diff --git a/CHANGELOG.md b/CHANGELOG.md
index be737b34..77c6ed06 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,9 @@ All notable changes to this project will be documented in this file.
 - Show Healthchecks version in Django admin header (#306)
 - Added JSON endpoint for Shields.io (#304)
 
+### Bug Fixes
+- Don't set CSRF cookie on first visit. Signup is exempt from CSRF protection.
+
 
 ## v1.11.0 - 2019-11-22
 
diff --git a/hc/accounts/views.py b/hc/accounts/views.py
index ebe8dd0c..e7b7b614 100644
--- a/hc/accounts/views.py
+++ b/hc/accounts/views.py
@@ -144,6 +144,7 @@ def logout(request):
 
 
 @require_POST
+@csrf_exempt
 def signup(request):
     if not settings.REGISTRATION_OPEN:
         return HttpResponseForbidden()
diff --git a/static/js/signup.js b/static/js/signup.js
index 80078dfa..a674694f 100644
--- a/static/js/signup.js
+++ b/static/js/signup.js
@@ -3,13 +3,11 @@ $(function () {
     function submitForm() {
         var base = document.getElementById("base-url").getAttribute("href").slice(0, -1);
         var email = $("#signup-email").val();
-        var token = $('input[name=csrfmiddlewaretoken]').val();
 
         $("#signup-go").prop("disabled", true);
         $.ajax({
             url: base + "/accounts/signup/",
             type: "post",
-            headers: {"X-CSRFToken": token},
             data: {"identity": email},
             success: function(data) {
                 $("#signup-result").html(data).show();
diff --git a/templates/front/signup_modal.html b/templates/front/signup_modal.html
index 65740798..c20b692d 100644
--- a/templates/front/signup_modal.html
+++ b/templates/front/signup_modal.html
@@ -20,8 +20,6 @@
                     We will email you a magic sign in link.
                 </p>
 
-
-                {% csrf_token %}
                 <button id="signup-go" class="btn btn-lg btn-primary btn-block">
                     Email Me a Link
                 </button>