diff --git a/hc/api/tests/test_badge.py b/hc/api/tests/test_badge.py index a34daba2..cd2488e2 100644 --- a/hc/api/tests/test_badge.py +++ b/hc/api/tests/test_badge.py @@ -28,6 +28,7 @@ class BadgeTestCase(BaseTestCase): def test_it_returns_svg(self): r = self.client.get(self.svg_url) self.assertEqual(r["Access-Control-Allow-Origin"], "*") + self.assertIn("no-cache", r["Cache-Control"]) self.assertContains(r, "#4c1") def test_it_rejects_bad_format(self): diff --git a/hc/api/tests/test_create_check.py b/hc/api/tests/test_create_check.py index 2326c51a..0d84f7aa 100644 --- a/hc/api/tests/test_create_check.py +++ b/hc/api/tests/test_create_check.py @@ -12,7 +12,7 @@ class CreateCheckTestCase(BaseTestCase): if "api_key" not in data: data["api_key"] = "X" * 32 - r = self.client.post(self.URL, data, content_type="application/json") + r = self.csrf_client.post(self.URL, data, content_type="application/json") if expect_fragment: self.assertEqual(r.status_code, 400) self.assertIn(expect_fragment, r.json()["error"]) diff --git a/hc/api/tests/test_get_check.py b/hc/api/tests/test_get_check.py index dd2b78b5..3a60973f 100644 --- a/hc/api/tests/test_get_check.py +++ b/hc/api/tests/test_get_check.py @@ -74,6 +74,10 @@ class GetCheckTestCase(BaseTestCase): self.assertEqual(doc["channels"], str(self.c1.code)) self.assertEqual(doc["desc"], "This is description") + def test_it_rejects_post_unique_key(self): + r = self.csrf_client.post(f"/api/v1/checks/{self.a1.unique_key}") + self.assertEqual(r.status_code, 405) + def test_readonly_key_works(self): self.project.api_key_readonly = "R" * 32 self.project.save() diff --git a/hc/api/tests/test_get_pings.py b/hc/api/tests/test_get_pings.py index 8b156a6d..5cf6040c 100644 --- a/hc/api/tests/test_get_pings.py +++ b/hc/api/tests/test_get_pings.py 
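Review bot: In `test_it_returns_svg` (hc/api/tests/test_badge.py) the new assertion indexes `r["Cache-Control"]` directly, so a response with no such header fails with a KeyError rather than an assertion message. I would write it as `self.assertIn("no-cache", r.get("Cache-Control", ""))` so a missing header is reported as an ordinary test failure. This hunk covers only the SVG response; if the badge endpoint serves other formats (not visible here), the same check belongs in their tests too.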
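Review bot: Nothing in `post()` of hc/api/tests/test_create_check.py says why the request now goes through `self.csrf_client`, and that attribute is defined outside this diff, so a later cleanup could switch back to `self.client` without any test failing. Assuming it is a Django test client built with `enforce_csrf_checks=True`, I would add a comment above the call such as `# csrf_client enforces CSRF checks: API views must accept a POST that carries an API key but no CSRF token`. The same applies to the POST calls changed in test_notification_status.py, test_pause.py and test_update_check.py. Because these views evidently skip CSRF protection, it is also worth confirming that a request with a logged-in session cookie but no API key is refused; no such test appears in the hunks shown.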
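Review bot: `test_it_rejects_post_unique_key` (hc/api/tests/test_get_check.py) sends no API key, so it only shows that an unauthenticated POST to the unique-key URL gets 405. The case worth pinning is a caller who holds a valid key: add a second request such as `r = self.csrf_client.post(f"/api/v1/checks/{self.a1.unique_key}", {"api_key": "X" * 32}, content_type="application/json")`, using whichever key this test class sets up, and assert 405 again. That variant fails if the unique-key path is ever routed to the update handler. Calling `self.a1.refresh_from_db()` afterwards and asserting the check is unchanged would also pin the absence of side effects.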
@@ -20,7 +20,7 @@ class GetPingsTestCase(BaseTestCase):
 self.url = "/api/v1/checks/%s/pings/" % self.a1.code
 def get(self, api_key="X" * 32):
- return self.client.get(self.url, HTTP_X_API_KEY=api_key)
+ return self.csrf_client.get(self.url, HTTP_X_API_KEY=api_key)
 def test_it_works(self):
 self.a1.ping(
diff --git a/hc/api/tests/test_notification_status.py b/hc/api/tests/test_notification_status.py
index bdab0d99..1c9284a1 100644
--- a/hc/api/tests/test_notification_status.py
+++ b/hc/api/tests/test_notification_status.py
@@ -22,7 +22,7 @@ class NotificationStatusTestCase(BaseTestCase):
 self.url = "/api/v1/notifications/%s/status" % self.n.code
 def test_it_handles_twilio_failed_status(self):
- r = self.client.post(self.url, {"MessageStatus": "failed"})
+ r = self.csrf_client.post(self.url, {"MessageStatus": "failed"})
 self.assertEqual(r.status_code, 200)
 self.n.refresh_from_db()
@@ -33,7 +33,7 @@ class NotificationStatusTestCase(BaseTestCase):
 self.assertTrue(self.channel.email_verified)
 def test_it_handles_twilio_undelivered_status(self):
- r = self.client.post(self.url, {"MessageStatus": "undelivered"})
+ r = self.csrf_client.post(self.url, {"MessageStatus": "undelivered"})
 self.assertEqual(r.status_code, 200)
 self.n.refresh_from_db()
@@ -43,7 +43,7 @@ class NotificationStatusTestCase(BaseTestCase):
 self.assertIn("status=undelivered", self.channel.last_error)
 def test_it_handles_twilio_delivered_status(self):
- r = self.client.post(self.url, {"MessageStatus": "delivered"})
+ r = self.csrf_client.post(self.url, {"MessageStatus": "delivered"})
 self.assertEqual(r.status_code, 200)
 self.n.refresh_from_db()
@@ -56,7 +56,7 @@ class NotificationStatusTestCase(BaseTestCase):
 self.n.created = self.n.created - timedelta(minutes=61)
 self.n.save()
- r = self.client.post(self.url, {"MessageStatus": "failed"})
+ r = self.csrf_client.post(self.url, {"MessageStatus": "failed"})
 self.assertEqual(r.status_code, 200)
 # The notification should not have the error field set:
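Review bot: Routing the GET in `get()` (hc/api/tests/test_get_pings.py) through `self.csrf_client` adds no coverage, because Django's CSRF middleware does not check safe methods such as GET; the same holds for `test_it_requires_post` in test_notification_status.py. This assumes `csrf_client` differs from `self.client` only by enforcing CSRF checks, since its definition is outside the diff. The change is harmless, but it implies the pings endpoint is now CSRF-tested when it is not. I would either keep `self.client` for GET requests or add a comment such as `# csrf_client used for consistency; CSRF checks do not apply to GET`.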
@@ -66,15 +66,15 @@ class NotificationStatusTestCase(BaseTestCase):
 def test_it_handles_missing_notification(self):
 fake_code = "07c2f548-9850-4b27-af5d-6c9dc157ec02"
 url = f"/api/v1/notifications/{fake_code}/status"
- r = self.client.post(url, {"MessageStatus": "failed"})
+ r = self.csrf_client.post(url, {"MessageStatus": "failed"})
 self.assertEqual(r.status_code, 200)
 def test_it_requires_post(self):
- r = self.client.get(self.url)
+ r = self.csrf_client.get(self.url)
 self.assertEqual(r.status_code, 405)
 def test_it_handles_error_key(self):
- r = self.client.post(self.url, {"error": "Something went wrong."})
+ r = self.csrf_client.post(self.url, {"error": "Something went wrong."})
 self.assertEqual(r.status_code, 200)
 self.n.refresh_from_db()
@@ -87,7 +87,7 @@ class NotificationStatusTestCase(BaseTestCase):
 def test_it_handles_mark_not_verified_key(self):
 payload = {"error": "Received complaint.", "mark_not_verified": "1"}
- r = self.client.post(self.url, payload)
+ r = self.csrf_client.post(self.url, payload)
 self.assertEqual(r.status_code, 200)
 self.channel.refresh_from_db()
@@ -95,7 +95,7 @@ class NotificationStatusTestCase(BaseTestCase):
 self.assertFalse(self.channel.email_verified)
 def test_it_handles_twilio_call_status_failed(self):
- r = self.client.post(self.url, {"CallStatus": "failed"})
+ r = self.csrf_client.post(self.url, {"CallStatus": "failed"})
 self.assertEqual(r.status_code, 200)
 self.n.refresh_from_db()
diff --git a/hc/api/tests/test_pause.py b/hc/api/tests/test_pause.py
index 4f7e8f58..85e980e8 100644
--- a/hc/api/tests/test_pause.py
+++ b/hc/api/tests/test_pause.py
@@ -1,4 +1,5 @@
 from datetime import timedelta as td
+import json
 from django.utils.timezone import now
 from hc.api.models import Check
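Review bot: `test_it_handles_mark_not_verified_key` (hc/api/tests/test_notification_status.py) now pins that a POST with no CSRF token and, as far as these hunks show, no API key or provider signature can set `channel.email_verified` to false. If the notification code in the URL is meant to be the only credential for this callback, the test class should say so, for example `# Status callbacks are authenticated only by the unguessable notification code in the URL`. The earlier hunk that backdates `self.n.created` by 61 minutes suggests late reports are ignored, which narrows the window; a comment stating that intent would help too. The class setup and the view are outside the diff, so confirm both before documenting them.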
@@ -13,7 +14,7 @@ class PauseTestCase(BaseTestCase): self.url = f"/api/v1/checks/{self.check.code}/pause" def test_it_works(self): - r = self.client.post( + r = self.csrf_client.post( self.url, "", content_type="application/json", HTTP_X_API_KEY="X" * 32 ) @@ -23,6 +24,14 @@ class PauseTestCase(BaseTestCase): self.check.refresh_from_db() self.assertEqual(self.check.status, "paused") + def test_it_accepts_api_key_in_post_body(self): + payload = json.dumps({"api_key": "X" * 32}) + r = self.csrf_client.post(self.url, payload, content_type="application/json") + self.assertEqual(r.status_code, 200) + + self.check.refresh_from_db() + self.assertEqual(self.check.status, "paused") + def test_it_handles_options(self): r = self.client.options(self.url) self.assertEqual(r.status_code, 204) diff --git a/hc/api/tests/test_update_check.py b/hc/api/tests/test_update_check.py index a42f4c5d..d5ff4939 100644 --- a/hc/api/tests/test_update_check.py +++ b/hc/api/tests/test_update_check.py @@ -13,7 +13,7 @@ class UpdateCheckTestCase(BaseTestCase): def post(self, code, data): url = "/api/v1/checks/%s" % code - return self.client.post(url, data, content_type="application/json") + return self.csrf_client.post(url, data, content_type="application/json") def test_it_works(self): self.check.last_ping = now()
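Review bot: `test_it_accepts_api_key_in_post_body` (hc/api/tests/test_pause.py) covers only the accepting path; the hunk has no counterpart showing that a wrong key in the JSON body is refused and leaves the check untouched, though one may exist elsewhere in the file. I would add a test that posts `json.dumps({"api_key": "Y" * 32})` through `self.csrf_client` and asserts the response is not 200. After `self.check.refresh_from_db()` it should also assert that `self.check.status` is not `"paused"`. Without it, a regression that stops validating the body key would still pass the tests visible here.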