diff --git a/tests/src/FunctionalJavascript/FavoritesTest.php b/tests/src/FunctionalJavascript/FavoritesTest.php
index 5535494f07f2fc9d88225cd2ddb9c63c8160a9d5..9bd70753ce33597f6857da0fade30e3f3296a8ad 100644
--- a/tests/src/FunctionalJavascript/FavoritesTest.php
+++ b/tests/src/FunctionalJavascript/FavoritesTest.php
@@ -112,6 +112,13 @@ class FavoritesTest extends TypeTrayWebDriverTestBase {
     $favorite_link = $assert_session->elementExists('css', '.type-tray-teaser--one .favorite-link');
     $favorite_link->click();
     $this->saveHtmlOutput();
+    // Verify the route is protected against CSRF, so visiting the bare URL
+    // doesn't remove it from favorites.
+    $this->drupalGet('/type-tray/favorites-action/one/remove');
+    $this->drupalGet('/node/add');
+    $assert_session->pageTextContains('Favorites');
+    $assert_session->elementExists('css', '.type-tray-category.category--type-tray__favorites');
+    $assert_session->elementExists('css', '.type-tray-category.category--type-tray__favorites .type-tray-teaser--one');
 
     // Log in as a different user and verify the favorites don't mix up.
     $user2 = $this->createUser([
diff --git a/type_tray.routing.yml b/type_tray.routing.yml
index 32d7f4635f4bff4062f8d1abc0955003a35a2f2c..3448d37240f7dc1a2c33194a597cba5637ed62b2 100644
--- a/type_tray.routing.yml
+++ b/type_tray.routing.yml
@@ -13,3 +13,4 @@ type_tray.favorites:
     _title: 'Type Tray - Process favorites'
   requirements:
     _role: 'authenticated'
+    _csrf_token: 'TRUE'