diff --git a/kube/services/revproxy/gen3.nginx.conf/fence-service.conf b/kube/services/revproxy/gen3.nginx.conf/fence-service.conf
index 0fd9402ae..f5d408a6f 100644
--- a/kube/services/revproxy/gen3.nginx.conf/fence-service.conf
+++ b/kube/services/revproxy/gen3.nginx.conf/fence-service.conf
@@ -31,6 +31,16 @@ location /user/ {
     proxy_pass $upstream;
 }
 
+location /user/register-user {
+    # Like /user/ but without CSRF check. Registration form submission is
+    # incompatible with revproxy-level cookie-to-header CSRF check.
+    # Fence enforces its own CSRF protection here so this is OK.
+    set $proxy_service  "${fence_release_name}";
+    set $upstream http://${fence_release_name}-service$des_domain;
+    rewrite ^/user/(.*) /$1 break;
+    proxy_pass $upstream;
+}
+
 location /user/data/download {
     if ($csrf_check !~ ^ok-\S.+$) {
       return 403 "failed csrf check";