diff --git a/app/controllers/application_api_controller.rb b/app/controllers/application_api_controller.rb
index 34ea70050a..d89d997662 100644
--- a/app/controllers/application_api_controller.rb
+++ b/app/controllers/application_api_controller.rb
@@ -15,7 +15,7 @@ class ApplicationApiController < ActionController::API
 before_action :check_config_update_lock!
 before_action :set_csrf_cookie, unless: -> { request_from_basic_auth? }
- protect_from_forgery with: :exception, if: -> { use_csrf_protection? }
+ protect_from_forgery with: :exception, prepend: true, if: -> { use_csrf_protection? }
 class << self
 attr_accessor :model_class
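Review bot: With `prepend: true` on the `protect_from_forgery` line, the `if: -> { use_csrf_protection? }` guard is now evaluated ahead of every callback declared before it, so it must not depend on anything those callbacks set up. `use_csrf_protection?` is defined outside this hunk; if it reads state populated by an earlier `before_action` (for example the resolved user or the authentication scheme), it could now see that state unset and skip verification. I would add a comment above the line, `# prepend: true: CSRF check must run before the other before_actions; use_csrf_protection? may only read the raw request`, and a request spec asserting that a cookie-authenticated, state-changing request without a valid token is rejected. The class body continues outside the hunk, so the callbacks declared above line 15 should be checked as well.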