diff --git a/src/middleware/header.js b/src/middleware/header.js
index 9ccb085169..052a69ff4a 100644
--- a/src/middleware/header.js
+++ b/src/middleware/header.js
@@ -26,7 +26,11 @@ module.exports = function (middleware) {
 res.locals.isAPI = false;
 async.waterfall([
 function (next) {
- middleware.applyCSRF(req, res, next);
+ if (!req.isSpider()) {
+ middleware.applyCSRF(req, res, next);
+ } else {
+ setImmediate(next);
+ }
 },
 function (next) {
 async.parallel({
diff --git a/src/middleware/index.js b/src/middleware/index.js
index e1119a35f5..91d5a0e01d 100644
--- a/src/middleware/index.js
+++ b/src/middleware/index.js
@@ -32,15 +32,7 @@ middleware.regexes = {
 timestampedUpload: /^\d+-.+$/,
 };
-const csrfMiddleware = csrf();
-
-middleware.applyCSRF = function (req, res, next) {
- if (req.uid >= 0) {
- csrfMiddleware(req, res, next);
- } else {
- setImmediate(next);
- }
-};
+middleware.applyCSRF = csrf();
 middleware.ensureLoggedIn = ensureLoggedIn.ensureLoggedIn(nconf.get('relative_path') + '/login');
diff --git a/src/routes/api.js b/src/routes/api.js
index 4ff12e4895..d2143f30da 100644
--- a/src/routes/api.js
+++ b/src/routes/api.js
@@ -8,7 +8,13 @@ module.exports = function (app, middleware, controllers) {
 var router = express.Router();
 app.use('/api', router);
- router.get('/config', middleware.applyCSRF, controllers.api.getConfig);
+ router.get('/config', function (req, res, next) {
+ if (!req.isSpider()) {
+ middleware.applyCSRF(req, res, next);
+ } else {
+ setImmediate(next);
+ }
+ }, controllers.api.getConfig);
 router.get('/me', middleware.checkGlobalPrivacySettings, controllers.user.getCurrentUser);
 router.get('/user/uid/:uid', middleware.checkGlobalPrivacySettings, controllers.user.getUserByUID);
diff --git a/test/controllers.js b/test/controllers.js
index 16a2dd5a2b..83a54e50ec 100644
--- a/test/controllers.js
+++ b/test/controllers.js
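Review bot: The new branch at the top of the waterfall decides whether to run `middleware.applyCSRF` from `req.isSpider()`, which the spider test in this same commit drives purely through a `user-agent: yandex` header, so the bypass is under the client's control. That is presumably acceptable here because the branch only governs whether a token is made available to the rendered page, not whether a submitted token is verified, but nothing in the code says so; a comment would keep the wrapper from being copied onto a mutating route: `// Spiders get no CSRF token; UA is client-controlled, so never use this to skip verification`. The identical five-line wrapper is added to src/routes/api.js in this commit, so a shared named middleware (e.g. `middleware.applyCSRFUnlessSpider`) would stop the two from drifting apart. The enclosing `module.exports` function begins before and continues past the hunk.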
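Review bot: Replacing the wrapper with a bare `middleware.applyCSRF = csrf();` drops the `req.uid >= 0` guard for every caller, not just the two call sites this commit wraps with a spider check, so any other route that reaches `applyCSRF` with a uid below zero now runs the csrf middleware where it used to be skipped. Unconditional enforcement is the safer default on verification paths, but the csrf middleware presumably needs a session or cookie to hold its secret, so each remaining call site should be checked for crawler-reachable GETs before this merges. A short comment on the new line would record the intent so the guard is not reintroduced later: `// Always enforced; token-issuing GET routes decide for themselves whether to skip spiders`.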
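Review bot: The `/config` route now carries an anonymous inline middleware that is a line-for-line copy of the spider check added to src/middleware/header.js in this commit, which breaks the flat `router.get(path, middleware, handler)` shape of the neighbouring routes and leaves two places to keep in sync. Defining the check once in src/middleware (a named function that calls `middleware.applyCSRF` unless `req.isSpider()`, and otherwise `setImmediate(next)`) would reduce this line to `router.get('/config', middleware.applyCSRFUnlessSpider, controllers.api.getConfig);`. Since `req.isSpider()` appears to key off the client-supplied User-Agent, whichever name is chosen should make clear that it only suppresses token issuance on a GET and is never to be applied to a state-changing route. The enclosing `module.exports` function starts before the hunk and continues after it.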
@@ -60,6 +60,35 @@ describe('Controllers', function () {
 });
 });
+ it('should load /config with csrf_token', function (done) {
+ request({
+ url: nconf.get('url') + '/api/config',
+ json: true,
+ }, function (err, response, body) {
+ assert.ifError(err);
+ assert.equal(response.statusCode, 200);
+ assert(body.csrf_token);
+ done();
+ });
+ });
+
+ it('should load /config with no csrf_token as spider', function (done) {
+ request({
+ url: nconf.get('url') + '/api/config',
+ json: true,
+ headers: {
+ 'user-agent': 'yandex',
+ },
+ }, function (err, response, body) {
+ assert.ifError(err);
+ assert.equal(response.statusCode, 200);
+ assert.strictEqual(body.csrf_token, false);
+ assert.strictEqual(body.uid, -1);
+ assert.strictEqual(body.loggedIn, false);
+ done();
+ });
+ });
+
 describe('homepage', function () {
 function hookMethod(hookData) {
 assert(hookData.req);
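Review bot: The spider test pins only one half of the contract — that `user-agent: yandex` yields `csrf_token: false` — and nothing checks that presenting a spider User-Agent does not also exempt a request from CSRF verification on a state-changing route, which is the property that matters because the header is chosen by the client. A companion test should POST to any csrf-protected endpoint with the same `user-agent` header and no CSRF token, asserting the rejection status the csrf middleware uses in this project (403 for csurf-style middleware; confirm locally). Separately, `assert(body.csrf_token)` only checks truthiness; `assert.strictEqual(typeof body.csrf_token, 'string')` would also catch a regression that returns a bare `true`, assuming the token is issued as a string. The `describe('Controllers')` block enclosing these tests starts before the hunk and continues past it.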