diff --git a/src/middleware/csrf/index.test.ts b/src/middleware/csrf/index.test.ts
index 517d7a62..38537e5b 100644
--- a/src/middleware/csrf/index.test.ts
+++ b/src/middleware/csrf/index.test.ts
@@ -206,6 +206,15 @@ describe('CSRF by Middleware', () => {
       expect(res.status).toBe(403)
       expect(simplePostHandler).not.toHaveBeenCalled()
     })
+
+    it('should be 403 if the content-type is not set', async () => {
+      const res = await app.request('/form', {
+        method: 'POST',
+        body: new Blob(['test'], {}),
+      })
+      expect(res.status).toBe(403)
+      expect(simplePostHandler).not.toHaveBeenCalled()
+    })
   })
 
   describe('with origin option', () => {
diff --git a/src/middleware/csrf/index.ts b/src/middleware/csrf/index.ts
index ae622c3f..44881b7b 100644
--- a/src/middleware/csrf/index.ts
+++ b/src/middleware/csrf/index.ts
@@ -76,7 +76,7 @@ export const csrf = (options?: CSRFOptions): MiddlewareHandler => {
   return async function csrf(c, next) {
     if (
       !isSafeMethodRe.test(c.req.method) &&
-      isRequestedByFormElementRe.test(c.req.header('content-type') || '') &&
+      isRequestedByFormElementRe.test(c.req.header('content-type') || 'text/plain') &&
       !isAllowedOrigin(c.req.header('origin'), c)
     ) {
       const res = new Response('Forbidden', {