diff --git a/cmd/daemon/serve.go b/cmd/daemon/serve.go
index 78d763c0a025..1db5bd4e37ba 100644
--- a/cmd/daemon/serve.go
+++ b/cmd/daemon/serve.go
@@ -93,6 +93,12 @@ func ServePublic(r driver.Registry, wg *sync.WaitGroup, cmd *cobra.Command, args
 r.WithCSRFHandler(csrf)
 n.UseHandler(r.CSRFHandler())
+ // Disable CSRF for these endpoints
+ csrf.DisablePath(healthx.AliveCheckPath)
+ csrf.DisablePath(healthx.ReadyCheckPath)
+ csrf.DisablePath(healthx.VersionPath)
+ csrf.DisablePath(prometheus.MetricsPrometheusPath)
+
 r.RegisterPublicRoutes(ctx, router)
 r.PrometheusManager().RegisterRouter(router.Router)
diff --git a/driver/registry.go b/driver/registry.go
index 55e627fd6b20..4c5c2190f0d4 100644
--- a/driver/registry.go
+++ b/driver/registry.go
@@ -9,6 +9,8 @@ import (
 "github.com/gorilla/sessions"
 "github.com/pkg/errors"
+ "github.com/ory/nosurf"
+
 "github.com/ory/x/logrusx"
 "github.com/ory/kratos/continuity"
@@ -45,7 +47,7 @@ type Registry interface {
 WithLogger(l *logrusx.Logger) Registry
- WithCSRFHandler(c x.CSRFHandler)
+ WithCSRFHandler(c nosurf.Handler)
 WithCSRFTokenGenerator(cg x.CSRFToken)
 HealthHandler(ctx context.Context) *healthx.Handler
diff --git a/driver/registry_default.go b/driver/registry_default.go
index e508d076ddd6..c6fe37a9eeba 100644
--- a/driver/registry_default.go
+++ b/driver/registry_default.go
@@ -7,6 +7,8 @@ import (
 "sync"
 "time"
+ "github.com/ory/nosurf"
+
 "github.com/ory/kratos/selfservice/strategy/webauthn"
 "github.com/ory/kratos/selfservice/strategy/lookup"
@@ -70,7 +72,7 @@ type RegistryDefault struct {
 injectedSelfserviceHooks map[string]func(config.SelfServiceHook) interface{}
- nosurf x.CSRFHandler
+ nosurf nosurf.Handler
 trc *tracing.Tracer
 pmm *prometheus.MetricsManager
 writer herodot.Writer
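Review bot: The new comment `// Disable CSRF for these endpoints` says what the block does but not why, and the why is the security-relevant part: these four paths are the unauthenticated liveness, readiness, version and metrics probes that monitoring clients request without a CSRF cookie, so a reader needs to know the exemption is deliberate and must stay limited to read-only probe endpoints. Suggest `// The health, version and metrics probes are unauthenticated and polled by monitoring clients that carry no CSRF cookie; keep this list to read-only probe endpoints.` Whether DisablePath only skips the token check or also stops nosurf from setting a cookie on these responses (the difference from the older ExemptPath/IgnorePath) is not visible here; it is worth confirming against nosurf v1.2.6 and stating in the comment, since a cookie issued on every scrape is the usual reason such an exemption is added. The DisablePath calls run after `n.UseHandler(r.CSRFHandler())`, which is only safe if the handler consults its disabled-path list per request rather than copying it at registration, also worth confirming. ServePublic starts outside the hunk.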
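Review bot: The field `nosurf nosurf.Handler` now shares its name with the package imported in the preceding hunk of the same file; a struct field may legally carry a package's name, but it reads as shadowing and any later local `nosurf := ...` in registry_default.go would hide the package. Consider naming the field for what it holds, e.g. `csrf nosurf.Handler`, and updating the `m.nosurf` uses in WithCSRFHandler and CSRFHandler. The RegistryDefault struct starts outside the hunk.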
@@ -239,11 +241,11 @@ func (m *RegistryDefault) MetricsHandler() *prometheus.Handler {
 return m.metricsHandler
 }
-func (m *RegistryDefault) WithCSRFHandler(c x.CSRFHandler) {
+func (m *RegistryDefault) WithCSRFHandler(c nosurf.Handler) {
 m.nosurf = c
 }
-func (m *RegistryDefault) CSRFHandler() x.CSRFHandler {
+func (m *RegistryDefault) CSRFHandler() nosurf.Handler {
 if m.nosurf == nil {
 panic("csrf handler is not set")
 }
diff --git a/go.mod b/go.mod
index 49b7d4bc73a8..3f17c8c62f3d 100644
--- a/go.mod
+++ b/go.mod
@@ -75,7 +75,7 @@ require (
 github.com/ory/jsonschema/v3 v3.0.4
 github.com/ory/kratos-client-go v0.6.3-alpha.1
 github.com/ory/mail/v3 v3.0.0
- github.com/ory/nosurf v1.2.5
+ github.com/ory/nosurf v1.2.6
 github.com/ory/x v0.0.300
 github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2
 github.com/pkg/errors v0.9.1
diff --git a/go.sum b/go.sum
index 39c8ff14931e..10b21e2d6a90 100644
--- a/go.sum
+++ b/go.sum
@@ -1572,8 +1572,8 @@ github.com/ory/mail v2.3.1+incompatible h1:vHntHDHtQXamt2T+iwTTlCoBkDvILUeujE9Oc
 github.com/ory/mail v2.3.1+incompatible/go.mod h1:87D9/1gB6ewElQoN0lXJ0ayfqcj3cW3qCTXh+5E9mfU=
 github.com/ory/mail/v3 v3.0.0 h1:8LFMRj473vGahFD/ntiotWEd4S80FKYFtiZTDfOQ+sM=
 github.com/ory/mail/v3 v3.0.0/go.mod h1:JGAVeZF8YAlxbaFDUHqRZAKBCSeW2w1vuxf28hFbZAw=
-github.com/ory/nosurf v1.2.5 h1:3PkEwcMd9BYpMD96PTCwJTNV8we69SbO+cgI8p1oeOA=
-github.com/ory/nosurf v1.2.5/go.mod h1:d4L3ZBa7Amv55bqxCBtCs63wSlyaiCkWVl4vKf3OUxA=
+github.com/ory/nosurf v1.2.6 h1:bC+VQjNeO2quPnnl0d6m27irK1uHK9hHnwcDi/JOGlk=
+github.com/ory/nosurf v1.2.6/go.mod h1:d4L3ZBa7Amv55bqxCBtCs63wSlyaiCkWVl4vKf3OUxA=
 github.com/ory/viper v1.5.6/go.mod h1:TYmpFpKLxjQwvT4f0QPpkOn4sDXU1kDgAwJpgLYiQ28=
 github.com/ory/viper v1.7.4/go.mod h1:T6sodNZKNGPpashUOk7EtXz2isovz8oCd57GNVkkNmE=
 github.com/ory/viper v1.7.5 h1:+xVdq7SU3e1vNaCsk/ixsfxE4zylk1TJUiJrY647jUE=
diff --git a/session/manager_http_test.go b/session/manager_http_test.go
index 4bfb3fae13f3..a9bf1f3a3d9a 100644
--- a/session/manager_http_test.go
+++ b/session/manager_http_test.go
@@ -8,6 +8,8 @@ import (
 "testing"
 "time"
+ "github.com/ory/nosurf"
+
 "github.com/ory/kratos/driver"
 "github.com/ory/x/urlx"
@@ -24,12 +26,21 @@ import (
 "github.com/ory/kratos/x"
 )
-var _ x.CSRFHandler = new(mockCSRFHandler)
+var _ nosurf.Handler = new(mockCSRFHandler)
 type mockCSRFHandler struct {
 c int
 }
+func (f *mockCSRFHandler) DisablePath(s string) {
+}
+
+func (f *mockCSRFHandler) DisableGlob(s string) {
+}
+
+func (f *mockCSRFHandler) DisableGlobs(s ...string) {
+}
+
 func (f *mockCSRFHandler) IgnoreGlob(s string) {
 }
diff --git a/x/nosurf.go b/x/nosurf.go
index 868bec6ae388..664684536646 100644
--- a/x/nosurf.go
+++ b/x/nosurf.go
@@ -83,7 +83,7 @@ func FakeCSRFTokenGeneratorWithToken(token string) func(r *http.Request) string
 }
 }
-var _ CSRFHandler = new(FakeCSRFHandler)
+var _ nosurf.Handler = new(FakeCSRFHandler)
 type FakeCSRFHandler struct{ name string }
@@ -93,6 +93,15 @@ func NewFakeCSRFHandler(name string) *FakeCSRFHandler {
 }
 }
+func (f *FakeCSRFHandler) DisablePath(s string) {
+}
+
+func (f *FakeCSRFHandler) DisableGlob(s string) {
+}
+
+func (f *FakeCSRFHandler) DisableGlobs(s ...string) {
+}
+
 func (f *FakeCSRFHandler) ExemptPath(s string) {
 }
@@ -113,16 +122,7 @@ func (f *FakeCSRFHandler) RegenerateToken(w http.ResponseWriter, r *http.Request
 }
 type CSRFProvider interface {
- CSRFHandler() CSRFHandler
-}
-
-type CSRFHandler interface {
- http.Handler
- RegenerateToken(w http.ResponseWriter, r *http.Request) string
- ExemptPath(string)
- IgnorePath(string)
- IgnoreGlob(string)
- IgnoreGlobs(...string)
+ CSRFHandler() nosurf.Handler
 }
 func CSRFCookieName(reg interface {
@@ -233,7 +233,7 @@ func NewCSRFHandler(
 }
 func NewTestCSRFHandler(router http.Handler, reg interface {
- WithCSRFHandler(CSRFHandler)
+ WithCSRFHandler(handler nosurf.Handler)
 WithCSRFTokenGenerator(CSRFToken)
 WriterProvider
 LoggingProvider
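Review bot: The three new no-op methods on mockCSRFHandler make every `DisablePath` call invisible to the tests, so the probe-path exemptions this commit wires up in cmd/daemon/serve.go cannot be asserted through this mock. Recording the argument, e.g. a `disabled []string` field on mockCSRFHandler and `f.disabled = append(f.disabled, s)` in DisablePath, would let a test check which paths end up exempt from CSRF checking; if the stubs stay empty, the unused `s` parameters can be `_` so the intent is explicit. The same applies to the FakeCSRFHandler stubs added in x/nosurf.go, although those match the existing no-op style of that type.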
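Review bot: Deleting the local `CSRFHandler` interface couples CSRFProvider, the Registry interface and both fakes directly to the upstream `nosurf.Handler` type, so any method nosurf adds in a later release breaks the fakes again, as this commit already had to add three no-op methods to each of them. A consumer-side interface listing only the methods Kratos actually calls (the previous `http.Handler`, `RegenerateToken`, `ExemptPath`, `IgnorePath`, `IgnoreGlob`, `IgnoreGlobs` plus `DisablePath`) would keep that surface under the project's control while nosurf's concrete handler still satisfies it. If exposing nosurf's full API is the intent, a one-line comment on `CSRFProvider` saying so would stop the next reader from reintroducing the wrapper.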
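Review bot: The rewritten method `WithCSRFHandler(handler nosurf.Handler)` names its parameter while the neighbouring `WithCSRFTokenGenerator(CSRFToken)` in the same interface literal does not; Go permits this across methods, but the mix reads as accidental and differs from the unnamed form used in driver/registry.go. Either drop the name, `WithCSRFHandler(nosurf.Handler)`, to match the rest of the literal, or name both parameters. The NewTestCSRFHandler signature continues outside the hunk.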