diff --git a/wapitiCore/attack/mod_csrf.py b/wapitiCore/attack/mod_csrf.py
index 362f51caf..a0c4ccd0a 100644
--- a/wapitiCore/attack/mod_csrf.py
+++ b/wapitiCore/attack/mod_csrf.py
@@ -173,6 +173,11 @@ async def must_attack(self, request: Request, response: Optional[Response] = Non
 if request.method != "POST":
 return False
 
+ # JSON requests can only be sent using JS with same-origin policy in place
+ # so, it is unlikely that a CSRF is possible. Let's filter those requests to prevent false positives
+ if request.is_json:
+ return False
+
 if (request.url, request.post_keys) in self.already_vulnerable:
 return False
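Review bot: The new `if request.is_json: return False` guard is a heuristic that trades false positives for possible false negatives, and the comment above it states the reasoning too strongly: the protection comes from the `application/json` Content-Type not being a CORS "simple" type, which only helps when the server actually enforces that Content-Type, so an endpoint that parses the body regardless of the declared type is still reachable cross-site and would now be silently skipped. I would reword the comment to `# A JSON Content-Type is not a CORS-"simple" type, so a cross-site request would need a preflight;` / `# skipping these reduces false positives but misses servers that do not enforce Content-Type.` so a maintainer knows what the filter assumes. The guard relies on `is_json` being a plain attribute or property on wapiti's Request (it is used without a call here); if it is a method this would always be truthy and skip every POST, so worth confirming. `must_attack` starts before the hunk and continues after it.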