diff --git a/lib/units/app/index.js b/lib/units/app/index.js
index 392d0551..7cc8ae25 100644
--- a/lib/units/app/index.js
+++ b/lib/units/app/index.js
@@ -82,6 +82,13 @@ module.exports = function(options) {
   , authUrl: options.authUrl
   }))
 
+  // This needs to be before the csrf() middleware or we'll get nasty
+  // errors in the logs. The dummy endpoint is a hack used to enable
+  // autocomplete on some text fields.
+  app.all('/app/api/v1/dummy', function(req, res) {
+    res.send('OK')
+  })
+
   app.use(bodyParser.json())
   app.use(csrf())
   app.use(validator())
@@ -91,10 +98,6 @@ module.exports = function(options) {
     next()
   })
 
-  app.all('/app/api/v1/dummy', function(req, res) {
-    res.send('')
-  })
-
   app.get('/', function(req, res) {
     res.render('index')
   })