Rescue only from ActionController::InvalidAuthenticityToken

lib/api/helpers.rb

@@ -336,9 +336,9 @@ module API
       env['warden']
     end
 
-    # Check if CSRF tokens are valid.
+    # Check if the request is GET/HEAD, or if CSRF token is valid.
     def verified_request?
-      Gitlab::RequestForgeryProtection.call(env) rescue false
+      Gitlab::RequestForgeryProtection.verified?(env)
     end
 
     # Check the Rails session for valid authentication details

lib/gitlab/request_forgery_protection.rb

@@ -19,5 +19,13 @@ module Gitlab
     def self.call(env)
       app.call(env)
     end
+
+    def self.verified?(env)
+      call(env)
+
+      true
+    rescue ActionController::InvalidAuthenticityToken
+      false
+    end
   end
 end