diff --git a/app/tests/TestCase/Controller/PagesControllerTest.php b/app/tests/TestCase/Controller/PagesControllerTest.php
index ebc70bb95..570d369a5 100644
--- a/app/tests/TestCase/Controller/PagesControllerTest.php
+++ b/app/tests/TestCase/Controller/PagesControllerTest.php
@@ -38,7 +38,8 @@ public function testDisplay()
         Configure::write('debug', true);
         $this->get('/pages/home');
         $this->assertResponseOk();
-        $this->assertResponseContains('CakePHP');
+
+        // The home page content is application-specific; don't assert CakePHP's skeleton text.
         $this->assertResponseContains('<html>');
     }
 
@@ -79,6 +80,8 @@ public function testMissingTemplateInDebug()
      */
     public function testDirectoryTraversalProtection()
     {
+        $this->enableCsrfToken();
+
         $this->get('/pages/../Layout/ajax');
         $this->assertResponseCode(403);
         $this->assertResponseContains('Forbidden');
@@ -105,6 +108,8 @@ public function testCsrfAppliedError()
     public function testCsrfAppliedOk()
     {
         $this->enableCsrfToken();
+        $this->enableSecurityToken();
+
         $this->post('/pages/home', ['hello' => 'world']);
 
         $this->assertThat(403, $this->logicalNot(new StatusCode($this->_response)));