}}">
 														<input type="hidden" name="action" value="delete">
 														{{template "base/modal_actions_confirm" $}}
diff --git a/templates/user/settings/security/openid.tmpl b/templates/user/settings/security/openid.tmpl
index 87ba953e79eb9..3e7a478bf4a68 100644
--- a/templates/user/settings/security/openid.tmpl
+++ b/templates/user/settings/security/openid.tmpl
@@ -16,7 +16,6 @@
 				</div>
 				<div class="flex-item-trailing">
 					<form action="{{AppSubUrl}}/user/settings/security/openid/toggle_visibility" method="post">
-						{{$.CsrfTokenHtml}}
 						<input name="id" type="hidden" value="{{.ID}}">
 						{{if .Show}}
 							<button class="ui tiny button">
@@ -40,7 +39,6 @@
 </div>
 <div class="ui bottom attached segment">
 	<form class="ui form" action="{{AppSubUrl}}/user/settings/security/openid" method="post">
-		{{.CsrfTokenHtml}}
 		<div class="required field {{if .Err_OpenID}}error{{end}}">
 			<label for="openid">{{ctx.Locale.Tr "settings.add_new_openid"}}</label>
 			<input id="openid" name="openid" type="text" required>
diff --git a/templates/user/settings/security/twofa.tmpl b/templates/user/settings/security/twofa.tmpl
index adebce4265379..29dd9df6c8f7a 100644
--- a/templates/user/settings/security/twofa.tmpl
+++ b/templates/user/settings/security/twofa.tmpl
@@ -6,12 +6,10 @@
 	{{if .TOTPEnrolled}}
 	<p>{{ctx.Locale.Tr "settings.twofa_is_enrolled"}}</p>
 	<form class="ui form" action="{{AppSubUrl}}/user/settings/security/two_factor/regenerate_scratch" method="post" enctype="multipart/form-data">
-		{{.CsrfTokenHtml}}
 		<p>{{ctx.Locale.Tr "settings.regenerate_scratch_token_desc"}}</p>
 		<button class="ui primary button">{{ctx.Locale.Tr "settings.twofa_scratch_token_regenerate"}}</button>
 	</form>
 	<form class="ui form" action="{{AppSubUrl}}/user/settings/security/two_factor/disable" method="post" enctype="multipart/form-data" id="disable-form">
-		{{.CsrfTokenHtml}}
 		<p>{{ctx.Locale.Tr "settings.twofa_disable_note"}}</p>
 		<button class="ui red button delete-button" data-modal-id="disable-twofa" data-type="form" data-form="#disable-form">{{ctx.Locale.Tr "settings.twofa_disable"}}</button>
 	</form>
diff --git a/templates/user/settings/security/twofa_enroll.tmpl b/templates/user/settings/security/twofa_enroll.tmpl
index d6bfadf0849d1..6232bd7827da6 100644
--- a/templates/user/settings/security/twofa_enroll.tmpl
+++ b/templates/user/settings/security/twofa_enroll.tmpl
@@ -9,7 +9,6 @@
 			<p>{{ctx.Locale.Tr "settings.or_enter_secret" .TwofaSecret}}</p>
 			<p>{{ctx.Locale.Tr "settings.then_enter_passcode"}}</p>
 			<form class="ui form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<div class="inline required field {{if .Err_Passcode}}error{{end}}">
 					<label for="passcode">{{ctx.Locale.Tr "passcode"}}</label>
 					<input id="passcode" name="passcode" autofocus required>
diff --git a/tests/integration/actions_approve_test.go b/tests/integration/actions_approve_test.go
index 04b8bcb715676..f2d6f75f88cb4 100644
--- a/tests/integration/actions_approve_test.go
+++ b/tests/integration/actions_approve_test.go
@@ -127,10 +127,7 @@ jobs:
 		)
 
 		// user2 approves all runs
-		req = NewRequestWithValues(t, "POST", dataURL,
-			map[string]string{
-				"_csrf": GetUserCSRFToken(t, user2Session),
-			})
+		req = NewRequest(t, "POST", dataURL)
 		user2Session.MakeRequest(t, req, http.StatusOK)
 
 		// check runs
diff --git a/tests/integration/actions_concurrency_test.go b/tests/integration/actions_concurrency_test.go
index cc61368260529..653376d5548f1 100644
--- a/tests/integration/actions_concurrency_test.go
+++ b/tests/integration/actions_concurrency_test.go
@@ -51,7 +51,7 @@ func TestWorkflowConcurrency(t *testing.T) {
 
 		wf1TreePath := ".gitea/workflows/concurrent-workflow-1.yml"
 		wf1FileContent := `name: concurrent-workflow-1
-on: 
+on:
   push:
     paths:
       - '.gitea/workflows/concurrent-workflow-1.yml'
@@ -65,7 +65,7 @@ jobs:
 `
 		wf2TreePath := ".gitea/workflows/concurrent-workflow-2.yml"
 		wf2FileContent := `name: concurrent-workflow-2
-on: 
+on:
   push:
     paths:
       - '.gitea/workflows/concurrent-workflow-2.yml'
@@ -79,7 +79,7 @@ jobs:
 `
 		wf3TreePath := ".gitea/workflows/concurrent-workflow-3.yml"
 		wf3FileContent := `name: concurrent-workflow-3
-on: 
+on:
   push:
     paths:
       - '.gitea/workflows/concurrent-workflow-3.yml'
@@ -159,7 +159,7 @@ func TestWorkflowConcurrencyShort(t *testing.T) {
 
 		wf1TreePath := ".gitea/workflows/concurrent-workflow-1.yml"
 		wf1FileContent := `name: concurrent-workflow-1
-on: 
+on:
   push:
     paths:
       - '.gitea/workflows/concurrent-workflow-1.yml'
@@ -172,7 +172,7 @@ jobs:
 `
 		wf2TreePath := ".gitea/workflows/concurrent-workflow-2.yml"
 		wf2FileContent := `name: concurrent-workflow-2
-on: 
+on:
   push:
     paths:
       - '.gitea/workflows/concurrent-workflow-2.yml'
@@ -185,7 +185,7 @@ jobs:
 `
 		wf3TreePath := ".gitea/workflows/concurrent-workflow-3.yml"
 		wf3FileContent := `name: concurrent-workflow-3
-on: 
+on:
   push:
     paths:
       - '.gitea/workflows/concurrent-workflow-3.yml'
@@ -264,7 +264,7 @@ func TestWorkflowConcurrencyShortJson(t *testing.T) {
 
 		wf1TreePath := ".gitea/workflows/concurrent-workflow-1.yml"
 		wf1FileContent := `name: concurrent-workflow-1
-on: 
+on:
   push:
     paths:
       - '.gitea/workflows/concurrent-workflow-1.yml'
@@ -281,7 +281,7 @@ jobs:
 `
 		wf2TreePath := ".gitea/workflows/concurrent-workflow-2.yml"
 		wf2FileContent := `name: concurrent-workflow-2
-on: 
+on:
   push:
     paths:
       - '.gitea/workflows/concurrent-workflow-2.yml'
@@ -298,7 +298,7 @@ jobs:
 `
 		wf3TreePath := ".gitea/workflows/concurrent-workflow-3.yml"
 		wf3FileContent := `name: concurrent-workflow-3
-on: 
+on:
   push:
     paths:
       - '.gitea/workflows/concurrent-workflow-3.yml'
@@ -454,11 +454,7 @@ jobs:
 		runner.fetchNoTask(t)
 		// user2 approves the run
 		pr2Run1 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{RepoID: baseRepo.ID, TriggerUserID: user4.ID})
-		req = NewRequestWithValues(t, "POST",
-			fmt.Sprintf("/%s/%s/actions/runs/%d/approve", baseRepo.OwnerName, baseRepo.Name, pr2Run1.Index),
-			map[string]string{
-				"_csrf": GetUserCSRFToken(t, user2Session),
-			})
+		req = NewRequest(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/approve", baseRepo.OwnerName, baseRepo.Name, pr2Run1.Index))
 		user2Session.MakeRequest(t, req, http.StatusOK)
 		// fetch the task and the previous task has been cancelled
 		pr2Task1 := runner.fetchTask(t)
@@ -532,7 +528,7 @@ func TestJobConcurrency(t *testing.T) {
 
 		wf1TreePath := ".gitea/workflows/concurrent-workflow-1.yml"
 		wf1FileContent := `name: concurrent-workflow-1
-on: 
+on:
   push:
     paths:
       - '.gitea/workflows/concurrent-workflow-1.yml'
@@ -546,7 +542,7 @@ jobs:
 `
 		wf2TreePath := ".gitea/workflows/concurrent-workflow-2.yml"
 		wf2FileContent := `name: concurrent-workflow-2
-on: 
+on:
   push:
     paths:
       - '.gitea/workflows/concurrent-workflow-2.yml'
@@ -554,7 +550,7 @@ jobs:
   wf2-job1:
     runs-on: runner2
     outputs:
-      version: ${{ steps.version_step.outputs.app_version }} 
+      version: ${{ steps.version_step.outputs.app_version }}
     steps:
       - id: version_step
         run: echo "app_version=v1.23.0" >> "$GITHUB_OUTPUT"
@@ -568,7 +564,7 @@ jobs:
 `
 		wf3TreePath := ".gitea/workflows/concurrent-workflow-3.yml"
 		wf3FileContent := `name: concurrent-workflow-3
-on: 
+on:
   push:
     paths:
       - '.gitea/workflows/concurrent-workflow-3.yml'
@@ -624,9 +620,7 @@ jobs:
 		assert.Equal(t, actions_model.StatusCancelled, wf2Job2ActionJob.Status)
 
 		// rerun wf2
-		req = NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/rerun", user2.Name, repo.Name, wf2Run.Index), map[string]string{
-			"_csrf": GetUserCSRFToken(t, session),
-		})
+		req = NewRequest(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/rerun", user2.Name, repo.Name, wf2Run.Index))
 		_ = session.MakeRequest(t, req, http.StatusOK)
 
 		// (rerun1) cannot fetch wf2-job2
@@ -650,9 +644,7 @@ jobs:
 		assert.Equal(t, "job-main-v1.24.0", wf2Job2Rerun1Job.ConcurrencyGroup)
 
 		// rerun wf2-job2
-		req = NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/jobs/%d/rerun", user2.Name, repo.Name, wf2Run.Index, 1), map[string]string{
-			"_csrf": GetUserCSRFToken(t, session),
-		})
+		req = NewRequest(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/jobs/%d/rerun", user2.Name, repo.Name, wf2Run.Index, 1))
 		_ = session.MakeRequest(t, req, http.StatusOK)
 		// (rerun2) fetch and exec wf2-job2
 		wf2Job2Rerun2Task := runner1.fetchTask(t)
@@ -684,7 +676,7 @@ func TestMatrixConcurrency(t *testing.T) {
 
 		wf1TreePath := ".gitea/workflows/concurrent-workflow-1.yml"
 		wf1FileContent := `name: concurrent-workflow-1
-on: 
+on:
   push:
     paths:
       - '.gitea/workflows/concurrent-workflow-1.yml'
@@ -702,7 +694,7 @@ jobs:
 
 		wf2TreePath := ".gitea/workflows/concurrent-workflow-2.yml"
 		wf2FileContent := `name: concurrent-workflow-2
-on: 
+on:
   push:
     paths:
       - '.gitea/workflows/concurrent-workflow-2.yml'
@@ -806,7 +798,6 @@ jobs:
 		// run the workflow with appVersion=v1.21 and cancel=false
 		urlStr := fmt.Sprintf("/%s/%s/actions/run?workflow=%s", user2.Name, repo.Name, "workflow-dispatch-concurrency.yml")
 		req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
-			"_csrf":      GetUserCSRFToken(t, session),
 			"ref":        "refs/heads/main",
 			"appVersion": "v1.21",
 		})
@@ -817,7 +808,6 @@ jobs:
 
 		// run the workflow with appVersion=v1.22 and cancel=false
 		req = NewRequestWithValues(t, "POST", urlStr, map[string]string{
-			"_csrf":      GetUserCSRFToken(t, session),
 			"ref":        "refs/heads/main",
 			"appVersion": "v1.22",
 		})
@@ -828,7 +818,6 @@ jobs:
 
 		// run the workflow with appVersion=v1.22 and cancel=false again
 		req = NewRequestWithValues(t, "POST", urlStr, map[string]string{
-			"_csrf":      GetUserCSRFToken(t, session),
 			"ref":        "refs/heads/main",
 			"appVersion": "v1.22",
 		})
@@ -837,7 +826,6 @@ jobs:
 
 		// run the workflow with appVersion=v1.22 and cancel=true
 		req = NewRequestWithValues(t, "POST", urlStr, map[string]string{
-			"_csrf":      GetUserCSRFToken(t, session),
 			"ref":        "refs/heads/main",
 			"appVersion": "v1.22",
 			"cancel":     "on",
@@ -900,7 +888,6 @@ jobs:
 		// run the workflow with appVersion=v1.21 and cancel=false
 		urlStr := fmt.Sprintf("/%s/%s/actions/run?workflow=%s", user2.Name, repo.Name, "workflow-dispatch-concurrency.yml")
 		req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
-			"_csrf":      GetUserCSRFToken(t, session),
 			"ref":        "refs/heads/main",
 			"appVersion": "v1.21",
 		})
@@ -910,7 +897,6 @@ jobs:
 		assert.Equal(t, "workflow-dispatch-v1.21", run1.ConcurrencyGroup)
 
 		req = NewRequestWithValues(t, "POST", urlStr, map[string]string{
-			"_csrf":      GetUserCSRFToken(t, session),
 			"ref":        "refs/heads/main",
 			"appVersion": "v1.22",
 		})
@@ -921,7 +907,6 @@ jobs:
 
 		// run the workflow with appVersion=v1.22 and cancel=false again
 		req = NewRequestWithValues(t, "POST", urlStr, map[string]string{
-			"_csrf":      GetUserCSRFToken(t, session),
 			"ref":        "refs/heads/main",
 			"appVersion": "v1.22",
 		})
@@ -931,7 +916,6 @@ jobs:
 
 		// run the workflow with appVersion=v1.22 and cancel=true
 		req = NewRequestWithValues(t, "POST", urlStr, map[string]string{
-			"_csrf":      GetUserCSRFToken(t, session),
 			"ref":        "refs/heads/main",
 			"appVersion": "v1.22",
 			"cancel":     "on",
@@ -950,14 +934,10 @@ jobs:
 
 		// rerun cancel true scenario
 
-		req = NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/rerun", user2.Name, apiRepo.Name, run2.Index), map[string]string{
-			"_csrf": GetUserCSRFToken(t, session),
-		})
+		req = NewRequest(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/rerun", user2.Name, apiRepo.Name, run2.Index))
 		_ = session.MakeRequest(t, req, http.StatusOK)
 
-		req = NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/rerun", user2.Name, apiRepo.Name, run4.Index), map[string]string{
-			"_csrf": GetUserCSRFToken(t, session),
-		})
+		req = NewRequest(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/rerun", user2.Name, apiRepo.Name, run4.Index))
 		_ = session.MakeRequest(t, req, http.StatusOK)
 
 		task5 := runner.fetchTask(t)
@@ -973,17 +953,13 @@ jobs:
 
 		// rerun cancel false scenario
 
-		req = NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/rerun", user2.Name, apiRepo.Name, run2.Index), map[string]string{
-			"_csrf": GetUserCSRFToken(t, session),
-		})
+		req = NewRequest(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/rerun", user2.Name, apiRepo.Name, run2.Index))
 		_ = session.MakeRequest(t, req, http.StatusOK)
 
 		run2_2 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: run2.ID})
 		assert.Equal(t, actions_model.StatusWaiting, run2_2.Status)
 
-		req = NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/rerun", user2.Name, apiRepo.Name, run2.Index+1), map[string]string{
-			"_csrf": GetUserCSRFToken(t, session),
-		})
+		req = NewRequest(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/rerun", user2.Name, apiRepo.Name, run2.Index+1))
 		_ = session.MakeRequest(t, req, http.StatusOK)
 
 		task6 := runner.fetchTask(t)
@@ -1044,7 +1020,6 @@ jobs:
 		// run the workflow with appVersion=v1.21 and cancel=false
 		urlStr := fmt.Sprintf("/%s/%s/actions/run?workflow=%s", user2.Name, repo.Name, "workflow-dispatch-concurrency.yml")
 		req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
-			"_csrf":      GetUserCSRFToken(t, session),
 			"ref":        "refs/heads/main",
 			"appVersion": "v1.21",
 		})
@@ -1054,7 +1029,6 @@ jobs:
 		assert.Equal(t, "workflow-dispatch-v1.21", run1.ConcurrencyGroup)
 
 		req = NewRequestWithValues(t, "POST", urlStr, map[string]string{
-			"_csrf":      GetUserCSRFToken(t, session),
 			"ref":        "refs/heads/main",
 			"appVersion": "v1.22",
 		})
@@ -1065,7 +1039,6 @@ jobs:
 
 		// run the workflow with appVersion=v1.22 and cancel=false again
 		req = NewRequestWithValues(t, "POST", urlStr, map[string]string{
-			"_csrf":      GetUserCSRFToken(t, session),
 			"ref":        "refs/heads/main",
 			"appVersion": "v1.22",
 		})
@@ -1075,7 +1048,6 @@ jobs:
 
 		// run the workflow with appVersion=v1.22 and cancel=true
 		req = NewRequestWithValues(t, "POST", urlStr, map[string]string{
-			"_csrf":      GetUserCSRFToken(t, session),
 			"ref":        "refs/heads/main",
 			"appVersion": "v1.22",
 			"cancel":     "on",
@@ -1094,14 +1066,10 @@ jobs:
 
 		// rerun cancel true scenario
 
-		req = NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/jobs/%d/rerun", user2.Name, apiRepo.Name, run2.Index, 1), map[string]string{
-			"_csrf": GetUserCSRFToken(t, session),
-		})
+		req = NewRequest(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/jobs/%d/rerun", user2.Name, apiRepo.Name, run2.Index, 1))
 		_ = session.MakeRequest(t, req, http.StatusOK)
 
-		req = NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/jobs/%d/rerun", user2.Name, apiRepo.Name, run4.Index, 1), map[string]string{
-			"_csrf": GetUserCSRFToken(t, session),
-		})
+		req = NewRequest(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/jobs/%d/rerun", user2.Name, apiRepo.Name, run4.Index, 1))
 		_ = session.MakeRequest(t, req, http.StatusOK)
 
 		task5 := runner.fetchTask(t)
@@ -1117,17 +1085,13 @@ jobs:
 
 		// rerun cancel false scenario
 
-		req = NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/jobs/%d/rerun", user2.Name, apiRepo.Name, run2.Index, 1), map[string]string{
-			"_csrf": GetUserCSRFToken(t, session),
-		})
+		req = NewRequest(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/jobs/%d/rerun", user2.Name, apiRepo.Name, run2.Index, 1))
 		_ = session.MakeRequest(t, req, http.StatusOK)
 
 		run2_2 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: run2.ID})
 		assert.Equal(t, actions_model.StatusWaiting, run2_2.Status)
 
-		req = NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/jobs/%d/rerun", user2.Name, apiRepo.Name, run2.Index+1, 1), map[string]string{
-			"_csrf": GetUserCSRFToken(t, session),
-		})
+		req = NewRequest(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/jobs/%d/rerun", user2.Name, apiRepo.Name, run2.Index+1, 1))
 		_ = session.MakeRequest(t, req, http.StatusOK)
 
 		task6 := runner.fetchTask(t)
@@ -1259,7 +1223,7 @@ func TestWorkflowAndJobConcurrency(t *testing.T) {
 
 		wf1TreePath := ".gitea/workflows/concurrent-workflow-1.yml"
 		wf1FileContent := `name: concurrent-workflow-1
-on: 
+on:
   push:
     paths:
       - '.gitea/workflows/concurrent-workflow-1.yml'
@@ -1281,7 +1245,7 @@ jobs:
 `
 		wf2TreePath := ".gitea/workflows/concurrent-workflow-2.yml"
 		wf2FileContent := `name: concurrent-workflow-2
-on: 
+on:
   push:
     paths:
       - '.gitea/workflows/concurrent-workflow-2.yml'
@@ -1303,7 +1267,7 @@ jobs:
 `
 		wf3TreePath := ".gitea/workflows/concurrent-workflow-3.yml"
 		wf3FileContent := `name: concurrent-workflow-3
-on: 
+on:
   push:
     paths:
       - '.gitea/workflows/concurrent-workflow-3.yml'
@@ -1320,7 +1284,7 @@ jobs:
 
 		wf4TreePath := ".gitea/workflows/concurrent-workflow-4.yml"
 		wf4FileContent := `name: concurrent-workflow-4
-on: 
+on:
   push:
     paths:
       - '.gitea/workflows/concurrent-workflow-4.yml'
@@ -1491,9 +1455,7 @@ jobs:
 		runner.fetchNoTask(t)
 
 		// cancel the first run
-		req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/cancel", user2.Name, repo.Name, run1.Index), map[string]string{
-			"_csrf": GetUserCSRFToken(t, user2Session),
-		})
+		req := NewRequest(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/cancel", user2.Name, repo.Name, run1.Index))
 		user2Session.MakeRequest(t, req, http.StatusOK)
 
 		// the first run has been cancelled
@@ -1525,7 +1487,7 @@ func TestAbandonConcurrentRun(t *testing.T) {
 
 		wf1TreePath := ".gitea/workflows/workflow-1.yml"
 		wf1FileContent := `name: Workflow-1
-on: 
+on:
   push:
     paths:
       - '.gitea/workflows/workflow-1.yml'
@@ -1544,7 +1506,7 @@ jobs:
 
 		wf2TreePath := ".gitea/workflows/workflow-2.yml"
 		wf2FileContent := `name: Workflow-2
-on: 
+on:
   push:
     paths:
       - '.gitea/workflows/workflow-2.yml'
@@ -1624,7 +1586,7 @@ func TestRunAndJobWithSameConcurrencyGroup(t *testing.T) {
 
 		wf1TreePath := ".gitea/workflows/concurrent-workflow-1.yml"
 		wf1FileContent := `name: concurrent-workflow-1
-on: 
+on:
   push:
     paths:
       - '.gitea/workflows/concurrent-workflow-1.yml'
@@ -1638,7 +1600,7 @@ jobs:
 `
 		wf2TreePath := ".gitea/workflows/concurrent-workflow-2.yml"
 		wf2FileContent := `name: concurrent-workflow-2
-on: 
+on:
   push:
     paths:
       - '.gitea/workflows/concurrent-workflow-2.yml'
@@ -1652,7 +1614,7 @@ jobs:
 `
 		wf3TreePath := ".gitea/workflows/concurrent-workflow-3.yml"
 		wf3FileContent := `name: concurrent-workflow-3
-on: 
+on:
   push:
     paths:
       - '.gitea/workflows/concurrent-workflow-3.yml'
diff --git a/tests/integration/actions_delete_run_test.go b/tests/integration/actions_delete_run_test.go
index 22f9a1f7409da..4e53d23bd414b 100644
--- a/tests/integration/actions_delete_run_test.go
+++ b/tests/integration/actions_delete_run_test.go
@@ -133,9 +133,7 @@ jobs:
 		}
 
 		for i := 0; i < len(testCase.outcomes); i++ {
-			req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%s/jobs/%d", user2.Name, apiRepo.Name, runIndex, i), map[string]string{
-				"_csrf": GetUserCSRFToken(t, session),
-			})
+			req := NewRequest(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%s/jobs/%d", user2.Name, apiRepo.Name, runIndex, i))
 			resp := session.MakeRequest(t, req, http.StatusOK)
 			var listResp actions.ViewResponse
 			err := json.Unmarshal(resp.Body.Bytes(), &listResp)
@@ -147,30 +145,20 @@ jobs:
 			MakeRequest(t, req, http.StatusOK)
 		}
 
-		req := NewRequestWithValues(t, "GET", fmt.Sprintf("/%s/%s/actions/runs/%s", user2.Name, apiRepo.Name, runIndex), map[string]string{
-			"_csrf": GetUserCSRFToken(t, session),
-		})
+		req := NewRequest(t, "GET", fmt.Sprintf("/%s/%s/actions/runs/%s", user2.Name, apiRepo.Name, runIndex))
 		session.MakeRequest(t, req, http.StatusOK)
 
-		req = NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%s/delete", user2.Name, apiRepo.Name, runIndex), map[string]string{
-			"_csrf": GetUserCSRFToken(t, session),
-		})
+		req = NewRequest(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%s/delete", user2.Name, apiRepo.Name, runIndex))
 		session.MakeRequest(t, req, http.StatusOK)
 
-		req = NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%s/delete", user2.Name, apiRepo.Name, runIndex), map[string]string{
-			"_csrf": GetUserCSRFToken(t, session),
-		})
+		req = NewRequest(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%s/delete", user2.Name, apiRepo.Name, runIndex))
 		session.MakeRequest(t, req, http.StatusNotFound)
 
-		req = NewRequestWithValues(t, "GET", fmt.Sprintf("/%s/%s/actions/runs/%s", user2.Name, apiRepo.Name, runIndex), map[string]string{
-			"_csrf": GetUserCSRFToken(t, session),
-		})
+		req = NewRequest(t, "GET", fmt.Sprintf("/%s/%s/actions/runs/%s", user2.Name, apiRepo.Name, runIndex))
 		session.MakeRequest(t, req, http.StatusNotFound)
 
 		for i := 0; i < len(testCase.outcomes); i++ {
-			req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%s/jobs/%d", user2.Name, apiRepo.Name, runIndex, i), map[string]string{
-				"_csrf": GetUserCSRFToken(t, session),
-			})
+			req := NewRequest(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%s/jobs/%d", user2.Name, apiRepo.Name, runIndex, i))
 			session.MakeRequest(t, req, http.StatusNotFound)
 
 			req = NewRequest(t, "GET", fmt.Sprintf("/%s/%s/actions/runs/%s/jobs/%d/logs", user2.Name, apiRepo.Name, runIndex, i)).
diff --git a/tests/integration/actions_inputs_test.go b/tests/integration/actions_inputs_test.go
index 25ed9f71f8aac..9e29be343291a 100644
--- a/tests/integration/actions_inputs_test.go
+++ b/tests/integration/actions_inputs_test.go
@@ -62,9 +62,8 @@ jobs:
 		// run the workflow with os=windows
 		urlStr := fmt.Sprintf("/%s/%s/actions/run?workflow=%s", user2.Name, repo.Name, "test-inputs-context.yml")
 		req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
-			"_csrf": GetUserCSRFToken(t, session),
-			"ref":   "refs/heads/main",
-			"os":    "windows",
+			"ref": "refs/heads/main",
+			"os":  "windows",
 		})
 		session.MakeRequest(t, req, http.StatusSeeOther)
 
diff --git a/tests/integration/actions_rerun_test.go b/tests/integration/actions_rerun_test.go
index 690d661e6c910..59014c2313aa3 100644
--- a/tests/integration/actions_rerun_test.go
+++ b/tests/integration/actions_rerun_test.go
@@ -33,7 +33,7 @@ func TestActionsRerun(t *testing.T) {
 
 		wfTreePath := ".gitea/workflows/actions-rerun-workflow-1.yml"
 		wfFileContent := `name: actions-rerun-workflow-1
-on: 
+on:
   push:
     paths:
       - '.gitea/workflows/actions-rerun-workflow-1.yml'
@@ -59,9 +59,7 @@ jobs:
 			result: runnerv1.Result_RESULT_SUCCESS,
 		})
 		// RERUN-FAILURE: the run is not done
-		req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/rerun", user2.Name, repo.Name, run.Index), map[string]string{
-			"_csrf": GetUserCSRFToken(t, session),
-		})
+		req := NewRequest(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/rerun", user2.Name, repo.Name, run.Index))
 		session.MakeRequest(t, req, http.StatusBadRequest)
 		// fetch and exec job2
 		job2Task := runner.fetchTask(t)
@@ -70,9 +68,7 @@ jobs:
 		})
 
 		// RERUN-1: rerun the run
-		req = NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/rerun", user2.Name, repo.Name, run.Index), map[string]string{
-			"_csrf": GetUserCSRFToken(t, session),
-		})
+		req = NewRequest(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/rerun", user2.Name, repo.Name, run.Index))
 		session.MakeRequest(t, req, http.StatusOK)
 		// fetch and exec job1
 		job1TaskR1 := runner.fetchTask(t)
@@ -86,9 +82,7 @@ jobs:
 		})
 
 		// RERUN-2: rerun job1
-		req = NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/jobs/%d/rerun", user2.Name, repo.Name, run.Index, 0), map[string]string{
-			"_csrf": GetUserCSRFToken(t, session),
-		})
+		req = NewRequest(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/jobs/%d/rerun", user2.Name, repo.Name, run.Index, 0))
 		session.MakeRequest(t, req, http.StatusOK)
 		// job2 needs job1, so rerunning job1 will also rerun job2
 		// fetch and exec job1
@@ -103,9 +97,7 @@ jobs:
 		})
 
 		// RERUN-3: rerun job2
-		req = NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/jobs/%d/rerun", user2.Name, repo.Name, run.Index, 1), map[string]string{
-			"_csrf": GetUserCSRFToken(t, session),
-		})
+		req = NewRequest(t, "POST", fmt.Sprintf("/%s/%s/actions/runs/%d/jobs/%d/rerun", user2.Name, repo.Name, run.Index, 1))
 		session.MakeRequest(t, req, http.StatusOK)
 		// only job2 will rerun
 		// fetch and exec job2
diff --git a/tests/integration/actions_runner_modify_test.go b/tests/integration/actions_runner_modify_test.go
index 7d711bae49c7d..8a65dd625f4c4 100644
--- a/tests/integration/actions_runner_modify_test.go
+++ b/tests/integration/actions_runner_modify_test.go
@@ -50,16 +50,13 @@ func TestActionsRunnerModify(t *testing.T) {
 
 	doUpdate := func(t *testing.T, sess *TestSession, baseURL string, id int64, description string, expectedStatus int) {
 		req := NewRequestWithValues(t, "POST", fmt.Sprintf("%s/%d", baseURL, id), map[string]string{
-			"_csrf":       GetUserCSRFToken(t, sess),
 			"description": description,
 		})
 		sess.MakeRequest(t, req, expectedStatus)
 	}
 
 	doDelete := func(t *testing.T, sess *TestSession, baseURL string, id int64, expectedStatus int) {
-		req := NewRequestWithValues(t, "POST", fmt.Sprintf("%s/%d/delete", baseURL, id), map[string]string{
-			"_csrf": GetUserCSRFToken(t, sess),
-		})
+		req := NewRequest(t, "POST", fmt.Sprintf("%s/%d/delete", baseURL, id))
 		sess.MakeRequest(t, req, expectedStatus)
 	}
 
diff --git a/tests/integration/actions_settings_test.go b/tests/integration/actions_settings_test.go
index 935d8bbceb7f2..c87aaa8f03872 100644
--- a/tests/integration/actions_settings_test.go
+++ b/tests/integration/actions_settings_test.go
@@ -42,7 +42,6 @@ func TestActionsCollaborativeOwner(t *testing.T) {
 
 		// add user10 to the list of collaborative owners
 		req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/settings/actions/general/collaborative_owner/add", repo.Owner.UserName, repo.Name), map[string]string{
-			"_csrf":               GetUserCSRFToken(t, user2Session),
 			"collaborative_owner": user10.Name,
 		})
 		user2Session.MakeRequest(t, req, http.StatusOK)
@@ -51,9 +50,7 @@ func TestActionsCollaborativeOwner(t *testing.T) {
 		doGitClone(dstPath, u)(t)
 
 		// remove user10 from the list of collaborative owners
-		req = NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/settings/actions/general/collaborative_owner/delete?id=%d", repo.Owner.UserName, repo.Name, user10.ID), map[string]string{
-			"_csrf": GetUserCSRFToken(t, user2Session),
-		})
+		req = NewRequest(t, "POST", fmt.Sprintf("/%s/%s/settings/actions/general/collaborative_owner/delete?id=%d", repo.Owner.UserName, repo.Name, user10.ID))
 		user2Session.MakeRequest(t, req, http.StatusOK)
 
 		// the git clone will fail
diff --git a/tests/integration/actions_trigger_test.go b/tests/integration/actions_trigger_test.go
index 9dc0ddb9df8a5..fd3f2a029481a 100644
--- a/tests/integration/actions_trigger_test.go
+++ b/tests/integration/actions_trigger_test.go
@@ -1614,7 +1614,7 @@ func TestPullRequestWithPathsRebase(t *testing.T) {
 		testCreateFile(t, session, "user2", repoName, repo.DefaultBranch, "", "dir1/dir1.txt", "1")
 		testCreateFile(t, session, "user2", repoName, repo.DefaultBranch, "", "dir2/dir2.txt", "2")
 		wfFileContent := `name: ci
-on: 
+on:
   pull_request:
     paths:
       - 'dir1/**'
@@ -1639,12 +1639,10 @@ jobs:
 		apiPull, err := doAPICreatePullRequest(apiCtx, "user2", repoName, repo.DefaultBranch, "update-dir2")(t)
 		runner.fetchNoTask(t)
 		assert.NoError(t, err)
-		testEditFile(t, session, "user2", repoName, repo.DefaultBranch, "dir1/dir1.txt", "11") // change the file in "dir1"
-		req := NewRequestWithValues(t, "POST",
-			fmt.Sprintf("/%s/%s/pulls/%d/update?style=rebase", "user2", repoName, apiPull.Index), // update by rebase
-			map[string]string{
-				"_csrf": GetUserCSRFToken(t, session),
-			})
+		// change the file in "dir1"
+		testEditFile(t, session, "user2", repoName, repo.DefaultBranch, "dir1/dir1.txt", "11")
+		// update by rebase
+		req := NewRequest(t, "POST", fmt.Sprintf("/%s/%s/pulls/%d/update?style=rebase", "user2", repoName, apiPull.Index))
 		session.MakeRequest(t, req, http.StatusSeeOther)
 		runner.fetchNoTask(t)
 	})
diff --git a/tests/integration/actions_variables_test.go b/tests/integration/actions_variables_test.go
index c0d0bd371b5dc..b884b32ebf21c 100644
--- a/tests/integration/actions_variables_test.go
+++ b/tests/integration/actions_variables_test.go
@@ -50,17 +50,14 @@ func TestActionsVariables(t *testing.T) {
 
 	doUpdate := func(t *testing.T, sess *TestSession, baseURL string, id int64, data string, expectedStatus int) {
 		req := NewRequestWithValues(t, "POST", fmt.Sprintf("%s/%d/edit", baseURL, id), map[string]string{
-			"_csrf": GetUserCSRFToken(t, sess),
-			"name":  "VAR",
-			"data":  data,
+			"name": "VAR",
+			"data": data,
 		})
 		sess.MakeRequest(t, req, expectedStatus)
 	}
 
 	doDelete := func(t *testing.T, sess *TestSession, baseURL string, id int64, expectedStatus int) {
-		req := NewRequestWithValues(t, "POST", fmt.Sprintf("%s/%d/delete", baseURL, id), map[string]string{
-			"_csrf": GetUserCSRFToken(t, sess),
-		})
+		req := NewRequest(t, "POST", fmt.Sprintf("%s/%d/delete", baseURL, id))
 		sess.MakeRequest(t, req, expectedStatus)
 	}
 
diff --git a/tests/integration/admin_user_test.go b/tests/integration/admin_user_test.go
index 95e03ab75023e..621c5d1a12ea7 100644
--- a/tests/integration/admin_user_test.go
+++ b/tests/integration/admin_user_test.go
@@ -52,9 +52,7 @@ func testSuccessfullEdit(t *testing.T, formData user_model.User) {
 
 func makeRequest(t *testing.T, formData user_model.User, headerCode int) {
 	session := loginUser(t, "user1")
-	csrf := GetUserCSRFToken(t, session)
 	req := NewRequestWithValues(t, "POST", "/-/admin/users/"+strconv.Itoa(int(formData.ID))+"/edit", map[string]string{
-		"_csrf":      csrf,
 		"user_name":  formData.Name,
 		"login_name": formData.LoginName,
 		"login_type": "0-0",
@@ -96,10 +94,7 @@ func TestAdminDeleteUser(t *testing.T) {
 				query = "?purge=true"
 			}
 
-			csrf := GetUserCSRFToken(t, session)
-			req := NewRequestWithValues(t, "POST", fmt.Sprintf("/-/admin/users/%d/delete%s", entry.userID, query), map[string]string{
-				"_csrf": csrf,
-			})
+			req := NewRequest(t, "POST", fmt.Sprintf("/-/admin/users/%d/delete%s", entry.userID, query))
 			session.MakeRequest(t, req, http.StatusSeeOther)
 
 			assertUserDeleted(t, entry.userID)
diff --git a/tests/integration/api_httpsig_test.go b/tests/integration/api_httpsig_test.go
index b9dc508ad0928..284307597ba62 100644
--- a/tests/integration/api_httpsig_test.go
+++ b/tests/integration/api_httpsig_test.go
@@ -95,9 +95,7 @@ func TestHTTPSigCert(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 	session := loginUser(t, "user1")
 
-	csrf := GetUserCSRFToken(t, session)
 	req := NewRequestWithValues(t, "POST", "/user/settings/keys", map[string]string{
-		"_csrf":   csrf,
 		"content": "user1",
 		"title":   "principal",
 		"type":    "principal",
diff --git a/tests/integration/api_packages_container_test.go b/tests/integration/api_packages_container_test.go
index 3c2d8bac33ed5..efa04684afa34 100644
--- a/tests/integration/api_packages_container_test.go
+++ b/tests/integration/api_packages_container_test.go
@@ -826,7 +826,6 @@ func TestPackageContainer(t *testing.T) {
 		newOwnerName := "newUsername"
 
 		req := NewRequestWithValues(t, "POST", "/user/settings", map[string]string{
-			"_csrf":    GetUserCSRFToken(t, session),
 			"name":     newOwnerName,
 			"email":    "user2@example.com",
 			"language": "en-US",
@@ -836,7 +835,6 @@ func TestPackageContainer(t *testing.T) {
 		t.Run(fmt.Sprintf("Catalog[%s]", newOwnerName), checkCatalog(newOwnerName))
 
 		req = NewRequestWithValues(t, "POST", "/user/settings", map[string]string{
-			"_csrf":    GetUserCSRFToken(t, session),
 			"name":     user.Name,
 			"email":    "user2@example.com",
 			"language": "en-US",
diff --git a/tests/integration/api_repo_languages_test.go b/tests/integration/api_repo_languages_test.go
index 6347a43b4e171..2cde3936cf3d1 100644
--- a/tests/integration/api_repo_languages_test.go
+++ b/tests/integration/api_repo_languages_test.go
@@ -28,7 +28,6 @@ func TestRepoLanguages(t *testing.T) {
 
 		// Save new file to master branch
 		req = NewRequestWithValues(t, "POST", "/user2/repo1/_new/master/", map[string]string{
-			"_csrf":         doc.GetCSRF(),
 			"last_commit":   lastCommit,
 			"tree_path":     "test.go",
 			"content":       "package main",
diff --git a/tests/integration/api_repo_license_test.go b/tests/integration/api_repo_license_test.go
index fb4450a2bdef8..46bd992190cd0 100644
--- a/tests/integration/api_repo_license_test.go
+++ b/tests/integration/api_repo_license_test.go
@@ -43,7 +43,6 @@ func TestAPIRepoLicense(t *testing.T) {
 
 		// Save new file to master branch
 		req = NewRequestWithValues(t, "POST", "/user2/repo1/_new/master/", map[string]string{
-			"_csrf":         doc.GetCSRF(),
 			"last_commit":   lastCommit,
 			"tree_path":     "LICENSE",
 			"content":       testLicenseContent,
diff --git a/tests/integration/attachment_test.go b/tests/integration/attachment_test.go
index 18efde72142f9..0459371e3d586 100644
--- a/tests/integration/attachment_test.go
+++ b/tests/integration/attachment_test.go
@@ -33,7 +33,7 @@ func testGeneratePngBytes() []byte {
 	return buff.Bytes()
 }
 
-func testCreateIssueAttachment(t *testing.T, session *TestSession, csrf, repoURL, filename string, content []byte, expectedStatus int) string {
+func testCreateIssueAttachment(t *testing.T, session *TestSession, repoURL, filename string, content []byte, expectedStatus int) string {
 	body := &bytes.Buffer{}
 
 	// Setup multi-part
@@ -46,7 +46,6 @@ func testCreateIssueAttachment(t *testing.T, session *TestSession, csrf, repoURL
 	assert.NoError(t, err)
 
 	req := NewRequestWithBody(t, "POST", repoURL+"/issues/attachments", body)
-	req.Header.Add("X-Csrf-Token", csrf)
 	req.Header.Add("Content-Type", writer.FormDataContentType())
 	resp := session.MakeRequest(t, req, expectedStatus)
 
@@ -79,20 +78,20 @@ func testUploadAttachmentDeleteTemp(t *testing.T) {
 	defer web.RouteMock(route_web.RouterMockPointBeforeWebRoutes, func(resp http.ResponseWriter, req *http.Request) {
 		tmpFileCountDuringUpload = countTmpFile()
 	})()
-	_ = testCreateIssueAttachment(t, session, GetUserCSRFToken(t, session), "user2/repo1", "image.png", testGeneratePngBytes(), http.StatusOK)
+	_ = testCreateIssueAttachment(t, session, "user2/repo1", "image.png", testGeneratePngBytes(), http.StatusOK)
 	assert.Equal(t, 1, tmpFileCountDuringUpload, "the temp file should exist when uploaded size exceeds the parse form's max memory")
 	assert.Equal(t, 0, countTmpFile(), "the temp file should be deleted after upload")
 }
 
 func testCreateAnonymousAttachment(t *testing.T) {
 	session := emptyTestSession(t)
-	testCreateIssueAttachment(t, session, GetAnonymousCSRFToken(t, session), "user2/repo1", "image.png", testGeneratePngBytes(), http.StatusSeeOther)
+	testCreateIssueAttachment(t, session, "user2/repo1", "image.png", testGeneratePngBytes(), http.StatusSeeOther)
 }
 
 func testCreateUser2IssueAttachment(t *testing.T) {
 	const repoURL = "user2/repo1"
 	session := loginUser(t, "user2")
-	uuid := testCreateIssueAttachment(t, session, GetUserCSRFToken(t, session), repoURL, "image.png", testGeneratePngBytes(), http.StatusOK)
+	uuid := testCreateIssueAttachment(t, session, repoURL, "image.png", testGeneratePngBytes(), http.StatusOK)
 
 	req := NewRequest(t, "GET", repoURL+"/issues/new")
 	resp := session.MakeRequest(t, req, http.StatusOK)
@@ -102,7 +101,6 @@ func testCreateUser2IssueAttachment(t *testing.T) {
 	assert.True(t, exists, "The template has changed")
 
 	postData := map[string]string{
-		"_csrf":   htmlDoc.GetCSRF(),
 		"title":   "New Issue With Attachment",
 		"content": "some content",
 		"files":   uuid,
diff --git a/tests/integration/auth_ldap_test.go b/tests/integration/auth_ldap_test.go
index c8b694d81753f..fd740ce8e5857 100644
--- a/tests/integration/auth_ldap_test.go
+++ b/tests/integration/auth_ldap_test.go
@@ -125,7 +125,7 @@ type ldapAuthOptions struct {
 	groupTeamMapRemoval   string
 }
 
-func (te *ldapTestEnv) buildAuthSourcePayload(csrf string, opts ...ldapAuthOptions) map[string]string {
+func (te *ldapTestEnv) buildAuthSourcePayload(opts ...ldapAuthOptions) map[string]string {
 	opt := util.OptionalArg(opts)
 	// Modify user filter to test group filter explicitly
 	userFilter := "(&(objectClass=inetOrgPerson)(memberOf=cn=git,ou=people,dc=planetexpress,dc=com)(uid=%s))"
@@ -134,7 +134,6 @@ func (te *ldapTestEnv) buildAuthSourcePayload(csrf string, opts ...ldapAuthOptio
 	}
 
 	return map[string]string{
-		"_csrf":                    csrf,
 		"type":                     "2",
 		"name":                     "ldap",
 		"host":                     te.serverHost,
@@ -164,8 +163,7 @@ func (te *ldapTestEnv) buildAuthSourcePayload(csrf string, opts ...ldapAuthOptio
 
 func (te *ldapTestEnv) addAuthSource(t *testing.T, opts ...ldapAuthOptions) {
 	session := loginUser(t, "user1")
-	csrf := GetUserCSRFToken(t, session)
-	req := NewRequestWithValues(t, "POST", "/-/admin/auths/new", te.buildAuthSourcePayload(csrf, opts...))
+	req := NewRequestWithValues(t, "POST", "/-/admin/auths/new", te.buildAuthSourcePayload(opts...))
 	session.MakeRequest(t, req, http.StatusSeeOther)
 }
 
@@ -212,13 +210,12 @@ func TestLDAPAuthChange(t *testing.T) {
 	req = NewRequest(t, "GET", href)
 	resp = session.MakeRequest(t, req, http.StatusOK)
 	doc = NewHTMLParser(t, resp.Body)
-	csrf := doc.GetCSRF()
 	host, _ := doc.Find(`input[name="host"]`).Attr("value")
 	assert.Equal(t, te.serverHost, host)
 	binddn, _ := doc.Find(`input[name="bind_dn"]`).Attr("value")
 	assert.Equal(t, "uid=gitea,ou=service,dc=planetexpress,dc=com", binddn)
 
-	req = NewRequestWithValues(t, "POST", href, te.buildAuthSourcePayload(csrf, ldapAuthOptions{groupTeamMapRemoval: "off"}))
+	req = NewRequestWithValues(t, "POST", href, te.buildAuthSourcePayload(ldapAuthOptions{groupTeamMapRemoval: "off"}))
 	session.MakeRequest(t, req, http.StatusSeeOther)
 
 	req = NewRequest(t, "GET", href)
@@ -267,8 +264,7 @@ func TestLDAPUserSyncWithEmptyUsernameAttribute(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
 	session := loginUser(t, "user1")
-	csrf := GetUserCSRFToken(t, session)
-	payload := te.buildAuthSourcePayload(csrf)
+	payload := te.buildAuthSourcePayload()
 	payload["attribute_username"] = ""
 	req := NewRequestWithValues(t, "POST", "/-/admin/auths/new", payload)
 	session.MakeRequest(t, req, http.StatusSeeOther)
@@ -285,7 +281,6 @@ func TestLDAPUserSyncWithEmptyUsernameAttribute(t *testing.T) {
 
 	for _, u := range te.gitLDAPUsers {
 		req := NewRequestWithValues(t, "POST", "/user/login", map[string]string{
-			"_csrf":     csrf,
 			"user_name": u.UserName,
 			"password":  u.Password,
 		})
@@ -512,8 +507,7 @@ func TestLDAPPreventInvalidGroupTeamMap(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
 	session := loginUser(t, "user1")
-	csrf := GetUserCSRFToken(t, session)
-	payload := te.buildAuthSourcePayload(csrf, ldapAuthOptions{groupTeamMap: `{"NOT_A_VALID_JSON"["MISSING_DOUBLE_POINT"]}`, groupTeamMapRemoval: "off"})
+	payload := te.buildAuthSourcePayload(ldapAuthOptions{groupTeamMap: `{"NOT_A_VALID_JSON"["MISSING_DOUBLE_POINT"]}`, groupTeamMapRemoval: "off"})
 	req := NewRequestWithValues(t, "POST", "/-/admin/auths/new", payload)
 	session.MakeRequest(t, req, http.StatusOK) // StatusOK = failed, StatusSeeOther = ok
 }
diff --git a/tests/integration/branches_test.go b/tests/integration/branches_test.go
index e148fe2d6f4bc..83d9811baba26 100644
--- a/tests/integration/branches_test.go
+++ b/tests/integration/branches_test.go
@@ -61,9 +61,7 @@ func branchAction(t *testing.T, button string) (*HTMLDoc, string) {
 		t.Skip()
 	}
 
-	req = NewRequestWithValues(t, "POST", link, map[string]string{
-		"_csrf": htmlDoc.GetCSRF(),
-	})
+	req = NewRequest(t, "POST", link)
 	session.MakeRequest(t, req, http.StatusOK)
 
 	url, err := url.Parse(link)
diff --git a/tests/integration/change_default_branch_test.go b/tests/integration/change_default_branch_test.go
index 6b752f6d3e0c2..4a9ba6c4b53f7 100644
--- a/tests/integration/change_default_branch_test.go
+++ b/tests/integration/change_default_branch_test.go
@@ -26,17 +26,13 @@ func TestChangeDefaultBranch(t *testing.T) {
 	session := loginUser(t, owner.Name)
 	branchesURL := fmt.Sprintf("/%s/%s/settings/branches", owner.Name, repo.Name)
 
-	csrf := GetUserCSRFToken(t, session)
 	req := NewRequestWithValues(t, "POST", branchesURL, map[string]string{
-		"_csrf":  csrf,
 		"action": "default_branch",
 		"branch": "DefaultBranch",
 	})
 	session.MakeRequest(t, req, http.StatusSeeOther)
 
-	csrf = GetUserCSRFToken(t, session)
 	req = NewRequestWithValues(t, "POST", branchesURL, map[string]string{
-		"_csrf":  csrf,
 		"action": "default_branch",
 		"branch": "does_not_exist",
 	})
@@ -110,9 +106,7 @@ func TestChangeDefaultBranchDivergence(t *testing.T) {
 
 	// switch default branch
 	newDefaultBranch := "good-sign-not-yet-validated"
-	csrf := GetUserCSRFToken(t, session)
 	req := NewRequestWithValues(t, "POST", settingsBranchesURL, map[string]string{
-		"_csrf":  csrf,
 		"action": "default_branch",
 		"branch": newDefaultBranch,
 	})
diff --git a/tests/integration/create_no_session_test.go b/tests/integration/create_no_session_test.go
index 601f5e1733408..5797c0ff40a1a 100644
--- a/tests/integration/create_no_session_test.go
+++ b/tests/integration/create_no_session_test.go
@@ -97,9 +97,7 @@ func TestSessionFileCreation(t *testing.T) {
 		// We're not logged in so there should be no session
 		assert.False(t, sessionFileExist(t, tmpDir, sessionID))
 
-		doc := NewHTMLParser(t, resp.Body)
 		req = NewRequestWithValues(t, "POST", "/user/login", map[string]string{
-			"_csrf":     doc.GetCSRF(),
 			"user_name": "user2",
 			"password":  userPassword,
 		})
diff --git a/tests/integration/csrf_test.go b/tests/integration/csrf_test.go
deleted file mode 100644
index fcb9661b8a84d..0000000000000
--- a/tests/integration/csrf_test.go
+++ /dev/null
@@ -1,34 +0,0 @@
-// Copyright 2017 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package integration
-
-import (
-	"net/http"
-	"testing"
-
-	"code.gitea.io/gitea/models/unittest"
-	user_model "code.gitea.io/gitea/models/user"
-	"code.gitea.io/gitea/tests"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestCsrfProtection(t *testing.T) {
-	defer tests.PrepareTestEnv(t)()
-
-	// test web form csrf via form
-	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
-	session := loginUser(t, user.Name)
-	req := NewRequestWithValues(t, "POST", "/user/settings", map[string]string{
-		"_csrf": "fake_csrf",
-	})
-	resp := session.MakeRequest(t, req, http.StatusBadRequest)
-	assert.Contains(t, resp.Body.String(), "Invalid CSRF token")
-
-	// test web form csrf via header. TODO: should use an UI api to test
-	req = NewRequest(t, "POST", "/user/settings")
-	req.Header.Add("X-Csrf-Token", "fake_csrf")
-	resp = session.MakeRequest(t, req, http.StatusBadRequest)
-	assert.Contains(t, resp.Body.String(), "Invalid CSRF token")
-}
diff --git a/tests/integration/delete_user_test.go b/tests/integration/delete_user_test.go
index 4b02c4725ade9..0c31e928a330d 100644
--- a/tests/integration/delete_user_test.go
+++ b/tests/integration/delete_user_test.go
@@ -32,11 +32,8 @@ func TestUserDeleteAccount(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
 	session := loginUser(t, "user8")
-	csrf := GetUserCSRFToken(t, session)
 	urlStr := "/user/settings/account/delete?password=" + userPassword
-	req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
-		"_csrf": csrf,
-	})
+	req := NewRequest(t, "POST", urlStr)
 	session.MakeRequest(t, req, http.StatusSeeOther)
 
 	assertUserDeleted(t, 8)
@@ -47,11 +44,8 @@ func TestUserDeleteAccountStillOwnRepos(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
 	session := loginUser(t, "user2")
-	csrf := GetUserCSRFToken(t, session)
 	urlStr := "/user/settings/account/delete?password=" + userPassword
-	req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
-		"_csrf": csrf,
-	})
+	req := NewRequest(t, "POST", urlStr)
 	session.MakeRequest(t, req, http.StatusSeeOther)
 
 	// user should not have been deleted, because the user still owns repos
diff --git a/tests/integration/editor_test.go b/tests/integration/editor_test.go
index 05c7b272abcd4..d4681f1699df7 100644
--- a/tests/integration/editor_test.go
+++ b/tests/integration/editor_test.go
@@ -87,7 +87,6 @@ func testEditorProtectedBranch(t *testing.T) {
 	session := loginUser(t, "user2")
 	// Change the "master" branch to "protected"
 	req := NewRequestWithValues(t, "POST", "/user2/repo1/settings/branches/edit", map[string]string{
-		"_csrf":       GetUserCSRFToken(t, session),
 		"rule_name":   "master",
 		"enable_push": "true",
 	})
@@ -106,7 +105,6 @@ func testEditorActionPostRequest(t *testing.T, session *TestSession, requestPath
 	resp := session.MakeRequest(t, req, http.StatusOK)
 	htmlDoc := NewHTMLParser(t, resp.Body)
 	form := map[string]string{
-		"_csrf":       htmlDoc.GetCSRF(),
 		"last_commit": htmlDoc.GetInputValueByName("last_commit"),
 	}
 	maps.Copy(form, params)
@@ -150,7 +148,6 @@ func testEditFileToNewBranch(t *testing.T, session *TestSession, user, repo, bra
 func testEditorDiffPreview(t *testing.T) {
 	session := loginUser(t, "user2")
 	req := NewRequestWithValues(t, "POST", "/user2/repo1/_preview/master/README.md", map[string]string{
-		"_csrf":   GetUserCSRFToken(t, session),
 		"content": "Hello, World (Edited)\n",
 	})
 	resp := session.MakeRequest(t, req, http.StatusOK)
@@ -200,7 +197,6 @@ func testEditorWebGitCommitEmail(t *testing.T) {
 
 	makeReq := func(t *testing.T, link string, params map[string]string, expectedUserName, expectedEmail string) *httptest.ResponseRecorder {
 		lastCommit := getLastCommit(t)
-		params["_csrf"] = GetUserCSRFToken(t, session)
 		params["last_commit"] = lastCommit.ID.String()
 		params["commit_choice"] = "direct"
 		req := NewRequestWithValues(t, "POST", link, params)
@@ -225,7 +221,6 @@ func testEditorWebGitCommitEmail(t *testing.T) {
 		uploadForm := multipart.NewWriter(body)
 		file, _ := uploadForm.CreateFormFile("file", name)
 		_, _ = io.Copy(file, strings.NewReader(content))
-		_ = uploadForm.WriteField("_csrf", GetUserCSRFToken(t, session))
 		_ = uploadForm.Close()
 
 		req := NewRequestWithBody(t, "POST", "/user2/repo1/upload-file", body)
@@ -347,7 +342,7 @@ func testForkToEditFile(t *testing.T, session *TestSession, user, owner, repo, b
 		assert.Contains(t, resp.Body.String(), "Fork Repository to Propose Changes")
 
 		// fork the repository
-		req = NewRequestWithValues(t, "POST", path.Join(owner, repo, "_fork", branch), map[string]string{"_csrf": GetUserCSRFToken(t, session)})
+		req = NewRequest(t, "POST", path.Join(owner, repo, "_fork", branch))
 		resp = session.MakeRequest(t, req, http.StatusOK)
 		assert.JSONEq(t, `{"redirect":""}`, resp.Body.String())
 	}
@@ -359,7 +354,6 @@ func testForkToEditFile(t *testing.T, session *TestSession, user, owner, repo, b
 		// Archive the repository
 		req := NewRequestWithValues(t, "POST", path.Join(user, repo, "settings"),
 			map[string]string{
-				"_csrf":     GetUserCSRFToken(t, session),
 				"repo_name": repo,
 				"action":    "archive",
 			},
@@ -374,7 +368,6 @@ func testForkToEditFile(t *testing.T, session *TestSession, user, owner, repo, b
 		// Unfork the repository
 		req = NewRequestWithValues(t, "POST", path.Join(user, repo, "settings"),
 			map[string]string{
-				"_csrf":     GetUserCSRFToken(t, session),
 				"repo_name": repo,
 				"action":    "convert_fork",
 			},
@@ -410,7 +403,6 @@ func testForkToEditFile(t *testing.T, session *TestSession, user, owner, repo, b
 		resp := session.MakeRequest(t, req, http.StatusOK)
 		htmlDoc := NewHTMLParser(t, resp.Body)
 		editRequestForm := map[string]string{
-			"_csrf":         GetUserCSRFToken(t, session),
 			"last_commit":   htmlDoc.GetInputValueByName("last_commit"),
 			"tree_path":     filePath,
 			"content":       "new content in fork",
diff --git a/tests/integration/empty_repo_test.go b/tests/integration/empty_repo_test.go
index 4901488122a63..4991ee95fc583 100644
--- a/tests/integration/empty_repo_test.go
+++ b/tests/integration/empty_repo_test.go
@@ -32,7 +32,6 @@ import (
 func testAPINewFile(t *testing.T, session *TestSession, user, repo, branch, treePath, content string) {
 	url := fmt.Sprintf("/%s/%s/_new/%s", user, repo, branch)
 	req := NewRequestWithValues(t, "POST", url, map[string]string{
-		"_csrf":         GetUserCSRFToken(t, session),
 		"commit_choice": "direct",
 		"tree_path":     treePath,
 		"content":       content,
@@ -86,7 +85,6 @@ func TestEmptyRepoAddFile(t *testing.T) {
 	doc := NewHTMLParser(t, resp.Body).Find(`input[name="commit_choice"]`)
 	assert.Empty(t, doc.AttrOr("checked", "_no_"))
 	req = NewRequestWithValues(t, "POST", "/user30/empty/_new/"+setting.Repository.DefaultBranch, map[string]string{
-		"_csrf":         GetUserCSRFToken(t, session),
 		"commit_choice": "direct",
 		"tree_path":     "test-file.md",
 		"content":       "newly-added-test-file",
@@ -142,7 +140,6 @@ func TestEmptyRepoUploadFile(t *testing.T) {
 
 	body := &bytes.Buffer{}
 	mpForm := multipart.NewWriter(body)
-	_ = mpForm.WriteField("_csrf", GetUserCSRFToken(t, session))
 	file, _ := mpForm.CreateFormFile("file", "uploaded-file.txt")
 	_, _ = io.Copy(file, strings.NewReader("newly-uploaded-test-file"))
 	_ = mpForm.Close()
@@ -154,7 +151,6 @@ func TestEmptyRepoUploadFile(t *testing.T) {
 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), &respMap))
 
 	req = NewRequestWithValues(t, "POST", "/user30/empty/_upload/"+setting.Repository.DefaultBranch, map[string]string{
-		"_csrf":         GetUserCSRFToken(t, session),
 		"commit_choice": "direct",
 		"files":         respMap["uuid"],
 		"tree_path":     "",
diff --git a/tests/integration/git_general_test.go b/tests/integration/git_general_test.go
index a726f0349f5cb..58c946172870e 100644
--- a/tests/integration/git_general_test.go
+++ b/tests/integration/git_general_test.go
@@ -507,10 +507,7 @@ type doProtectBranchOptions struct {
 func doProtectBranchExt(ctx APITestContext, ruleName string, opts doProtectBranchOptions) func(t *testing.T) {
 	// We are going to just use the owner to set the protection.
 	return func(t *testing.T) {
-		csrf := GetUserCSRFToken(t, ctx.Session)
-
 		formData := map[string]string{
-			"_csrf":                     csrf,
 			"rule_name":                 ruleName,
 			"unprotected_file_patterns": opts.UnprotectedFilePatterns,
 			"protected_file_patterns":   opts.ProtectedFilePatterns,
@@ -694,11 +691,7 @@ func doPushCreate(ctx APITestContext, u *url.URL) func(t *testing.T) {
 
 func doBranchDelete(ctx APITestContext, owner, repo, branch string) func(*testing.T) {
 	return func(t *testing.T) {
-		csrf := GetUserCSRFToken(t, ctx.Session)
-
-		req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/branches/delete?name=%s", url.PathEscape(owner), url.PathEscape(repo), url.QueryEscape(branch)), map[string]string{
-			"_csrf": csrf,
-		})
+		req := NewRequest(t, "POST", fmt.Sprintf("/%s/%s/branches/delete?name=%s", url.PathEscape(owner), url.PathEscape(repo), url.QueryEscape(branch)))
 		ctx.Session.MakeRequest(t, req, http.StatusOK)
 	}
 }
diff --git a/tests/integration/html_helper.go b/tests/integration/html_helper.go
index 4d589b32e7003..b1ae4f40f2fd6 100644
--- a/tests/integration/html_helper.go
+++ b/tests/integration/html_helper.go
@@ -37,11 +37,6 @@ func (doc *HTMLDoc) Find(selector string) *goquery.Selection {
 	return doc.doc.Find(selector)
 }
 
-// GetCSRF for getting CSRF token value from input
-func (doc *HTMLDoc) GetCSRF() string {
-	return doc.GetInputValueByName("_csrf")
-}
-
 // AssertHTMLElement check if the element by selector exists or does not exist depending on checkExists
 func AssertHTMLElement[T int | bool](t testing.TB, doc *HTMLDoc, selector string, checkExists T) {
 	sel := doc.doc.Find(selector)
diff --git a/tests/integration/integration_test.go b/tests/integration/integration_test.go
index 760efb2a657ba..33297d0168d55 100644
--- a/tests/integration/integration_test.go
+++ b/tests/integration/integration_test.go
@@ -225,16 +225,11 @@ func loginUser(t testing.TB, userName string) *TestSession {
 
 func loginUserWithPassword(t testing.TB, userName, password string) *TestSession {
 	t.Helper()
-	req := NewRequest(t, "GET", "/user/login")
-	resp := MakeRequest(t, req, http.StatusOK)
-
-	doc := NewHTMLParser(t, resp.Body)
-	req = NewRequestWithValues(t, "POST", "/user/login", map[string]string{
-		"_csrf":     doc.GetCSRF(),
+	req := NewRequestWithValues(t, "POST", "/user/login", map[string]string{
 		"user_name": userName,
 		"password":  password,
 	})
-	resp = MakeRequest(t, req, http.StatusSeeOther)
+	resp := MakeRequest(t, req, http.StatusSeeOther)
 
 	ch := http.Header{}
 	ch.Add("Cookie", strings.Join(resp.Header()["Set-Cookie"], ";"))
@@ -256,7 +251,6 @@ var tokenCounter int64
 func getTokenForLoggedInUser(t testing.TB, session *TestSession, scopes ...auth.AccessTokenScope) string {
 	t.Helper()
 	urlValues := url.Values{}
-	urlValues.Add("_csrf", GetUserCSRFToken(t, session))
 	urlValues.Add("name", fmt.Sprintf("api-testing-token-%d", atomic.AddInt64(&tokenCounter, 1)))
 	for _, scope := range scopes {
 		urlValues.Add("scope-dummy", string(scope)) // it only needs to start with "scope-" to be accepted
@@ -436,20 +430,3 @@ func VerifyJSONSchema(t testing.TB, resp *httptest.ResponseRecorder, schemaFile
 	assert.Empty(t, result.Errors())
 	assert.True(t, result.Valid())
 }
-
-// GetUserCSRFToken returns CSRF token for current user
-func GetUserCSRFToken(t testing.TB, session *TestSession) string {
-	t.Helper()
-	cookie := session.GetSiteCookie("_csrf")
-	require.NotEmpty(t, cookie)
-	return cookie
-}
-
-// GetUserCSRFToken returns CSRF token for anonymous user (not logged in)
-func GetAnonymousCSRFToken(t testing.TB, session *TestSession) string {
-	t.Helper()
-	resp := session.MakeRequest(t, NewRequest(t, "GET", "/user/login"), http.StatusOK)
-	csrfToken := NewHTMLParser(t, resp.Body).GetCSRF()
-	require.NotEmpty(t, csrfToken)
-	return csrfToken
-}
diff --git a/tests/integration/issue_test.go b/tests/integration/issue_test.go
index 0da08796dcb39..a9101d7b7efe2 100644
--- a/tests/integration/issue_test.go
+++ b/tests/integration/issue_test.go
@@ -130,7 +130,6 @@ func testNewIssue(t *testing.T, session *TestSession, user, repo, title, content
 	link, exists := htmlDoc.doc.Find("form.ui.form").Attr("action")
 	assert.True(t, exists, "The template has changed")
 	req = NewRequestWithValues(t, "POST", link, map[string]string{
-		"_csrf":   htmlDoc.GetCSRF(),
 		"title":   title,
 		"content": content,
 	})
@@ -150,15 +149,12 @@ func testNewIssue(t *testing.T, session *TestSession, user, repo, title, content
 }
 
 func testIssueDelete(t *testing.T, session *TestSession, issueURL string) {
-	req := NewRequestWithValues(t, "POST", path.Join(issueURL, "delete"), map[string]string{
-		"_csrf": GetUserCSRFToken(t, session),
-	})
+	req := NewRequest(t, "POST", path.Join(issueURL, "delete"))
 	session.MakeRequest(t, req, http.StatusSeeOther)
 }
 
 func testIssueAssign(t *testing.T, session *TestSession, repoLink string, issueID, assigneeID int64) {
 	req := NewRequestWithValues(t, "POST", fmt.Sprintf(repoLink+"/issues/assignee?issue_ids=%d", issueID), map[string]string{
-		"_csrf":  GetUserCSRFToken(t, session),
 		"id":     strconv.FormatInt(assigneeID, 10),
 		"action": "", // empty action means assign
 	})
@@ -176,7 +172,6 @@ func testIssueAddComment(t *testing.T, session *TestSession, issueURL, content,
 	commentCount := htmlDoc.doc.Find(".comment-list .comment .render-content").Length()
 
 	req = NewRequestWithValues(t, "POST", link, map[string]string{
-		"_csrf":   htmlDoc.GetCSRF(),
 		"content": content,
 		"status":  status,
 	})
@@ -200,8 +195,7 @@ func testIssueAddComment(t *testing.T, session *TestSession, issueURL, content,
 
 func testIssueChangeMilestone(t *testing.T, session *TestSession, repoLink string, issueID, milestoneID int64) {
 	req := NewRequestWithValues(t, "POST", fmt.Sprintf(repoLink+"/issues/milestone?issue_ids=%d", issueID), map[string]string{
-		"_csrf": GetUserCSRFToken(t, session),
-		"id":    strconv.FormatInt(milestoneID, 10),
+		"id": strconv.FormatInt(milestoneID, 10),
 	})
 	resp := session.MakeRequest(t, req, http.StatusOK)
 	assert.Equal(t, `{"ok":true}`, strings.TrimSpace(resp.Body.String()))
@@ -219,21 +213,18 @@ func TestEditIssue(t *testing.T) {
 	issueURL := testNewIssue(t, session, "user2", "repo1", "Title", "Description")
 
 	req := NewRequestWithValues(t, "POST", issueURL+"/content", map[string]string{
-		"_csrf":   GetUserCSRFToken(t, session),
 		"content": "modified content",
 		"context": fmt.Sprintf("/%s/%s", "user2", "repo1"),
 	})
 	session.MakeRequest(t, req, http.StatusOK)
 
 	req = NewRequestWithValues(t, "POST", issueURL+"/content", map[string]string{
-		"_csrf":   GetUserCSRFToken(t, session),
 		"content": "modified content",
 		"context": fmt.Sprintf("/%s/%s", "user2", "repo1"),
 	})
 	session.MakeRequest(t, req, http.StatusBadRequest)
 
 	req = NewRequestWithValues(t, "POST", issueURL+"/content", map[string]string{
-		"_csrf":           GetUserCSRFToken(t, session),
 		"content":         "modified content",
 		"content_version": "1",
 		"context":         fmt.Sprintf("/%s/%s", "user2", "repo1"),
@@ -267,13 +258,9 @@ func TestIssueCommentDelete(t *testing.T) {
 	assert.Equal(t, comment1, comment.Content)
 
 	// Using the ID of a comment that does not belong to the repository must fail
-	req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/comments/%d/delete", "user5", "repo4", commentID), map[string]string{
-		"_csrf": GetUserCSRFToken(t, session),
-	})
+	req := NewRequest(t, "POST", fmt.Sprintf("/%s/%s/comments/%d/delete", "user5", "repo4", commentID))
 	session.MakeRequest(t, req, http.StatusNotFound)
-	req = NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/comments/%d/delete", "user2", "repo1", commentID), map[string]string{
-		"_csrf": GetUserCSRFToken(t, session),
-	})
+	req = NewRequest(t, "POST", fmt.Sprintf("/%s/%s/comments/%d/delete", "user2", "repo1", commentID))
 	session.MakeRequest(t, req, http.StatusOK)
 	unittest.AssertNotExistsBean(t, &issues_model.Comment{ID: commentID})
 }
@@ -292,13 +279,11 @@ func TestIssueCommentUpdate(t *testing.T) {
 
 	// Using the ID of a comment that does not belong to the repository must fail
 	req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/comments/%d", "user5", "repo4", commentID), map[string]string{
-		"_csrf":   GetUserCSRFToken(t, session),
 		"content": modifiedContent,
 	})
 	session.MakeRequest(t, req, http.StatusNotFound)
 
 	req = NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/comments/%d", "user2", "repo1", commentID), map[string]string{
-		"_csrf":   GetUserCSRFToken(t, session),
 		"content": modifiedContent,
 	})
 	session.MakeRequest(t, req, http.StatusOK)
@@ -320,7 +305,6 @@ func TestIssueCommentUpdateSimultaneously(t *testing.T) {
 	modifiedContent := comment.Content + "MODIFIED"
 
 	req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/comments/%d", "user2", "repo1", commentID), map[string]string{
-		"_csrf":   GetUserCSRFToken(t, session),
 		"content": modifiedContent,
 	})
 	session.MakeRequest(t, req, http.StatusOK)
@@ -328,13 +312,11 @@ func TestIssueCommentUpdateSimultaneously(t *testing.T) {
 	modifiedContent = comment.Content + "2"
 
 	req = NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/comments/%d", "user2", "repo1", commentID), map[string]string{
-		"_csrf":   GetUserCSRFToken(t, session),
 		"content": modifiedContent,
 	})
 	session.MakeRequest(t, req, http.StatusBadRequest)
 
 	req = NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/comments/%d", "user2", "repo1", commentID), map[string]string{
-		"_csrf":           GetUserCSRFToken(t, session),
 		"content":         modifiedContent,
 		"content_version": "1",
 	})
@@ -350,22 +332,15 @@ func TestIssueReaction(t *testing.T) {
 	session := loginUser(t, "user2")
 	issueURL := testNewIssue(t, session, "user2", "repo1", "Title", "Description")
 
-	req := NewRequest(t, "GET", issueURL)
-	resp := session.MakeRequest(t, req, http.StatusOK)
-	htmlDoc := NewHTMLParser(t, resp.Body)
-
-	req = NewRequestWithValues(t, "POST", path.Join(issueURL, "/reactions/react"), map[string]string{
-		"_csrf":   htmlDoc.GetCSRF(),
+	req := NewRequestWithValues(t, "POST", path.Join(issueURL, "/reactions/react"), map[string]string{
 		"content": "8ball",
 	})
 	session.MakeRequest(t, req, http.StatusInternalServerError)
 	req = NewRequestWithValues(t, "POST", path.Join(issueURL, "/reactions/react"), map[string]string{
-		"_csrf":   htmlDoc.GetCSRF(),
 		"content": "eyes",
 	})
 	session.MakeRequest(t, req, http.StatusOK)
 	req = NewRequestWithValues(t, "POST", path.Join(issueURL, "/reactions/unreact"), map[string]string{
-		"_csrf":   htmlDoc.GetCSRF(),
 		"content": "eyes",
 	})
 	session.MakeRequest(t, req, http.StatusOK)
@@ -459,14 +434,8 @@ func testIssueWithBean(t *testing.T, user string, repoID int64, title, content s
 
 func testIssueChangeInfo(t *testing.T, user, issueURL, info, value string) {
 	session := loginUser(t, user)
-
-	req := NewRequest(t, "GET", issueURL)
-	resp := session.MakeRequest(t, req, http.StatusOK)
-	htmlDoc := NewHTMLParser(t, resp.Body)
-
-	req = NewRequestWithValues(t, "POST", path.Join(issueURL, info), map[string]string{
-		"_csrf": htmlDoc.GetCSRF(),
-		info:    value,
+	req := NewRequestWithValues(t, "POST", path.Join(issueURL, info), map[string]string{
+		info: value,
 	})
 	_ = session.MakeRequest(t, req, http.StatusOK)
 }
@@ -700,7 +669,7 @@ func TestUpdateIssueDeadline(t *testing.T) {
 	assert.Equal(t, api.StateOpen, issueBefore.State())
 
 	session := loginUser(t, owner.Name)
-	urlStr := fmt.Sprintf("%s/%s/issues/%d/deadline?_csrf=%s", owner.Name, repoBefore.Name, issueBefore.Index, GetUserCSRFToken(t, session))
+	urlStr := fmt.Sprintf("%s/%s/issues/%d/deadline", owner.Name, repoBefore.Name, issueBefore.Index)
 
 	req := NewRequestWithValues(t, "POST", urlStr, map[string]string{"deadline": "2022-04-06"})
 	session.MakeRequest(t, req, http.StatusOK)
diff --git a/tests/integration/migrate_test.go b/tests/integration/migrate_test.go
index 529d94beb1353..5521c786d9ecc 100644
--- a/tests/integration/migrate_test.go
+++ b/tests/integration/migrate_test.go
@@ -95,7 +95,6 @@ func TestMigrateGiteaForm(t *testing.T) {
 		// Step 4: submit the migration to only migrate issues
 		migratedRepoName := "otherrepo"
 		req = NewRequestWithValues(t, "POST", link, map[string]string{
-			"_csrf":       htmlDoc.GetCSRF(),
 			"service":     fmt.Sprintf("%d", structs.GiteaService),
 			"clone_addr":  fmt.Sprintf("%s%s/%s", u, ownerName, repoName),
 			"auth_token":  token,
diff --git a/tests/integration/mirror_push_test.go b/tests/integration/mirror_push_test.go
index c468228b82f17..8b610db0a230d 100644
--- a/tests/integration/mirror_push_test.go
+++ b/tests/integration/mirror_push_test.go
@@ -79,7 +79,6 @@ func testMirrorPush(t *testing.T, u *url.URL) {
 
 func testCreatePushMirror(t *testing.T, session *TestSession, owner, repo, address, username, password, interval string) {
 	req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/settings", url.PathEscape(owner), url.PathEscape(repo)), map[string]string{
-		"_csrf":                GetUserCSRFToken(t, session),
 		"action":               "push-mirror-add",
 		"push_mirror_address":  address,
 		"push_mirror_username": username,
@@ -94,7 +93,6 @@ func testCreatePushMirror(t *testing.T, session *TestSession, owner, repo, addre
 
 func doRemovePushMirror(t *testing.T, session *TestSession, owner, repo string, pushMirrorID int64) bool {
 	req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/settings", url.PathEscape(owner), url.PathEscape(repo)), map[string]string{
-		"_csrf":          GetUserCSRFToken(t, session),
 		"action":         "push-mirror-remove",
 		"push_mirror_id": strconv.FormatInt(pushMirrorID, 10),
 	})
@@ -105,7 +103,6 @@ func doRemovePushMirror(t *testing.T, session *TestSession, owner, repo string,
 
 func doUpdatePushMirror(t *testing.T, session *TestSession, owner, repo string, pushMirrorID int64, interval string) bool {
 	req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/settings", owner, repo), map[string]string{
-		"_csrf":                  GetUserCSRFToken(t, session),
 		"action":                 "push-mirror-update",
 		"push_mirror_id":         strconv.FormatInt(pushMirrorID, 10),
 		"push_mirror_interval":   interval,
diff --git a/tests/integration/nonascii_branches_test.go b/tests/integration/nonascii_branches_test.go
index cc71acf002d1c..89b03507797e0 100644
--- a/tests/integration/nonascii_branches_test.go
+++ b/tests/integration/nonascii_branches_test.go
@@ -17,9 +17,7 @@ import (
 
 func setDefaultBranch(t *testing.T, session *TestSession, user, repo, branch string) {
 	location := path.Join("/", user, repo, "settings/branches")
-	csrf := GetUserCSRFToken(t, session)
 	req := NewRequestWithValues(t, "POST", location, map[string]string{
-		"_csrf":  csrf,
 		"action": "default_branch",
 		"branch": branch,
 	})
diff --git a/tests/integration/oauth_test.go b/tests/integration/oauth_test.go
index e7edace6536cd..7c3650520e504 100644
--- a/tests/integration/oauth_test.go
+++ b/tests/integration/oauth_test.go
@@ -92,7 +92,6 @@ func TestAuthorizeShow(t *testing.T) {
 
 	htmlDoc := NewHTMLParser(t, resp.Body)
 	AssertHTMLElement(t, htmlDoc, "#authorize-app", true)
-	htmlDoc.GetCSRF()
 }
 
 func TestAuthorizeRedirectWithExistingGrant(t *testing.T) {
diff --git a/tests/integration/org_project_test.go b/tests/integration/org_project_test.go
index c3894fd7afdec..8c55a4375782e 100644
--- a/tests/integration/org_project_test.go
+++ b/tests/integration/org_project_test.go
@@ -34,7 +34,6 @@ func TestOrgProjectAccess(t *testing.T) {
 	// change the org's visibility to private
 	session := loginUser(t, "user2")
 	req = NewRequestWithValues(t, "POST", "/org/org3/settings", map[string]string{
-		"_csrf":      GetUserCSRFToken(t, session),
 		"name":       "org3",
 		"visibility": "2",
 	})
@@ -48,7 +47,6 @@ func TestOrgProjectAccess(t *testing.T) {
 	// disable team1's project unit
 	session = loginUser(t, "user2")
 	req = NewRequestWithValues(t, "POST", "/org/org3/teams/team1/edit", map[string]string{
-		"_csrf":       GetUserCSRFToken(t, session),
 		"team_name":   "team1",
 		"repo_access": "specific",
 		"permission":  "read",
diff --git a/tests/integration/org_team_invite_test.go b/tests/integration/org_team_invite_test.go
index b51b8f43ee6f9..9dafbce2aad40 100644
--- a/tests/integration/org_team_invite_test.go
+++ b/tests/integration/org_team_invite_test.go
@@ -39,9 +39,7 @@ func TestOrgTeamEmailInvite(t *testing.T) {
 	session := loginUser(t, "user1")
 
 	teamURL := fmt.Sprintf("/org/%s/teams/%s", org.Name, team.Name)
-	csrf := GetUserCSRFToken(t, session)
 	req := NewRequestWithValues(t, "POST", teamURL+"/action/add", map[string]string{
-		"_csrf": csrf,
 		"uid":   "1",
 		"uname": user.Email,
 	})
@@ -58,10 +56,7 @@ func TestOrgTeamEmailInvite(t *testing.T) {
 
 	// join the team
 	inviteURL := "/org/invite/" + invites[0].Token
-	csrf = GetUserCSRFToken(t, session)
-	req = NewRequestWithValues(t, "POST", inviteURL, map[string]string{
-		"_csrf": csrf,
-	})
+	req = NewRequest(t, "POST", inviteURL)
 	resp = session.MakeRequest(t, req, http.StatusSeeOther)
 	req = NewRequest(t, "GET", test.RedirectURL(resp))
 	session.MakeRequest(t, req, http.StatusOK)
@@ -93,7 +88,6 @@ func TestOrgTeamEmailInviteRedirectsExistingUser(t *testing.T) {
 
 	teamURL := fmt.Sprintf("/org/%s/teams/%s", org.Name, team.Name)
 	req := NewRequestWithValues(t, "POST", teamURL+"/action/add", map[string]string{
-		"_csrf": GetUserCSRFToken(t, session),
 		"uid":   "1",
 		"uname": user.Email,
 	})
@@ -111,9 +105,7 @@ func TestOrgTeamEmailInviteRedirectsExistingUser(t *testing.T) {
 	req = NewRequest(t, "GET", "/user/login?redirect_to="+url.QueryEscape(inviteURL))
 	resp = MakeRequest(t, req, http.StatusOK)
 
-	doc := NewHTMLParser(t, resp.Body)
 	req = NewRequestWithValues(t, "POST", "/user/login", map[string]string{
-		"_csrf":     doc.GetCSRF(),
 		"user_name": "user5",
 		"password":  "password",
 	})
@@ -135,9 +127,7 @@ func TestOrgTeamEmailInviteRedirectsExistingUser(t *testing.T) {
 	session.jar.SetCookies(baseURL, cr.Cookies())
 
 	// make the request
-	req = NewRequestWithValues(t, "POST", test.RedirectURL(resp), map[string]string{
-		"_csrf": GetUserCSRFToken(t, session),
-	})
+	req = NewRequest(t, "POST", test.RedirectURL(resp))
 	resp = session.MakeRequest(t, req, http.StatusSeeOther)
 	req = NewRequest(t, "GET", test.RedirectURL(resp))
 	session.MakeRequest(t, req, http.StatusOK)
@@ -164,7 +154,6 @@ func TestOrgTeamEmailInviteRedirectsNewUser(t *testing.T) {
 
 	teamURL := fmt.Sprintf("/org/%s/teams/%s", org.Name, team.Name)
 	req := NewRequestWithValues(t, "POST", teamURL+"/action/add", map[string]string{
-		"_csrf": GetUserCSRFToken(t, session),
 		"uid":   "1",
 		"uname": "doesnotexist@example.com",
 	})
@@ -182,9 +171,7 @@ func TestOrgTeamEmailInviteRedirectsNewUser(t *testing.T) {
 	req = NewRequest(t, "GET", "/user/sign_up?redirect_to="+url.QueryEscape(inviteURL))
 	resp = MakeRequest(t, req, http.StatusOK)
 
-	doc := NewHTMLParser(t, resp.Body)
 	req = NewRequestWithValues(t, "POST", "/user/sign_up", map[string]string{
-		"_csrf":     doc.GetCSRF(),
 		"user_name": "doesnotexist",
 		"email":     "doesnotexist@example.com",
 		"password":  "examplePassword!1",
@@ -208,9 +195,7 @@ func TestOrgTeamEmailInviteRedirectsNewUser(t *testing.T) {
 	session.jar.SetCookies(baseURL, cr.Cookies())
 
 	// make the redirected request
-	req = NewRequestWithValues(t, "POST", test.RedirectURL(resp), map[string]string{
-		"_csrf": GetUserCSRFToken(t, session),
-	})
+	req = NewRequest(t, "POST", test.RedirectURL(resp))
 	resp = session.MakeRequest(t, req, http.StatusSeeOther)
 	req = NewRequest(t, "GET", test.RedirectURL(resp))
 	session.MakeRequest(t, req, http.StatusOK)
@@ -243,7 +228,6 @@ func TestOrgTeamEmailInviteRedirectsNewUserWithActivation(t *testing.T) {
 
 	teamURL := fmt.Sprintf("/org/%s/teams/%s", org.Name, team.Name)
 	req := NewRequestWithValues(t, "POST", teamURL+"/action/add", map[string]string{
-		"_csrf": GetUserCSRFToken(t, session),
 		"uid":   "1",
 		"uname": "doesnotexist@example.com",
 	})
@@ -283,9 +267,7 @@ func TestOrgTeamEmailInviteRedirectsNewUserWithActivation(t *testing.T) {
 	// should be redirected to accept the invite
 	assert.Equal(t, inviteURL, test.RedirectURL(resp))
 
-	req = NewRequestWithValues(t, "POST", test.RedirectURL(resp), map[string]string{
-		"_csrf": GetUserCSRFToken(t, session),
-	})
+	req = NewRequest(t, "POST", test.RedirectURL(resp))
 	resp = session.MakeRequest(t, req, http.StatusSeeOther)
 	req = NewRequest(t, "GET", test.RedirectURL(resp))
 	session.MakeRequest(t, req, http.StatusOK)
@@ -319,7 +301,6 @@ func TestOrgTeamEmailInviteRedirectsExistingUserWithLogin(t *testing.T) {
 
 	teamURL := fmt.Sprintf("/org/%s/teams/%s", org.Name, team.Name)
 	req := NewRequestWithValues(t, "POST", teamURL+"/action/add", map[string]string{
-		"_csrf": GetUserCSRFToken(t, session),
 		"uid":   "1",
 		"uname": user.Email,
 	})
@@ -342,9 +323,7 @@ func TestOrgTeamEmailInviteRedirectsExistingUserWithLogin(t *testing.T) {
 	assert.Equal(t, inviteURL, test.RedirectURL(resp))
 
 	// make the request
-	req = NewRequestWithValues(t, "POST", test.RedirectURL(resp), map[string]string{
-		"_csrf": GetUserCSRFToken(t, session),
-	})
+	req = NewRequest(t, "POST", test.RedirectURL(resp))
 	resp = session.MakeRequest(t, req, http.StatusSeeOther)
 	req = NewRequest(t, "GET", test.RedirectURL(resp))
 	session.MakeRequest(t, req, http.StatusOK)
diff --git a/tests/integration/privateactivity_test.go b/tests/integration/privateactivity_test.go
index a1fbadec99ede..7a76d609ea0d9 100644
--- a/tests/integration/privateactivity_test.go
+++ b/tests/integration/privateactivity_test.go
@@ -48,7 +48,6 @@ func testPrivateActivityDoSomethingForActionEntries(t *testing.T) {
 func testPrivateActivityHelperEnablePrivateActivity(t *testing.T) {
 	session := loginUser(t, privateActivityTestUser)
 	req := NewRequestWithValues(t, "POST", "/user/settings", map[string]string{
-		"_csrf":                 GetUserCSRFToken(t, session),
 		"name":                  privateActivityTestUser,
 		"email":                 privateActivityTestUser + "@example.com",
 		"language":              "en-US",
diff --git a/tests/integration/project_test.go b/tests/integration/project_test.go
index 116850fd15a53..66752832642fe 100644
--- a/tests/integration/project_test.go
+++ b/tests/integration/project_test.go
@@ -63,10 +63,9 @@ func TestMoveRepoProjectColumns(t *testing.T) {
 
 	sess := loginUser(t, "user1")
 	req := NewRequest(t, "GET", fmt.Sprintf("/%s/projects/%d", repo2.FullName(), project1.ID))
-	resp := sess.MakeRequest(t, req, http.StatusOK)
-	htmlDoc := NewHTMLParser(t, resp.Body)
+	sess.MakeRequest(t, req, http.StatusOK)
 
-	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/%s/projects/%d/move?_csrf="+htmlDoc.GetCSRF(), repo2.FullName(), project1.ID), map[string]any{
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/%s/projects/%d/move", repo2.FullName(), project1.ID), map[string]any{
 		"columns": []map[string]any{
 			{"columnID": columns[1].ID, "sorting": 0},
 			{"columnID": columns[2].ID, "sorting": 1},
diff --git a/tests/integration/pull_comment_test.go b/tests/integration/pull_comment_test.go
index abab65247ba74..cb4c70930b099 100644
--- a/tests/integration/pull_comment_test.go
+++ b/tests/integration/pull_comment_test.go
@@ -89,7 +89,6 @@ func testPullCommentRetarget(t *testing.T, u *url.URL, session *TestSession) {
 
 	// do retarget
 	req := NewRequestWithValues(t, "POST", fmt.Sprintf("/user2/repo1/pull/%d/target_branch", prIssue.PullRequest.Index), map[string]string{
-		"_csrf":         GetUserCSRFToken(t, session),
 		"target_branch": "test-branch/retarget-no-conflict",
 	})
 	session.MakeRequest(t, req, http.StatusOK)
diff --git a/tests/integration/pull_compare_test.go b/tests/integration/pull_compare_test.go
index fc921d62686da..da00b3fd56640 100644
--- a/tests/integration/pull_compare_test.go
+++ b/tests/integration/pull_compare_test.go
@@ -133,7 +133,6 @@ func TestPullCompare_EnableAllowEditsFromMaintainer(t *testing.T) {
 		dataURL, exists := htmlDoc.doc.Find("#allow-edits-from-maintainers").Attr("data-url")
 		assert.True(t, exists)
 		req := NewRequestWithValues(t, "POST", dataURL+"/set_allow_maintainer_edit", map[string]string{
-			"_csrf":                 htmlDoc.GetCSRF(),
 			"allow_maintainer_edit": "true",
 		})
 		user4Session.MakeRequest(t, req, http.StatusOK)
@@ -159,7 +158,6 @@ func TestPullCompare_EnableAllowEditsFromMaintainer(t *testing.T) {
 				lastCommit := htmlDoc.GetInputValueByName("last_commit")
 				assert.NotEmpty(t, lastCommit)
 				req := NewRequestWithValues(t, "POST", editFileLink, map[string]string{
-					"_csrf":          htmlDoc.GetCSRF(),
 					"last_commit":    lastCommit,
 					"tree_path":      "README.md",
 					"content":        "File is edited by the maintainer user2",
diff --git a/tests/integration/pull_create_test.go b/tests/integration/pull_create_test.go
index ff60b70cf9a86..518f452e28fbb 100644
--- a/tests/integration/pull_create_test.go
+++ b/tests/integration/pull_create_test.go
@@ -59,7 +59,6 @@ func testPullCreate(t *testing.T, session *TestSession, user, repo string, toSel
 	link, exists = htmlDoc.doc.Find("form.ui.form").Attr("action")
 	assert.True(t, exists, "The template has changed")
 	req = NewRequestWithValues(t, "POST", link, map[string]string{
-		"_csrf": htmlDoc.GetCSRF(),
 		"title": title,
 	})
 	resp = session.MakeRequest(t, req, http.StatusOK)
@@ -103,7 +102,6 @@ func testPullCreateDirectly(t *testing.T, session *TestSession, opts createPullR
 	link, exists := htmlDoc.doc.Find("form.ui.form").Attr("action")
 	assert.True(t, exists, "The template has changed")
 	params := map[string]string{
-		"_csrf": htmlDoc.GetCSRF(),
 		"title": opts.Title,
 	}
 	if opts.ReviewerIDs != "" {
@@ -131,7 +129,6 @@ func testPullCreateFailure(t *testing.T, session *TestSession, baseRepoOwner, ba
 	link, exists := htmlDoc.doc.Find("form.ui.form").Attr("action")
 	assert.True(t, exists, "The template has changed")
 	req = NewRequestWithValues(t, "POST", link, map[string]string{
-		"_csrf": htmlDoc.GetCSRF(),
 		"title": title,
 	})
 	resp = session.MakeRequest(t, req, http.StatusBadRequest)
@@ -159,7 +156,6 @@ func TestPullCreate(t *testing.T) {
 		// test create the pull request again and it should fail now
 		link := "/user2/repo1/compare/master...user1/repo1:master"
 		req := NewRequestWithValues(t, "POST", link, map[string]string{
-			"_csrf": GetUserCSRFToken(t, session),
 			"title": "This is a pull title",
 		})
 		session.MakeRequest(t, req, http.StatusBadRequest)
@@ -200,7 +196,6 @@ func TestPullCreate_TitleEscape(t *testing.T) {
 		assert.True(t, exists, "The template has changed")
 
 		req = NewRequestWithValues(t, "POST", editTestTitleURL, map[string]string{
-			"_csrf": htmlDoc.GetCSRF(),
 			"title": "<u>XSS PR</u>",
 		})
 		session.MakeRequest(t, req, http.StatusOK)
@@ -219,25 +214,15 @@ func TestPullCreate_TitleEscape(t *testing.T) {
 
 func testUIDeleteBranch(t *testing.T, session *TestSession, ownerName, repoName, branchName string) {
 	relURL := "/" + path.Join(ownerName, repoName, "branches")
-	req := NewRequest(t, "GET", relURL)
-	resp := session.MakeRequest(t, req, http.StatusOK)
-	htmlDoc := NewHTMLParser(t, resp.Body)
-
-	req = NewRequestWithValues(t, "POST", relURL+"/delete", map[string]string{
-		"_csrf": htmlDoc.GetCSRF(),
-		"name":  branchName,
+	req := NewRequestWithValues(t, "POST", relURL+"/delete", map[string]string{
+		"name": branchName,
 	})
 	session.MakeRequest(t, req, http.StatusOK)
 }
 
 func testDeleteRepository(t *testing.T, session *TestSession, ownerName, repoName string) {
 	relURL := "/" + path.Join(ownerName, repoName, "settings")
-	req := NewRequest(t, "GET", relURL)
-	resp := session.MakeRequest(t, req, http.StatusOK)
-	htmlDoc := NewHTMLParser(t, resp.Body)
-
-	req = NewRequestWithValues(t, "POST", relURL+"?action=delete", map[string]string{
-		"_csrf":     htmlDoc.GetCSRF(),
+	req := NewRequestWithValues(t, "POST", relURL+"?action=delete", map[string]string{
 		"repo_name": repoName,
 	})
 	session.MakeRequest(t, req, http.StatusSeeOther)
diff --git a/tests/integration/pull_merge_test.go b/tests/integration/pull_merge_test.go
index e2302fa6ce013..53e68432ccde6 100644
--- a/tests/integration/pull_merge_test.go
+++ b/tests/integration/pull_merge_test.go
@@ -51,38 +51,27 @@ type MergeOptions struct {
 	DeleteBranch bool
 }
 
-func testPullMerge(t *testing.T, session *TestSession, user, repo, pullnum string, mergeOptions MergeOptions) *httptest.ResponseRecorder {
-	req := NewRequest(t, "GET", path.Join(user, repo, "pulls", pullnum))
-	resp := session.MakeRequest(t, req, http.StatusOK)
-
-	htmlDoc := NewHTMLParser(t, resp.Body)
-	link := path.Join(user, repo, "pulls", pullnum, "merge")
-
+func testPullMerge(t *testing.T, session *TestSession, user, repo, pullNum string, mergeOptions MergeOptions) *httptest.ResponseRecorder {
 	options := map[string]string{
-		"_csrf":          htmlDoc.GetCSRF(),
-		"do":             string(mergeOptions.Style),
-		"head_commit_id": mergeOptions.HeadCommitID,
+		"do":                        string(mergeOptions.Style),
+		"head_commit_id":            mergeOptions.HeadCommitID,
+		"delete_branch_after_merge": util.Iif(mergeOptions.DeleteBranch, "on", ""),
 	}
+	var resp *httptest.ResponseRecorder
+	require.Eventually(t, func() bool {
+		req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/pulls/%s/merge", user, repo, pullNum), options)
+		resp = session.MakeRequest(t, req, NoExpectedStatus)
+		return resp.Code == http.StatusOK
+	}, 5*time.Second, 50*time.Millisecond, "Timed out waiting for pull merge to succeed")
 
-	if mergeOptions.DeleteBranch {
-		options["delete_branch_after_merge"] = "on"
-	}
+	redirect := test.RedirectURL(resp)
+	assert.Equal(t, fmt.Sprintf("/%s/%s/pulls/%s", user, repo, pullNum), redirect)
 
-	req = NewRequestWithValues(t, "POST", link, options)
-	resp = session.MakeRequest(t, req, http.StatusOK)
-
-	respJSON := struct {
-		Redirect string
-	}{}
-	DecodeJSON(t, resp, &respJSON)
-
-	assert.Equal(t, fmt.Sprintf("/%s/%s/pulls/%s", user, repo, pullnum), respJSON.Redirect)
-
-	pullnumInt, err := strconv.ParseInt(pullnum, 10, 64)
+	pullNumInt, err := strconv.ParseInt(pullNum, 10, 64)
 	assert.NoError(t, err)
 	repository, err := repo_model.GetRepositoryByOwnerAndName(t.Context(), user, repo)
 	assert.NoError(t, err)
-	pull, err := issues_model.GetPullRequestByIndex(t.Context(), repository.ID, pullnumInt)
+	pull, err := issues_model.GetPullRequestByIndex(t.Context(), repository.ID, pullNumInt)
 	assert.NoError(t, err)
 	assert.True(t, pull.HasMerged)
 
@@ -97,9 +86,7 @@ func testPullCleanUp(t *testing.T, session *TestSession, user, repo, pullnum str
 	htmlDoc := NewHTMLParser(t, resp.Body)
 	link, exists := htmlDoc.doc.Find(".timeline-item .delete-branch-after-merge").Attr("data-url")
 	assert.True(t, exists, "The template has changed, can not find delete button url")
-	req = NewRequestWithValues(t, "POST", link, map[string]string{
-		"_csrf": htmlDoc.GetCSRF(),
-	})
+	req = NewRequest(t, "POST", link)
 	resp = session.MakeRequest(t, req, http.StatusOK)
 
 	return resp
@@ -844,11 +831,8 @@ func TestPullAutoMergeAfterCommitStatusSucceed(t *testing.T) {
 			HeadBranch: "master",
 		})
 
-		// add protected branch for commit status
-		csrf := GetUserCSRFToken(t, session)
 		// Change the "master" branch to "protected"
 		req := NewRequestWithValues(t, "POST", "/user2/repo1/settings/branches/edit", map[string]string{
-			"_csrf":                 csrf,
 			"rule_name":             "master",
 			"enable_push":           "true",
 			"enable_status_check":   "true",
@@ -937,11 +921,8 @@ func TestPullAutoMergeAfterCommitStatusSucceedAndApproval(t *testing.T) {
 			HeadBranch: "master",
 		})
 
-		// add protected branch for commit status
-		csrf := GetUserCSRFToken(t, session)
 		// Change master branch to protected
 		req := NewRequestWithValues(t, "POST", "/user2/repo1/settings/branches/edit", map[string]string{
-			"_csrf":                 csrf,
 			"rule_name":             "master",
 			"enable_push":           "true",
 			"enable_status_check":   "true",
@@ -993,10 +974,7 @@ func TestPullAutoMergeAfterCommitStatusSucceedAndApproval(t *testing.T) {
 
 		// approve the PR from non-author
 		approveSession := loginUser(t, "user2")
-		req = NewRequest(t, "GET", fmt.Sprintf("/user2/repo1/pulls/%d", pr.Index))
-		resp := approveSession.MakeRequest(t, req, http.StatusOK)
-		htmlDoc := NewHTMLParser(t, resp.Body)
-		testSubmitReview(t, approveSession, htmlDoc.GetCSRF(), "user2", "repo1", strconv.Itoa(int(pr.Index)), sha, "approve", http.StatusOK)
+		testSubmitReview(t, approveSession, "user2", "repo1", strconv.Itoa(int(pr.Index)), sha, "approve", http.StatusOK)
 
 		time.Sleep(2 * time.Second)
 
@@ -1067,11 +1045,8 @@ func TestPullAutoMergeAfterCommitStatusSucceedAndApprovalForAgitFlow(t *testing.
 		})
 
 		session := loginUser(t, "user1")
-		// add protected branch for commit status
-		csrf := GetUserCSRFToken(t, session)
 		// Change master branch to protected
 		req := NewRequestWithValues(t, "POST", "/user2/repo1/settings/branches/edit", map[string]string{
-			"_csrf":                 csrf,
 			"rule_name":             "master",
 			"enable_push":           "true",
 			"enable_status_check":   "true",
@@ -1122,10 +1097,7 @@ func TestPullAutoMergeAfterCommitStatusSucceedAndApprovalForAgitFlow(t *testing.
 
 		// approve the PR from non-author
 		approveSession := loginUser(t, "user1")
-		req = NewRequest(t, "GET", fmt.Sprintf("/user2/repo1/pulls/%d", pr.Index))
-		resp := approveSession.MakeRequest(t, req, http.StatusOK)
-		htmlDoc := NewHTMLParser(t, resp.Body)
-		testSubmitReview(t, approveSession, htmlDoc.GetCSRF(), "user2", "repo1", strconv.Itoa(int(pr.Index)), sha, "approve", http.StatusOK)
+		testSubmitReview(t, approveSession, "user2", "repo1", strconv.Itoa(int(pr.Index)), sha, "approve", http.StatusOK)
 
 		// reload pr again
 		pr = unittest.AssertExistsAndLoadBean(t, &issues_model.PullRequest{ID: pr.ID})
@@ -1156,11 +1128,8 @@ func TestPullNonMergeForAdminWithBranchProtection(t *testing.T) {
 			HeadBranch: "master",
 		})
 
-		// add protected branch for commit status
-		csrf := GetUserCSRFToken(t, session)
 		// Change master branch to protected
 		pbCreateReq := NewRequestWithValues(t, "POST", "/user2/repo1/settings/branches/edit", map[string]string{
-			"_csrf":                      csrf,
 			"rule_name":                  "master",
 			"enable_push":                "true",
 			"enable_status_check":        "true",
@@ -1172,7 +1141,6 @@ func TestPullNonMergeForAdminWithBranchProtection(t *testing.T) {
 		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
 
 		mergeReq := NewRequestWithValues(t, "POST", "/api/v1/repos/user2/repo1/pulls/6/merge", map[string]string{
-			"_csrf":                     csrf,
 			"head_commit_id":            "",
 			"merge_when_checks_succeed": "false",
 			"force_merge":               "true",
diff --git a/tests/integration/pull_review_test.go b/tests/integration/pull_review_test.go
index 5b13b7187ff7e..7edbd0b9ce740 100644
--- a/tests/integration/pull_review_test.go
+++ b/tests/integration/pull_review_test.go
@@ -233,16 +233,11 @@ func TestPullView_GivenApproveOrRejectReviewOnClosedPR(t *testing.T) {
 				DeleteBranch: false,
 			})
 
-			// Grab the CSRF token.
-			req := NewRequest(t, "GET", path.Join(elem[1], elem[2], "pulls", elem[4]))
-			resp = user2Session.MakeRequest(t, req, http.StatusOK)
-			htmlDoc := NewHTMLParser(t, resp.Body)
-
 			// Submit an approve review on the PR.
-			testSubmitReview(t, user2Session, htmlDoc.GetCSRF(), "user2", "repo1", elem[4], "", "approve", http.StatusUnprocessableEntity)
+			testSubmitReview(t, user2Session, "user2", "repo1", elem[4], "", "approve", http.StatusUnprocessableEntity)
 
 			// Submit a reject review on the PR.
-			testSubmitReview(t, user2Session, htmlDoc.GetCSRF(), "user2", "repo1", elem[4], "", "reject", http.StatusUnprocessableEntity)
+			testSubmitReview(t, user2Session, "user2", "repo1", elem[4], "", "reject", http.StatusUnprocessableEntity)
 		})
 
 		t.Run("Submit approve/reject review on closed PR", func(t *testing.T) {
@@ -253,23 +248,17 @@ func TestPullView_GivenApproveOrRejectReviewOnClosedPR(t *testing.T) {
 			assert.Equal(t, "pulls", elem[3])
 			testIssueClose(t, user1Session, elem[1], elem[2], elem[4])
 
-			// Grab the CSRF token.
-			req := NewRequest(t, "GET", path.Join(elem[1], elem[2], "pulls", elem[4]))
-			resp = user2Session.MakeRequest(t, req, http.StatusOK)
-			htmlDoc := NewHTMLParser(t, resp.Body)
-
 			// Submit an approve review on the PR.
-			testSubmitReview(t, user2Session, htmlDoc.GetCSRF(), "user2", "repo1", elem[4], "", "approve", http.StatusUnprocessableEntity)
+			testSubmitReview(t, user2Session, "user2", "repo1", elem[4], "", "approve", http.StatusUnprocessableEntity)
 
 			// Submit a reject review on the PR.
-			testSubmitReview(t, user2Session, htmlDoc.GetCSRF(), "user2", "repo1", elem[4], "", "reject", http.StatusUnprocessableEntity)
+			testSubmitReview(t, user2Session, "user2", "repo1", elem[4], "", "reject", http.StatusUnprocessableEntity)
 		})
 	})
 }
 
-func testSubmitReview(t *testing.T, session *TestSession, csrf, owner, repo, pullNumber, commitID, reviewType string, expectedSubmitStatus int) *httptest.ResponseRecorder {
+func testSubmitReview(t *testing.T, session *TestSession, owner, repo, pullNumber, commitID, reviewType string, expectedSubmitStatus int) *httptest.ResponseRecorder {
 	options := map[string]string{
-		"_csrf":     csrf,
 		"commit_id": commitID,
 		"content":   "test",
 		"type":      reviewType,
@@ -281,17 +270,12 @@ func testSubmitReview(t *testing.T, session *TestSession, csrf, owner, repo, pul
 }
 
 func testIssueClose(t *testing.T, session *TestSession, owner, repo, issueNumber string) *httptest.ResponseRecorder {
-	req := NewRequest(t, "GET", path.Join(owner, repo, "pulls", issueNumber))
-	resp := session.MakeRequest(t, req, http.StatusOK)
-
-	htmlDoc := NewHTMLParser(t, resp.Body)
 	closeURL := path.Join(owner, repo, "issues", issueNumber, "comments")
 
 	options := map[string]string{
-		"_csrf":  htmlDoc.GetCSRF(),
 		"status": "close",
 	}
 
-	req = NewRequestWithValues(t, "POST", closeURL, options)
+	req := NewRequestWithValues(t, "POST", closeURL, options)
 	return session.MakeRequest(t, req, http.StatusOK)
 }
diff --git a/tests/integration/pull_status_test.go b/tests/integration/pull_status_test.go
index 49326a594aee6..5c5d631849a4e 100644
--- a/tests/integration/pull_status_test.go
+++ b/tests/integration/pull_status_test.go
@@ -34,7 +34,6 @@ func TestPullCreate_CommitStatus(t *testing.T) {
 		url := path.Join("user1", "repo1", "compare", "master...status1")
 		req := NewRequestWithValues(t, "POST", url,
 			map[string]string{
-				"_csrf": GetUserCSRFToken(t, session),
 				"title": "pull request from status1",
 			},
 		)
@@ -134,7 +133,6 @@ func TestPullCreate_EmptyChangesWithDifferentCommits(t *testing.T) {
 		url := path.Join("user1", "repo1", "compare", "master...status1")
 		req := NewRequestWithValues(t, "POST", url,
 			map[string]string{
-				"_csrf": GetUserCSRFToken(t, session),
 				"title": "pull request from status1",
 			},
 		)
@@ -157,7 +155,6 @@ func TestPullCreate_EmptyChangesWithSameCommits(t *testing.T) {
 		url := path.Join("user1", "repo1", "compare", "master...status1")
 		req := NewRequestWithValues(t, "POST", url,
 			map[string]string{
-				"_csrf": GetUserCSRFToken(t, session),
 				"title": "pull request from status1",
 			},
 		)
diff --git a/tests/integration/release_test.go b/tests/integration/release_test.go
index 88a58787af326..de86a3f348082 100644
--- a/tests/integration/release_test.go
+++ b/tests/integration/release_test.go
@@ -28,7 +28,6 @@ func createNewRelease(t *testing.T, session *TestSession, repoURL, tag, title st
 	assert.True(t, exists, "The template has changed")
 
 	postData := map[string]string{
-		"_csrf":      htmlDoc.GetCSRF(),
 		"tag_name":   tag,
 		"tag_target": "master",
 		"title":      title,
diff --git a/tests/integration/rename_branch_test.go b/tests/integration/rename_branch_test.go
index 492fdf781bca1..00ad6546e3149 100644
--- a/tests/integration/rename_branch_test.go
+++ b/tests/integration/rename_branch_test.go
@@ -27,14 +27,9 @@ func testRenameBranch(t *testing.T, u *url.URL) {
 
 	// get branch setting page
 	session := loginUser(t, "user2")
-	req := NewRequest(t, "GET", "/user2/repo1/branches")
-	resp := session.MakeRequest(t, req, http.StatusOK)
-	htmlDoc := NewHTMLParser(t, resp.Body)
-
-	req = NewRequestWithValues(t, "POST", "/user2/repo1/branches/rename", map[string]string{
-		"_csrf": htmlDoc.GetCSRF(),
-		"from":  "master",
-		"to":    "main",
+	req := NewRequestWithValues(t, "POST", "/user2/repo1/branches/rename", map[string]string{
+		"from": "master",
+		"to":   "main",
 	})
 	session.MakeRequest(t, req, http.StatusSeeOther)
 
@@ -44,7 +39,7 @@ func testRenameBranch(t *testing.T, u *url.URL) {
 
 	// check old branch link
 	req = NewRequestWithValues(t, "GET", "/user2/repo1/src/branch/master/README.md", nil)
-	resp = session.MakeRequest(t, req, http.StatusSeeOther)
+	resp := session.MakeRequest(t, req, http.StatusSeeOther)
 	location := resp.Header().Get("Location")
 	assert.Equal(t, "/user2/repo1/src/branch/main/README.md", location)
 
@@ -53,10 +48,7 @@ func testRenameBranch(t *testing.T, u *url.URL) {
 	assert.Equal(t, "main", repo1.DefaultBranch)
 
 	// create branch1
-	csrf := GetUserCSRFToken(t, session)
-
 	req = NewRequestWithValues(t, "POST", "/user2/repo1/branches/_new/branch/main", map[string]string{
-		"_csrf":           csrf,
 		"new_branch_name": "branch1",
 	})
 	session.MakeRequest(t, req, http.StatusSeeOther)
@@ -66,7 +58,6 @@ func testRenameBranch(t *testing.T, u *url.URL) {
 
 	// create branch2
 	req = NewRequestWithValues(t, "POST", "/user2/repo1/branches/_new/branch/main", map[string]string{
-		"_csrf":           csrf,
 		"new_branch_name": "branch2",
 	})
 	session.MakeRequest(t, req, http.StatusSeeOther)
@@ -76,9 +67,8 @@ func testRenameBranch(t *testing.T, u *url.URL) {
 
 	// rename branch2 to branch1
 	req = NewRequestWithValues(t, "POST", "/user2/repo1/branches/rename", map[string]string{
-		"_csrf": htmlDoc.GetCSRF(),
-		"from":  "branch2",
-		"to":    "branch1",
+		"from": "branch2",
+		"to":   "branch1",
 	})
 	session.MakeRequest(t, req, http.StatusSeeOther)
 	flashMsg := session.GetCookieFlashMessage()
@@ -91,8 +81,7 @@ func testRenameBranch(t *testing.T, u *url.URL) {
 
 	// delete branch1
 	req = NewRequestWithValues(t, "POST", "/user2/repo1/branches/delete", map[string]string{
-		"_csrf": htmlDoc.GetCSRF(),
-		"name":  "branch1",
+		"name": "branch1",
 	})
 	session.MakeRequest(t, req, http.StatusOK)
 	branch2 = unittest.AssertExistsAndLoadBean(t, &git_model.Branch{RepoID: repo1.ID, Name: "branch2"})
@@ -102,9 +91,8 @@ func testRenameBranch(t *testing.T, u *url.URL) {
 
 	// rename branch2 to branch1 again
 	req = NewRequestWithValues(t, "POST", "/user2/repo1/branches/rename", map[string]string{
-		"_csrf": htmlDoc.GetCSRF(),
-		"from":  "branch2",
-		"to":    "branch1",
+		"from": "branch2",
+		"to":   "branch1",
 	})
 	session.MakeRequest(t, req, http.StatusSeeOther)
 
diff --git a/tests/integration/repo_branch_test.go b/tests/integration/repo_branch_test.go
index 666ae44c08347..6cf9990d2eaee 100644
--- a/tests/integration/repo_branch_test.go
+++ b/tests/integration/repo_branch_test.go
@@ -15,16 +15,13 @@ import (
 	"code.gitea.io/gitea/models/unittest"
 	"code.gitea.io/gitea/modules/test"
 	"code.gitea.io/gitea/modules/translation"
-	"code.gitea.io/gitea/tests"
 
 	"github.com/PuerkitoBio/goquery"
 	"github.com/stretchr/testify/assert"
 )
 
 func testCreateBranch(t testing.TB, session *TestSession, user, repo, oldRefSubURL, newBranchName string, expectedStatus int) string {
-	csrf := GetUserCSRFToken(t, session)
 	req := NewRequestWithValues(t, "POST", path.Join(user, repo, "branches/_new", oldRefSubURL), map[string]string{
-		"_csrf":           csrf,
 		"new_branch_name": newBranchName,
 	})
 	resp := session.MakeRequest(t, req, expectedStatus)
@@ -126,17 +123,6 @@ func testCreateBranches(t *testing.T, giteaURL *url.URL) {
 	}
 }
 
-func TestCreateBranchInvalidCSRF(t *testing.T) {
-	defer tests.PrepareTestEnv(t)()
-	session := loginUser(t, "user2")
-	req := NewRequestWithValues(t, "POST", "user2/repo1/branches/_new/branch/master", map[string]string{
-		"_csrf":           "fake_csrf",
-		"new_branch_name": "test",
-	})
-	resp := session.MakeRequest(t, req, http.StatusBadRequest)
-	assert.Contains(t, resp.Body.String(), "Invalid CSRF token")
-}
-
 func prepareRecentlyPushedBranchTest(t *testing.T, headSession *TestSession, baseRepo, headRepo *repo_model.Repository) {
 	refSubURL := "branch/" + headRepo.DefaultBranch
 	baseRepoPath := baseRepo.OwnerName + "/" + baseRepo.Name
diff --git a/tests/integration/repo_fork_test.go b/tests/integration/repo_fork_test.go
index e24f31adf2e62..bf3ef2571e113 100644
--- a/tests/integration/repo_fork_test.go
+++ b/tests/integration/repo_fork_test.go
@@ -46,7 +46,6 @@ func testRepoFork(t *testing.T, session *TestSession, ownerName, repoName, forkO
 	_, exists = htmlDoc.doc.Find(fmt.Sprintf(".owner.dropdown .item[data-value=\"%d\"]", forkOwner.ID)).Attr("data-value")
 	assert.True(t, exists, "Fork owner '%s' is not present in select box", forkOwnerName)
 	req = NewRequestWithValues(t, "POST", link, map[string]string{
-		"_csrf":              htmlDoc.GetCSRF(),
 		"uid":                strconv.FormatInt(forkOwner.ID, 10),
 		"repo_name":          forkRepoName,
 		"fork_single_branch": forkBranch,
diff --git a/tests/integration/repo_generate_test.go b/tests/integration/repo_generate_test.go
index fca4e92982032..be4d5a036b82a 100644
--- a/tests/integration/repo_generate_test.go
+++ b/tests/integration/repo_generate_test.go
@@ -44,7 +44,6 @@ func testRepoGenerate(t *testing.T, session *TestSession, templateID, templateOw
 	_, exists = htmlDoc.doc.Find(fmt.Sprintf(`#repo_owner_dropdown .item[data-value="%d"]`, generateOwner.ID)).Attr("data-value")
 	assert.True(t, exists, "Generate owner '%s' is not present in select box", generateOwnerName)
 	req = NewRequestWithValues(t, "POST", link, map[string]string{
-		"_csrf":         htmlDoc.GetCSRF(),
 		"uid":           strconv.FormatInt(generateOwner.ID, 10),
 		"repo_name":     generateRepoName,
 		"repo_template": templateID,
diff --git a/tests/integration/repo_merge_upstream_test.go b/tests/integration/repo_merge_upstream_test.go
index 17e8083399284..84c87066cb74a 100644
--- a/tests/integration/repo_merge_upstream_test.go
+++ b/tests/integration/repo_merge_upstream_test.go
@@ -49,7 +49,6 @@ func TestRepoMergeUpstream(t *testing.T) {
 
 		// create fork-branch
 		req = NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/test-repo-fork/branches/_new/branch/master", forkUser.Name), map[string]string{
-			"_csrf":           GetUserCSRFToken(t, session),
 			"new_branch_name": "fork-branch",
 		})
 		session.MakeRequest(t, req, http.StatusSeeOther)
@@ -81,7 +80,6 @@ func TestRepoMergeUpstream(t *testing.T) {
 			t.Run("DetectSameBranch", func(t *testing.T) {
 				// if the fork-branch name also exists in the base repo, then use that branch instead
 				req = NewRequestWithValues(t, "POST", "/user2/repo1/branches/_new/branch/master", map[string]string{
-					"_csrf":           GetUserCSRFToken(t, sessionBaseUser),
 					"new_branch_name": "fork-branch",
 				})
 				sessionBaseUser.MakeRequest(t, req, http.StatusSeeOther)
@@ -99,14 +97,12 @@ func TestRepoMergeUpstream(t *testing.T) {
 			})
 
 			// click the "sync fork" button
-			req = NewRequestWithValues(t, "POST", mergeUpstreamLink, map[string]string{"_csrf": GetUserCSRFToken(t, session)})
+			req = NewRequest(t, "POST", mergeUpstreamLink)
 			session.MakeRequest(t, req, http.StatusOK)
 			checkFileContent("fork-branch", "test-content-1")
 
 			// delete the "fork-branch" from the base repo
-			req = NewRequestWithValues(t, "POST", "/user2/repo1/branches/delete?name=fork-branch", map[string]string{
-				"_csrf": GetUserCSRFToken(t, sessionBaseUser),
-			})
+			req = NewRequest(t, "POST", "/user2/repo1/branches/delete?name=fork-branch")
 			sessionBaseUser.MakeRequest(t, req, http.StatusOK)
 		})
 
@@ -151,7 +147,6 @@ func TestRepoMergeUpstream(t *testing.T) {
 		t.Run("FastForwardOnly", func(t *testing.T) {
 			// Create a clean branch for fast-forward testing
 			req = NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/test-repo-fork/branches/_new/branch/master", forkUser.Name), map[string]string{
-				"_csrf":           GetUserCSRFToken(t, session),
 				"new_branch_name": "ff-test-branch",
 			})
 			session.MakeRequest(t, req, http.StatusSeeOther)
diff --git a/tests/integration/repo_migrate_test.go b/tests/integration/repo_migrate_test.go
index 91e2961d6d454..98ad112fcc505 100644
--- a/tests/integration/repo_migrate_test.go
+++ b/tests/integration/repo_migrate_test.go
@@ -27,7 +27,6 @@ func testRepoMigrate(t testing.TB, session *TestSession, cloneAddr, repoName str
 	assert.True(t, exists, "The template has changed")
 
 	req = NewRequestWithValues(t, "POST", link, map[string]string{
-		"_csrf":      htmlDoc.GetCSRF(),
 		"clone_addr": cloneAddr,
 		"uid":        uid,
 		"repo_name":  repoName,
diff --git a/tests/integration/repo_test.go b/tests/integration/repo_test.go
index cd6b0df122206..e88b6b62249da 100644
--- a/tests/integration/repo_test.go
+++ b/tests/integration/repo_test.go
@@ -157,7 +157,6 @@ func testViewRepoPrivate(t *testing.T) {
 
 		// set unit code to "anonymous read"
 		req = NewRequestWithValues(t, "POST", "/org3/repo3/settings/public_access", map[string]string{
-			"_csrf": GetUserCSRFToken(t, session),
 			"repo-unit-access-" + strconv.Itoa(int(unit.TypeCode)): "anonymous-read",
 		})
 		session.MakeRequest(t, req, http.StatusSeeOther)
@@ -168,9 +167,7 @@ func testViewRepoPrivate(t *testing.T) {
 		assert.Contains(t, resp.Body.String(), `<span class="ui basic orange label">Public Access</span>`)
 
 		// remove "anonymous read"
-		req = NewRequestWithValues(t, "POST", "/org3/repo3/settings/public_access", map[string]string{
-			"_csrf": GetUserCSRFToken(t, session),
-		})
+		req = NewRequest(t, "POST", "/org3/repo3/settings/public_access")
 		session.MakeRequest(t, req, http.StatusSeeOther)
 
 		// try to "anonymous read" (not found)
diff --git a/tests/integration/repo_webhook_test.go b/tests/integration/repo_webhook_test.go
index 91539f2429f4c..6d813db589efe 100644
--- a/tests/integration/repo_webhook_test.go
+++ b/tests/integration/repo_webhook_test.go
@@ -83,9 +83,7 @@ func testAPICreateWebhookForRepo(t *testing.T, session *TestSession, userName, r
 }
 
 func testCreateWebhookForRepo(t *testing.T, session *TestSession, webhookType, userName, repoName, url, eventKind string) {
-	csrf := GetUserCSRFToken(t, session)
 	req := NewRequestWithValues(t, "POST", "/"+userName+"/"+repoName+"/settings/hooks/"+webhookType+"/new", map[string]string{
-		"_csrf":        csrf,
 		"payload_url":  url,
 		"events":       eventKind,
 		"active":       "true",
@@ -278,7 +276,6 @@ func Test_WebhookIssueComment(t *testing.T) {
 			commentID := testIssueAddComment(t, session, issueURL, "issue title3 comment1", "")
 			modifiedContent := "issue title2 comment1 - modified"
 			req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/comments/%d", "user2", "repo1", commentID), map[string]string{
-				"_csrf":   GetUserCSRFToken(t, session),
 				"content": modifiedContent,
 			})
 			session.MakeRequest(t, req, http.StatusOK)
@@ -306,7 +303,6 @@ func Test_WebhookIssueComment(t *testing.T) {
 			payloads = make([]api.IssueCommentPayload, 0, 2)
 			triggeredEvent = ""
 			req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/comments/%d", "user2", "repo1", commentID), map[string]string{
-				"_csrf":   GetUserCSRFToken(t, session),
 				"content": commentContent,
 			})
 			session.MakeRequest(t, req, http.StatusOK)
@@ -1284,9 +1280,7 @@ jobs:
 	// Call cancel ui api
 	// Only a web UI API exists for cancelling workflow runs, so use the UI endpoint.
 	cancelURL := fmt.Sprintf("/user2/repo1/actions/runs/%d/cancel", webhookData.payloads[0].WorkflowRun.RunNumber)
-	req := NewRequestWithValues(t, "POST", cancelURL, map[string]string{
-		"_csrf": GetUserCSRFToken(t, session),
-	})
+	req := NewRequest(t, "POST", cancelURL)
 	session.MakeRequest(t, req, http.StatusOK)
 
 	assert.Len(t, webhookData.payloads, 2)
@@ -1418,9 +1412,7 @@ jobs:
 	// Call cancel ui api
 	// Only a web UI API exists for cancelling workflow runs, so use the UI endpoint.
 	cancelURL := fmt.Sprintf("/user2/repo1/actions/runs/%d/cancel", webhookData.payloads[0].WorkflowRun.RunNumber)
-	req := NewRequestWithValues(t, "POST", cancelURL, map[string]string{
-		"_csrf": GetUserCSRFToken(t, session),
-	})
+	req := NewRequest(t, "POST", cancelURL)
 	session.MakeRequest(t, req, http.StatusOK)
 
 	assert.Len(t, webhookData.payloads, 2)
@@ -1438,9 +1430,7 @@ jobs:
 	// Call rerun ui api
 	// Only a web UI API exists for rerunning workflow runs, so use the UI endpoint.
 	rerunURL := fmt.Sprintf("/user2/repo1/actions/runs/%d/rerun", webhookData.payloads[0].WorkflowRun.RunNumber)
-	req = NewRequestWithValues(t, "POST", rerunURL, map[string]string{
-		"_csrf": GetUserCSRFToken(t, session),
-	})
+	req = NewRequest(t, "POST", rerunURL)
 	session.MakeRequest(t, req, http.StatusOK)
 
 	assert.Len(t, webhookData.payloads, 3)
diff --git a/tests/integration/timetracking_test.go b/tests/integration/timetracking_test.go
index ebe084ccdce08..3dec6db2e843b 100644
--- a/tests/integration/timetracking_test.go
+++ b/tests/integration/timetracking_test.go
@@ -46,9 +46,7 @@ func testViewTimetrackingControls(t *testing.T, session *TestSession, user, repo
 	AssertHTMLElement(t, htmlDoc, ".issue-add-time", canTrackTime)
 
 	issueLink := path.Join(user, repo, "issues", issue)
-	reqStart := NewRequestWithValues(t, "POST", path.Join(issueLink, "times", "stopwatch", "start"), map[string]string{
-		"_csrf": htmlDoc.GetCSRF(),
-	})
+	reqStart := NewRequest(t, "POST", path.Join(issueLink, "times", "stopwatch", "start"))
 	if canTrackTime {
 		session.MakeRequest(t, reqStart, http.StatusOK)
 
@@ -65,9 +63,7 @@ func testViewTimetrackingControls(t *testing.T, session *TestSession, user, repo
 		// Sleep for 1 second to not get wrong order for stopping timer
 		time.Sleep(time.Second)
 
-		reqStop := NewRequestWithValues(t, "POST", path.Join(issueLink, "times", "stopwatch", "stop"), map[string]string{
-			"_csrf": htmlDoc.GetCSRF(),
-		})
+		reqStop := NewRequest(t, "POST", path.Join(issueLink, "times", "stopwatch", "stop"))
 		session.MakeRequest(t, reqStop, http.StatusOK)
 
 		req = NewRequest(t, "GET", issueLink)
diff --git a/tests/integration/user_avatar_test.go b/tests/integration/user_avatar_test.go
index bf28afade0b3e..eeb0b15b93410 100644
--- a/tests/integration/user_avatar_test.go
+++ b/tests/integration/user_avatar_test.go
@@ -35,7 +35,6 @@ func TestUserAvatar(t *testing.T) {
 	}
 
 	session := loginUser(t, "user2")
-	csrf := GetUserCSRFToken(t, session)
 
 	imgData := &bytes.Buffer{}
 
@@ -66,7 +65,6 @@ func TestUserAvatar(t *testing.T) {
 	}
 
 	req := NewRequestWithBody(t, "POST", "/user/settings/avatar", body)
-	req.Header.Add("X-Csrf-Token", csrf)
 	req.Header.Add("Content-Type", writer.FormDataContentType())
 
 	session.MakeRequest(t, req, http.StatusSeeOther)
diff --git a/tests/integration/user_settings_test.go b/tests/integration/user_settings_test.go
index eab1a72ed5b4c..85af48e904dd0 100644
--- a/tests/integration/user_settings_test.go
+++ b/tests/integration/user_settings_test.go
@@ -129,13 +129,7 @@ func TestUserSettingsUpdatePassword(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
 		session := loginUser(t, "user2")
-
-		req := NewRequest(t, "GET", "/user/settings/account")
-		resp := session.MakeRequest(t, req, http.StatusOK)
-		doc := NewHTMLParser(t, resp.Body)
-
-		req = NewRequestWithValues(t, "POST", "/user/settings/account", map[string]string{
-			"_csrf":        doc.GetCSRF(),
+		req := NewRequestWithValues(t, "POST", "/user/settings/account", map[string]string{
 			"old_password": "password",
 			"password":     "password",
 			"retype":       "password",
@@ -147,16 +141,8 @@ func TestUserSettingsUpdatePassword(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
 		WithDisabledFeatures(t, setting.UserFeatureManageCredentials)
-
 		session := loginUser(t, "user2")
-
-		req := NewRequest(t, "GET", "/user/settings/account")
-		resp := session.MakeRequest(t, req, http.StatusOK)
-		doc := NewHTMLParser(t, resp.Body)
-
-		req = NewRequestWithValues(t, "POST", "/user/settings/account", map[string]string{
-			"_csrf": doc.GetCSRF(),
-		})
+		req := NewRequest(t, "POST", "/user/settings/account")
 		session.MakeRequest(t, req, http.StatusNotFound)
 	})
 }
@@ -168,16 +154,8 @@ func TestUserSettingsUpdateEmail(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
 		WithDisabledFeatures(t, setting.UserFeatureManageCredentials)
-
 		session := loginUser(t, "user2")
-
-		req := NewRequest(t, "GET", "/user/settings/account")
-		resp := session.MakeRequest(t, req, http.StatusOK)
-		doc := NewHTMLParser(t, resp.Body)
-
-		req = NewRequestWithValues(t, "POST", "/user/settings/account/email", map[string]string{
-			"_csrf": doc.GetCSRF(),
-		})
+		req := NewRequest(t, "POST", "/user/settings/account/email")
 		session.MakeRequest(t, req, http.StatusNotFound)
 	})
 }
@@ -189,16 +167,8 @@ func TestUserSettingsDeleteEmail(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
 		WithDisabledFeatures(t, setting.UserFeatureManageCredentials)
-
 		session := loginUser(t, "user2")
-
-		req := NewRequest(t, "GET", "/user/settings/account")
-		resp := session.MakeRequest(t, req, http.StatusOK)
-		doc := NewHTMLParser(t, resp.Body)
-
-		req = NewRequestWithValues(t, "POST", "/user/settings/account/email/delete", map[string]string{
-			"_csrf": doc.GetCSRF(),
-		})
+		req := NewRequest(t, "POST", "/user/settings/account/email/delete")
 		session.MakeRequest(t, req, http.StatusNotFound)
 	})
 }
@@ -212,14 +182,7 @@ func TestUserSettingsDelete(t *testing.T) {
 		WithDisabledFeatures(t, setting.UserFeatureDeletion)
 
 		session := loginUser(t, "user2")
-
-		req := NewRequest(t, "GET", "/user/settings/account")
-		resp := session.MakeRequest(t, req, http.StatusOK)
-		doc := NewHTMLParser(t, resp.Body)
-
-		req = NewRequestWithValues(t, "POST", "/user/settings/account/delete", map[string]string{
-			"_csrf": doc.GetCSRF(),
-		})
+		req := NewRequest(t, "POST", "/user/settings/account/delete")
 		session.MakeRequest(t, req, http.StatusNotFound)
 	})
 }
@@ -308,15 +271,10 @@ func TestUserSettingsApplications(t *testing.T) {
 		t.Run("OAuthApplicationsEdit", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
-			req := NewRequest(t, "GET", "/user/settings/applications/oauth2/2")
-			resp := session.MakeRequest(t, req, http.StatusOK)
-			doc := NewHTMLParser(t, resp.Body)
-
 			t.Run("Invalid URL", func(t *testing.T) {
 				defer tests.PrintCurrentTest(t)()
 
 				req := NewRequestWithValues(t, "POST", "/user/settings/applications/oauth2/2", map[string]string{
-					"_csrf":               doc.GetCSRF(),
 					"application_name":    "Test native app",
 					"redirect_uris":       "ftp://127.0.0.1",
 					"confidential_client": "false",
@@ -332,7 +290,6 @@ func TestUserSettingsApplications(t *testing.T) {
 				defer tests.PrintCurrentTest(t)()
 
 				req := NewRequestWithValues(t, "POST", "/user/settings/applications/oauth2/2", map[string]string{
-					"_csrf":               doc.GetCSRF(),
 					"application_name":    "Test native app",
 					"redirect_uris":       "http://127.0.0.1",
 					"confidential_client": "false",
diff --git a/tests/integration/user_test.go b/tests/integration/user_test.go
index 54b372dd16428..faaae1103dbe8 100644
--- a/tests/integration/user_test.go
+++ b/tests/integration/user_test.go
@@ -34,7 +34,6 @@ func TestRenameUsername(t *testing.T) {
 
 	session := loginUser(t, "user2")
 	req := NewRequestWithValues(t, "POST", "/user/settings", map[string]string{
-		"_csrf":    GetUserCSRFToken(t, session),
 		"name":     "newUsername",
 		"email":    "user2@example.com",
 		"language": "en-US",
@@ -57,7 +56,6 @@ func TestViewLimitedAndPrivateUserAndRename(t *testing.T) {
 	oldName := org22.Name
 	newName := "org22_renamed"
 	req = NewRequestWithValues(t, "POST", "/org/"+oldName+"/settings/rename", map[string]string{
-		"_csrf":        GetUserCSRFToken(t, session),
 		"org_name":     oldName,
 		"new_org_name": newName,
 	})
@@ -79,7 +77,6 @@ func TestViewLimitedAndPrivateUserAndRename(t *testing.T) {
 	oldName = org23.Name
 	newName = "org23_renamed"
 	req = NewRequestWithValues(t, "POST", "/org/"+oldName+"/settings/rename", map[string]string{
-		"_csrf":        GetUserCSRFToken(t, session),
 		"org_name":     oldName,
 		"new_org_name": newName,
 	})
@@ -102,7 +99,6 @@ func TestViewLimitedAndPrivateUserAndRename(t *testing.T) {
 	newName = "user31_renamed"
 	session2 := loginUser(t, oldName)
 	req = NewRequestWithValues(t, "POST", "/user/settings", map[string]string{
-		"_csrf":      GetUserCSRFToken(t, session2),
 		"name":       newName,
 		"visibility": "2", // private
 	})
@@ -150,7 +146,6 @@ func TestRenameInvalidUsername(t *testing.T) {
 		t.Logf("Testing username %s", invalidUsername)
 
 		req := NewRequestWithValues(t, "POST", "/user/settings", map[string]string{
-			"_csrf": GetUserCSRFToken(t, session),
 			"name":  invalidUsername,
 			"email": "user2@example.com",
 		})
@@ -178,7 +173,6 @@ func TestRenameReservedUsername(t *testing.T) {
 	locale := translation.NewLocale("en-US")
 	for _, reservedUsername := range reservedUsernames {
 		req := NewRequestWithValues(t, "POST", "/user/settings", map[string]string{
-			"_csrf":    GetUserCSRFToken(t, session),
 			"name":     reservedUsername,
 			"email":    "user2@example.com",
 			"language": "en-US",
@@ -334,7 +328,6 @@ func TestUserLocationMapLink(t *testing.T) {
 
 	session := loginUser(t, "user2")
 	req := NewRequestWithValues(t, "POST", "/user/settings", map[string]string{
-		"_csrf":    GetUserCSRFToken(t, session),
 		"name":     "user2",
 		"email":    "user@example.com",
 		"language": "en-US",
diff --git a/tests/integration/xss_test.go b/tests/integration/xss_test.go
index 9058fc210af9f..62d2e27bcd89d 100644
--- a/tests/integration/xss_test.go
+++ b/tests/integration/xss_test.go
@@ -21,7 +21,6 @@ func TestXSSUserFullName(t *testing.T) {
 
 	session := loginUser(t, user.Name)
 	req := NewRequestWithValues(t, "POST", "/user/settings", map[string]string{
-		"_csrf":     GetUserCSRFToken(t, session),
 		"name":      user.Name,
 		"full_name": fullName,
 		"email":     user.Email,
diff --git a/web_src/js/components/PullRequestMergeForm.vue b/web_src/js/components/PullRequestMergeForm.vue
index b2c28414c04c1..e05046dadd37b 100644
--- a/web_src/js/components/PullRequestMergeForm.vue
+++ b/web_src/js/components/PullRequestMergeForm.vue
@@ -3,7 +3,7 @@ import {computed, onMounted, onUnmounted, shallowRef, watch} from 'vue';
 import {SvgIcon} from '../svg.ts';
 import {toggleElem} from '../utils/dom.ts';
 
-const {csrfToken, pageData} = window.config;
+const {pageData} = window.config;
 
 const mergeForm = pageData.pullRequestMergeForm;
 
@@ -95,7 +95,6 @@ function clearMergeMessage() {
 
     <!-- another similar form is in pull.tmpl (manual merge)-->
     <form class="ui form form-fetch-action" v-if="showActionForm" :action="mergeForm.baseLink+'/merge'" method="post">
-      <input type="hidden" name="_csrf" :value="csrfToken">
       <input type="hidden" name="head_commit_id" v-model="mergeForm.pullHeadCommitID">
       <input type="hidden" name="merge_when_checks_succeed" v-model="autoMergeWhenSucceed">
       <input type="hidden" name="force_merge" v-model="forceMerge">
@@ -177,7 +176,6 @@ function clearMergeMessage() {
 
       <!-- the cancel auto merge button -->
       <form v-if="mergeForm.hasPendingPullRequestMerge" :action="mergeForm.baseLink+'/cancel_auto_merge'" method="post" class="tw-ml-4">
-        <input type="hidden" name="_csrf" :value="csrfToken">
         <button class="ui button">
           {{ mergeForm.textAutoMergeCancelSchedule }}
         </button>
diff --git a/web_src/js/components/RepoBranchTagSelector.vue b/web_src/js/components/RepoBranchTagSelector.vue
index cf530f99b98d9..b25bbad913137 100644
--- a/web_src/js/components/RepoBranchTagSelector.vue
+++ b/web_src/js/components/RepoBranchTagSelector.vue
@@ -28,7 +28,6 @@ export default defineComponent({
   data() {
     const shouldShowTabBranches = this.elRoot.getAttribute('data-show-tab-branches') === 'true';
     return {
-      csrfToken: window.config.csrfToken,
       allItems: [] as ListItem[],
       selectedTab: (shouldShowTabBranches ? 'branches' : 'tags') as SelectedTab,
       searchTerm: '',
@@ -272,7 +271,6 @@ export default defineComponent({
             {{ textCreateRefFrom.replace('%s', currentRefShortName) }}
           </div>
           <form ref="createNewRefForm" method="post" :action="createNewRefFormActionUrl">
-            <input type="hidden" name="_csrf" :value="csrfToken">
             <input type="hidden" name="new_branch_name" :value="searchTerm">
             <input type="hidden" name="create_tag" :value="String(selectedTab === 'tags')">
             <input type="hidden" name="current_path" :value="currentTreePath">
diff --git a/web_src/js/features/dropzone.ts b/web_src/js/features/dropzone.ts
index b86ed520f55f7..fedcff2162b54 100644
--- a/web_src/js/features/dropzone.ts
+++ b/web_src/js/features/dropzone.ts
@@ -8,7 +8,7 @@ import {createElementFromHTML, createElementFromAttrs} from '../utils/dom.ts';
 import {isImageFile, isVideoFile} from '../utils.ts';
 import type {DropzoneFile, DropzoneOptions} from 'dropzone/index.js';
 
-const {csrfToken, i18n} = window.config;
+const {i18n} = window.config;
 
 type CustomDropzoneFile = DropzoneFile & {uuid: string};
 
@@ -73,7 +73,6 @@ export async function initDropzone(dropzoneEl: HTMLElement) {
   let fileUuidDict: FileUuidDict = {}; // to record: if a comment has been saved, then the uploaded files won't be deleted from server when clicking the Remove in the dropzone
   const opts: Record<string, any> = {
     url: dropzoneEl.getAttribute('data-upload-url'),
-    headers: {'X-Csrf-Token': csrfToken},
     acceptedFiles: ['*/*', ''].includes(dropzoneEl.getAttribute('data-accepts')!) ? null : dropzoneEl.getAttribute('data-accepts'),
     addRemoveLinks: true,
     dictDefaultMessage: dropzoneEl.getAttribute('data-default-message'),
diff --git a/web_src/js/features/pull-view-file.ts b/web_src/js/features/pull-view-file.ts
index 7cf6eceda47e0..73a04d54a5374 100644
--- a/web_src/js/features/pull-view-file.ts
+++ b/web_src/js/features/pull-view-file.ts
@@ -28,7 +28,7 @@ export function initViewedCheckboxListenerFor() {
     // To prevent double addition of listeners
     form.setAttribute('data-has-viewed-checkbox-listener', String(true));
 
-    // The checkbox consists of a div containing the real checkbox with its label and the CSRF token,
+    // The checkbox consists of a div containing the real checkbox with its label,
     // hence the actual checkbox first has to be found
     const checkbox = form.querySelector<HTMLInputElement>('input[type=checkbox]')!;
     checkbox.addEventListener('input', function() {
diff --git a/web_src/js/features/repo-settings.ts b/web_src/js/features/repo-settings.ts
index ee2f17f4e04d2..da0d135cb133b 100644
--- a/web_src/js/features/repo-settings.ts
+++ b/web_src/js/features/repo-settings.ts
@@ -5,7 +5,7 @@ import {initRepoSettingsBranchesDrag} from './repo-settings-branches.ts';
 import {fomanticQuery} from '../modules/fomantic/base.ts';
 import {globMatch} from '../utils/glob.ts';
 
-const {appSubUrl, csrfToken} = window.config;
+const {appSubUrl} = window.config;
 
 function initRepoSettingsCollaboration() {
   // Change collaborator access mode
@@ -56,7 +56,6 @@ function initRepoSettingsSearchTeamBox() {
     rawResponse: true,
     apiSettings: {
       url: `${appSubUrl}/org/${searchTeamBox.getAttribute('data-org-name')}/teams/-/search?q={query}`,
-      headers: {'X-Csrf-Token': csrfToken},
       onResponse(response: any) {
         const items: Array<Record<string, any>> = [];
         for (const item of response.data) {
diff --git a/web_src/js/modules/fetch.ts b/web_src/js/modules/fetch.ts
index 14e7954116808..16b2b58bae9b9 100644
--- a/web_src/js/modules/fetch.ts
+++ b/web_src/js/modules/fetch.ts
@@ -1,11 +1,6 @@
 import {isObject} from '../utils.ts';
 import type {RequestOpts} from '../types.ts';
 
-const {csrfToken} = window.config;
-
-// safe HTTP methods that don't need a csrf token
-const safeMethods = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);
-
 // fetch wrapper, use below method name functions and the `data` option to pass in data
 // which will automatically set an appropriate headers. For json content, only object
 // and array types are currently supported.
@@ -20,7 +15,6 @@ export function request(url: string, {method = 'GET', data, headers = {}, ...oth
   }
 
   const headersMerged = new Headers({
-    ...(!safeMethods.has(method) && {'x-csrf-token': csrfToken}),
     ...(contentType && {'content-type': contentType}),
   });
 
diff --git a/web_src/js/types.ts b/web_src/js/types.ts
index 2f76a58c9d0b1..6900b18e628b1 100644
--- a/web_src/js/types.ts
+++ b/web_src/js/types.ts
@@ -13,7 +13,6 @@ export type Config = {
   assetUrlPrefix: string,
   runModeIsProd: boolean,
   customEmojis: Record<string, string>,
-  csrfToken: string,
   pageData: Record<string, any>,
   notificationSettings: Record<string, any>,
   enableTimeTracking: boolean,
diff --git a/web_src/js/vitest.setup.ts b/web_src/js/vitest.setup.ts
index 68e300f551b15..10d836ff7973f 100644
--- a/web_src/js/vitest.setup.ts
+++ b/web_src/js/vitest.setup.ts
@@ -7,7 +7,6 @@ window.config = {
   assetUrlPrefix: '',
   runModeIsProd: true,
   customEmojis: {},
-  csrfToken: 'test-csrf-token-123456',
   pageData: {},
   notificationSettings: {},
   enableTimeTracking: true,