diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 38ce20f34..d22ec7269 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -4,6 +4,8 @@ class ApplicationController < ActionController::Base
 include HasFilters
 include HasOrders
 
+ protect_from_forgery with: :exception
+
 before_action :authenticate_http_basic, if: :http_basic_auth_site?
 before_action :ensure_signup_complete
 
@@ -15,8 +17,6 @@ class ApplicationController < ActionController::Base
 check_authorization unless: :devise_controller?
 self.responder = ApplicationResponder
 
-
- protect_from_forgery with: :exception
-
 rescue_from CanCan::AccessDenied do |exception|
 respond_to do |format|
 format.html { redirect_to main_app.root_url, alert: exception.message }
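Review bot: The added `protect_from_forgery with: :exception` in the first hunk depends on its position above the `before_action` lines to make CSRF verification run first, and nothing in the file records that. If this app is on Rails 5 or later, the callback is appended in declaration order unless `prepend: true` is passed, so a later reshuffle could put other callbacks ahead of it again. The included `HasFilters` and `HasOrders` concerns are not visible here and may also register callbacks before it. I would write `protect_from_forgery with: :exception, prepend: true`, or at least add a comment such as `# Keep first: CSRF verification must run before any other before_action`. The class body continues outside the hunk, so callbacks declared elsewhere are not covered by this note.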