diff --git a/.eslintrc.json b/.eslintrc.json
index 5a60852ffb..c5695beccb 100644
--- a/.eslintrc.json
+++ b/.eslintrc.json
@@ -122,7 +122,6 @@
         {
             "files": ["static/js/**"],
             "globals": {
-                "csrf_token": false,
                 "current_msg_list": true,
                 "home_msg_list": false,
                 "StripeCheckout": false,
diff --git a/frontend_tests/node_tests/compose.js b/frontend_tests/node_tests/compose.js
index 22279bdd52..3fa1108084 100644
--- a/frontend_tests/node_tests/compose.js
+++ b/frontend_tests/node_tests/compose.js
@@ -1021,7 +1021,6 @@ test_ui("initialize", (override) => {
     $("#compose #attach_files").addClass("notdisplayed");
 
     set_global("document", "document-stub");
-    set_global("csrf_token", "fake-csrf-token");
 
     page_params.max_file_upload_size_mib = 512;
 
diff --git a/frontend_tests/node_tests/compose_video.js b/frontend_tests/node_tests/compose_video.js
index 64ee97d17b..ea0a6078b8 100644
--- a/frontend_tests/node_tests/compose_video.js
+++ b/frontend_tests/node_tests/compose_video.js
@@ -15,7 +15,6 @@ const upload = mock_esm("../../static/js/upload");
 mock_esm("../../static/js/resize", {
     watch_manual_resize() {},
 });
-set_global("csrf_token", "fake-csrf-token");
 set_global("document", {
     execCommand() {
         return false;
diff --git a/frontend_tests/node_tests/settings_org.js b/frontend_tests/node_tests/settings_org.js
index d8d5ebc5cc..3660de777e 100644
--- a/frontend_tests/node_tests/settings_org.js
+++ b/frontend_tests/node_tests/settings_org.js
@@ -32,6 +32,7 @@ stub_templates((name, data) => {
 const channel = mock_esm("../../static/js/channel");
 const overlays = mock_esm("../../static/js/overlays");
 
+mock_esm("../../static/js/csrf", {csrf_token: "token-stub"});
 mock_esm("../../static/js/list_widget", {
     create: () => ({init: noop}),
 });
@@ -49,7 +50,6 @@ mock_esm("../../static/js/ui_report", {
     },
 });
 
-set_global("csrf_token", "token-stub");
 set_global("FormData", _FormData);
 
 const settings_config = zrequire("settings_config");
diff --git a/frontend_tests/node_tests/upload.js b/frontend_tests/node_tests/upload.js
index 645fa18666..855ddf93a6 100644
--- a/frontend_tests/node_tests/upload.js
+++ b/frontend_tests/node_tests/upload.js
@@ -2,7 +2,7 @@
 
 const {strict: assert} = require("assert");
 
-const {mock_cjs, set_global, zrequire} = require("../zjsunit/namespace");
+const {mock_cjs, mock_esm, set_global, zrequire} = require("../zjsunit/namespace");
 const {run_test} = require("../zjsunit/test");
 const $ = require("../zjsunit/zjquery");
 const {page_params} = require("../zjsunit/zpage_params");
@@ -14,7 +14,6 @@ set_global("navigator", {
     userAgent: "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
 });
 page_params.max_file_upload_size = 25;
-set_global("csrf_token", "csrf_token");
 
 // Setting these up so that we can test that links to uploads within messages are
 // automatically converted to server relative links.
@@ -34,6 +33,8 @@ Uppy.Plugin = {
 };
 mock_cjs("@uppy/core", Uppy);
 
+mock_esm("../../static/js/csrf", {csrf_token: "csrf_token"});
+
 const compose_ui = zrequire("compose_ui");
 const compose_actions = zrequire("compose_actions");
 const upload = zrequire("upload");
diff --git a/static/js/csrf.js b/static/js/csrf.js
index 5360a17b74..7287d78e5b 100644
--- a/static/js/csrf.js
+++ b/static/js/csrf.js
@@ -1,20 +1,11 @@
-/* eslint-env commonjs */
+import $ from "jquery";
 
-"use strict";
+export let csrf_token;
 
-const $ = require("jquery");
-
-let csrf_token;
 $(() => {
     // This requires that we used Jinja2's {% csrf_input %} somewhere on the page.
     const csrf_input = $('input[name="csrfmiddlewaretoken"]');
-    if (csrf_input.length > 0) {
-        csrf_token = csrf_input.attr("value");
-    } else {
-        csrf_token = undefined;
-    }
-    window.csrf_token = csrf_token;
-
+    csrf_token = csrf_input.attr("value");
     if (csrf_token === undefined) {
         return;
     }
diff --git a/static/js/global.d.ts b/static/js/global.d.ts
index 1b2d2dc360..9838de20f5 100644
--- a/static/js/global.d.ts
+++ b/static/js/global.d.ts
@@ -3,7 +3,6 @@
 // remove each declaration when the corresponding module is migrated
 // to TS.
 
-declare let csrf_token: any;
 declare let current_msg_list: any;
 declare let home_msg_list: any;
 declare let zulip_test: any;
diff --git a/static/js/reload.js b/static/js/reload.js
index 6a3854a7ec..9837b75983 100644
--- a/static/js/reload.js
+++ b/static/js/reload.js
@@ -5,6 +5,7 @@ import * as blueslip from "./blueslip";
 import * as compose from "./compose";
 import * as compose_actions from "./compose_actions";
 import * as compose_state from "./compose_state";
+import {csrf_token} from "./csrf";
 import * as hashchange from "./hashchange";
 import {localstorage} from "./localstorage";
 import * as message_list from "./message_list";
diff --git a/static/js/settings_account.js b/static/js/settings_account.js
index 50e85e5b8d..58c23f5105 100644
--- a/static/js/settings_account.js
+++ b/static/js/settings_account.js
@@ -9,6 +9,7 @@ import * as avatar from "./avatar";
 import * as blueslip from "./blueslip";
 import * as channel from "./channel";
 import * as common from "./common";
+import {csrf_token} from "./csrf";
 import {i18n} from "./i18n";
 import * as overlays from "./overlays";
 import {page_params} from "./page_params";
diff --git a/static/js/settings_bots.js b/static/js/settings_bots.js
index 6ac1d169ef..58f03e1bc0 100644
--- a/static/js/settings_bots.js
+++ b/static/js/settings_bots.js
@@ -10,6 +10,7 @@ import render_settings_edit_outgoing_webhook_service from "../templates/settings
 import * as avatar from "./avatar";
 import * as bot_data from "./bot_data";
 import * as channel from "./channel";
+import {csrf_token} from "./csrf";
 import {DropdownListWidget as dropdown_list_widget} from "./dropdown_list_widget";
 import {i18n} from "./i18n";
 import * as loading from "./loading";
diff --git a/static/js/settings_org.js b/static/js/settings_org.js
index a60d1b2bf8..5b46e238f6 100644
--- a/static/js/settings_org.js
+++ b/static/js/settings_org.js
@@ -6,6 +6,7 @@ import render_settings_admin_realm_domains_list from "../templates/settings/admi
 
 import * as blueslip from "./blueslip";
 import * as channel from "./channel";
+import {csrf_token} from "./csrf";
 import {DropdownListWidget as dropdown_list_widget} from "./dropdown_list_widget";
 import {i18n} from "./i18n";
 import * as loading from "./loading";
diff --git a/static/js/upload.js b/static/js/upload.js
index 66eb38bd92..49e9b7ea7d 100644
--- a/static/js/upload.js
+++ b/static/js/upload.js
@@ -7,6 +7,7 @@ import * as compose from "./compose";
 import * as compose_actions from "./compose_actions";
 import * as compose_state from "./compose_state";
 import * as compose_ui from "./compose_ui";
+import {csrf_token} from "./csrf";
 import {i18n} from "./i18n";
 import {page_params} from "./page_params";