diff --git a/core/client/adapters/application.js b/core/client/adapters/application.js
index ff4a09c8c7..b0766882e4 100644
--- a/core/client/adapters/application.js
+++ b/core/client/adapters/application.js
@@ -5,9 +5,6 @@ import ghostPaths from 'ghost/utils/ghost-paths';
 var ApplicationAdapter = DS.RESTAdapter.extend({
 host: window.location.origin,
 namespace: ghostPaths().apiRoot.slice(1),
- headers: {
- 'X-CSRF-Token': $('meta[name="csrf-param"]').attr('content')
- },
 findQuery: function (store, type, query) {
 var id;
diff --git a/core/client/assets/lib/uploader.js b/core/client/assets/lib/uploader.js
index 9f656ea644..c11acf5e3e 100644
--- a/core/client/assets/lib/uploader.js
+++ b/core/client/assets/lib/uploader.js
@@ -64,9 +64,6 @@ UploadUi = function ($dropzone, settings) {
 $dropzone.find('.js-fileupload').fileupload().fileupload('option', {
 url: Ghost.subdir + '/ghost/upload/',
- headers: {
- 'X-CSRF-Token': $('meta[name=\'csrf-param\']').attr('content')
- },
 add: function (e, data) {
 /*jshint unused:false*/
 $('.js-button-accept').prop('disabled', true);
diff --git a/core/client/controllers/debug.js b/core/client/controllers/debug.js
index 4055ed3cb3..9089808783 100644
--- a/core/client/controllers/debug.js
+++ b/core/client/controllers/debug.js
@@ -16,9 +16,6 @@ var DebugController = Ember.Controller.extend(Ember.Evented, {
 ic.ajax.request(this.get('ghostPaths').apiUrl('db'), {
 type: 'POST',
- headers: {
- 'X-CSRF-Token': $('meta[name="csrf-param"]').attr('content')
- },
 data: formData,
 dataType: 'json',
 cache: false,
@@ -50,10 +47,7 @@ var DebugController = Ember.Controller.extend(Ember.Evented, {
 var self = this;
 ic.ajax.request(this.get('ghostPaths').apiUrl('mail', 'test'), {
- type: 'POST',
- headers: {
- 'X-CSRF-Token': $('meta[name="csrf-param"]').attr('content')
- }
+ type: 'POST'
 }).then(function () {
 self.notifications.showSuccess('Check your email for the test message:');
 }).catch(function (response) {
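Review bot: After the second debug.js hunk the `apiUrl('mail', 'test')` request carries only `type: 'POST'`, and nothing visible in this diff shows which credential now protects it from a cross-site request; the same applies to the `apiUrl('db')` import POST in the hunk above it and to the `type: 'DELETE'` call in modals/delete-all.js, whose success message is 'All content deleted from database.'. Dropping `X-CSRF-Token` is safe only if the server refuses these routes when a request arrives with a session cookie alone and insists on the token from the `oauth2-password-grant` session; presumably that is the intent, but the server side is not part of this change. The uploader (`Ghost.subdir + '/ghost/upload/'`) and the `adminUrl('setup')` / `adminUrl('signup')` POSTs sit outside `apiUrl(...)`, so they deserve a separate check that they are covered by the bearer token or still protected server-side. I would record the assumption beside each call, e.g. `// no CSRF header: server must accept only the OAuth bearer token here, never cookie-only auth`, and back it with a server test that a cookie-only request is rejected; the enclosing functions start and end outside these hunks.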
diff --git a/core/client/controllers/modals/delete-all.js b/core/client/controllers/modals/delete-all.js
index 6662381a09..3f7089c196 100644
--- a/core/client/controllers/modals/delete-all.js
+++ b/core/client/controllers/modals/delete-all.js
@@ -4,10 +4,7 @@ var DeleteAllController = Ember.Controller.extend({
 var self = this;
 ic.ajax.request(this.get('ghostPaths').apiUrl('db'), {
- type: 'DELETE',
- headers: {
- 'X-CSRF-Token': $('meta[name="csrf-param"]').attr('content')
- }
+ type: 'DELETE'
 }).then(function () {
 self.notifications.showSuccess('All content deleted from database.');
 }).catch(function (response) {
diff --git a/core/client/controllers/setup.js b/core/client/controllers/setup.js
index 94a3d5d838..ee19053437 100644
--- a/core/client/controllers/setup.js
+++ b/core/client/controllers/setup.js
@@ -23,9 +23,6 @@ var SetupController = Ember.ObjectController.extend(ValidationEngine, {
 ajax({
 url: self.get('ghostPaths').adminUrl('setup'),
 type: 'POST',
- headers: {
- 'X-CSRF-Token': self.get('csrf')
- },
 data: self.getProperties('blogTitle', 'name', 'email', 'password')
 }).then(function () {
 self.get('session').authenticate('ember-simple-auth-authenticator:oauth2-password-grant', {
diff --git a/core/client/controllers/signup.js b/core/client/controllers/signup.js
index a84c275443..ada48ecbd1 100644
--- a/core/client/controllers/signup.js
+++ b/core/client/controllers/signup.js
@@ -22,9 +22,6 @@ var SignupController = Ember.ObjectController.extend(ValidationEngine, {
 ajax({
 url: self.get('ghostPaths').adminUrl('signup'),
 type: 'POST',
- headers: {
- 'X-CSRF-Token': self.get('csrf')
- },
 data: self.getProperties('name', 'email', 'password')
 }).then(function () {
 self.get('session').authenticate('ember-simple-auth-authenticator:oauth2-password-grant', {
diff --git a/core/client/initializers/csrf-token.js b/core/client/initializers/csrf-token.js
deleted file mode 100644
index ba4a27cb33..0000000000
--- a/core/client/initializers/csrf-token.js
+++ /dev/null
@@ -1,13 +0,0 @@
-var CSRFTokenInitializer = {
- name: 'csrf-token',
-
- initialize: function (container, application) {
- application.register('csrf:token', $('meta[name="csrf-param"]').attr('content'), { instantiate: false });
-
- application.inject('route', 'csrf', 'csrf:token');
- application.inject('model', 'csrf', 'csrf:token');
- application.inject('controller', 'csrf', 'csrf:token');
- }
-};
-
-export default CSRFTokenInitializer;
diff --git a/core/client/initializers/csrf.js b/core/client/initializers/csrf.js
deleted file mode 100644
index c219238e5a..0000000000
--- a/core/client/initializers/csrf.js
+++ /dev/null
@@ -1,12 +0,0 @@
-var CSRFInitializer = {
- name: 'csrf',
-
- initialize: function (container, application) {
- application.register('csrf:current', $('meta[name="csrf-param"]').attr('content'), { instantiate: false });
-
- application.inject('route', 'csrf', 'csrf:current');
- application.inject('controller', 'csrf', 'csrf:current');
- }
-};
-
-export default CSRFInitializer;