diff --git a/lib/OpenQA/Shared/Controller/Auth.pm b/lib/OpenQA/Shared/Controller/Auth.pm
index 910f172ffce..9fe7205bdf6 100644
--- a/lib/OpenQA/Shared/Controller/Auth.pm
+++ b/lib/OpenQA/Shared/Controller/Auth.pm
@@ -49,7 +49,7 @@ sub auth ($self) {
     # Browser with a logged in user
     my ($user, $reason) = (undef, 'Not authorized');
     if ($user = $self->current_user) {
-        ($user, $reason) = (undef, 'Bad CSRF token!') unless $self->valid_csrf;
+        ($user, $reason) = (undef, 'Bad CSRF token!') unless $self->req->method eq 'GET' || $self->valid_csrf;
     }
     # No session (probably not a browser)
diff --git a/lib/OpenQA/WebAPI.pm b/lib/OpenQA/WebAPI.pm
index de4ec9fe70f..8b1da0bb915 100644
--- a/lib/OpenQA/WebAPI.pm
+++ b/lib/OpenQA/WebAPI.pm
@@ -53,6 +53,7 @@ sub startup ($self) {
     # register basic routes
     my $logged_in = $r->under('/')->to('session#ensure_user');
+    my $auth_any_user = $r->under('/')->to('Auth#auth');
     my $auth = $r->under('/')->to('session#ensure_operator');
     # Routes used by plugins (UI and API)
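Review bot: The CSRF exemption on the changed line is only as safe as the invariant that no route reached through Auth#auth changes state on GET, and that invariant is stated nowhere; a comment on the line such as `# GET is side-effect-free by convention, so a browser session without a CSRF token is accepted for it` tells the next maintainer what a state-changing GET route would break. The test also matches only the literal string `GET`, so a HEAD request — which Mojolicious routes to the same GET handlers and is equally safe — is still rejected with 'Bad CSRF token!' for a logged-in browser; `unless $self->req->method =~ m{\A(?:GET|HEAD)\z} || $self->valid_csrf` covers both. The remainder of auth(), including the non-session path introduced by the trailing comment, lies outside the hunk.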
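Review bot: The new `$auth_any_user` guard is declared between `$logged_in` and `$auth` with nothing saying how it differs from them, although it changes the failure mode for unauthenticated callers — t/03-auth.t in this same commit now expects a 403 where `session#ensure_user` redirected to login. A one-line comment such as `# Auth#auth: any authenticated user; answers 403 instead of redirecting to login` would spare the next reader a trip into Shared/Controller/Auth.pm; whether it also accepts non-session credentials is not visible here, so word the comment to match Auth#auth's actual behaviour. The enclosing startup() continues outside the hunk.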
@@ -143,13 +144,14 @@ sub startup ($self) {
     # only provide a URL helper - this is overtaken by apache
     my $config = $app->config;
     my $require_auth_for_assets = $config->{auth}->{require_for_assets};
-    my $assets_r = $require_auth_for_assets ? $logged_in : $r;
+    my $assets_r = $require_auth_for_assets ? $auth_any_user : $r;
     $assets_r->get('/assets/*assetpath')->name('download_asset')->to('file#download_asset');
-    my $test_r = $r->any('/tests/');
+    my $test_path = '/tests/';
+    my $test_r = $r->any($test_path);
     $test_r = $test_r->under('/')->to('test#referer_check');
-    my $test_auth = $auth->any('/tests/' => {format => 0});
-    my $test_asset_r = $require_auth_for_assets ? $test_auth : $test_r;
+    my $test_auth = $auth->any($test_path => {format => 0});
+    my $test_asset_r = $require_auth_for_assets ? $auth_any_user->any($test_path) : $test_r;
     $test_r->get('/')->name('test')->to('test#show');
     $test_r->get('/ajax')->name('job_next_previous_ajax')->to('test#job_next_previous_ajax');
     $test_r->get('/modules/:moduleid/fails')->name('test_module_fails')->to('test#module_fails');
diff --git a/t/03-auth.t b/t/03-auth.t
index 3e49beee6d9..13c1f75dcbf 100644
--- a/t/03-auth.t
+++ b/t/03-auth.t
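Review bot: On the changed `$test_asset_r` line, `$auth_any_user->any($test_path)` drops the `{format => 0}` that the `$test_auth` it replaces carries (and still carries on the line above), so the authenticated branch of `$test_asset_r` now has format detection enabled where it previously did not; whether an asset name with an extension is affected depends on the asset route defined below the hunk, so either confirm that or write `$auth_any_user->any($test_path => {format => 0})` to keep the previous behaviour. `$test_auth` itself is kept but no longer feeds `$test_asset_r`, which is fine only if it still has users further down. A short comment next to `$require_auth_for_assets` noting that the guarded branch now answers 403 rather than redirecting to login would document the behavioural change the tests in this commit pin. The enclosing startup() continues outside the hunk.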
@@ -46,13 +46,11 @@ subtest 'restricted asset downloads with setting `[auth] require_for_assets = 1`
     $t->get_ok('/assets/iso/test.iso')->status_is(200)->content_is('asset-ok', 'can access asset when logged in');
     $t->get_ok('/tests/42/asset/iso/test.iso')->status_is(200);
     $t->content_is('test-asset-ok', 'can access test asset when logged in');
-    $t->get_ok('/logout')->status_is(302)->get_ok('/assets/iso/test.iso')->status_is(302);
-    $t->content_unlike(qr/asset-ok/, 'asset not accessible when logged out');
-    $t->header_is('Location', $expected_redirect, 'redirect to login when accessing asset');
     $t->get_ok('/logout')->status_is(302);
-    $t->get_ok('/tests/42/asset/iso/test.iso')->status_is(302);
-    $t->header_like('Location', qr|/login\?return_page=.*test.iso|, 'redirect to login when accessing test asset');
-    $t->content_unlike(qr/asset-ok/, 'test asset not accessible when logged out');
+    $t->get_ok('/assets/iso/test.iso')->status_is(403, '403 response when logged out');
+    $t->content_unlike(qr/asset-ok/, 'asset not accessible when logged out');
+    $t->get_ok('/tests/42/asset/iso/test.iso')->status_is(403, '403 response via test when logged out');
+    $t->content_unlike(qr/asset-ok/, 'asset via test not accessible when logged out');
 };
 subtest OpenID => sub {
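Review bot: With the `header_is('Location', $expected_redirect, ...)` line removed, `$expected_redirect` appears to have no remaining use in this subtest; its declaration is above the hunk, so if it exists only for this block it should go too, otherwise it is dead setup. The new assertions pin the logged-out 403 for both asset paths, but nothing pins the other half of the Auth.pm change in this commit — that the CSRF exemption is limited to GET; one assertion that a logged-in request with a non-GET method and no CSRF token to an Auth#auth-guarded route is still rejected would keep the exemption from being widened unnoticed. The `content_unlike(qr/asset-ok/)` check on the test-asset line also matches the old 'test-asset-ok' body, so it correctly guards both asset responses.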