diff --git a/spec/middleware/csrf_spec.cr b/spec/middleware/csrf_spec.cr
index 664eabb..c5e814a 100644
--- a/spec/middleware/csrf_spec.cr
+++ b/spec/middleware/csrf_spec.cr
@@ -55,7 +55,7 @@ describe "Kemal::Middleware::CSRF" do
 body: "hasan=lamec",
 headers: HTTP::Headers{"Content-Type" => "application/x-www-form-urlencoded",
 "Set-Cookie" => client_response.headers["Set-Cookie"],
- "http-x-csrf-token" => current_token })
+ "x-csrf-token" => current_token })
 io, context = process_request(handler, request)
 client_response = HTTP::Client::Response.from_io(io, decompress: false)
 client_response.status_code.should eq 404
diff --git a/src/kemal/middleware/csrf.cr b/src/kemal/middleware/csrf.cr
index cc46c75..9ae841f 100644
--- a/src/kemal/middleware/csrf.cr
+++ b/src/kemal/middleware/csrf.cr
@@ -11,7 +11,7 @@ module Kemal::Middleware
 # where an attacker can re-submit a form.
 #
 class CSRF < HTTP::Handler
- HEADER = "HTTP_X_CSRF_TOKEN"
+ HEADER = "X_CSRF_TOKEN"
 ALLOWED_METHODS = %w[GET HEAD OPTIONS TRACE]
 PARAMETER_NAME = "authenticity_token"
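Review bot: The updated request at `"x-csrf-token" => current_token` pins only the accepted path under the new header name; nothing in this hunk checks that a token sent under the previous `http-x-csrf-token` name, or a wrong value sent under `x-csrf-token`, is refused. If the rest of the spec file has no such cases, add one for each that asserts the middleware's rejection status instead of `404`, so the rename cannot silently widen or disable the check. The enclosing `describe` block starts and ends outside the hunk.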
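Review bot: `HEADER = "X_CSRF_TOKEN"` keeps the CGI-style underscore spelling while the spec in this commit sends `x-csrf-token`, so the match presumably depends on `HTTP::Headers` treating `_` and `-` as equivalent during key lookup, which a reader of this file cannot see. Writing the constant in its wire form, `HEADER = "X-CSRF-Token"`, with a comment such as `# Name of the request header clients use to submit the CSRF token.` would make the contract explicit. Clients that still send the token under the old `HTTP-X-CSRF-Token` name will likely begin failing the check after this change, so it is worth a changelog entry. The class body continues outside the hunk, so how `HEADER` is read is not visible here.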