diff --git a/flask_wtf/csrf.py b/flask_wtf/csrf.py
index c428c226..a85dcdd2 100644
--- a/flask_wtf/csrf.py
+++ b/flask_wtf/csrf.py
@@ -153,8 +153,7 @@ def _csrf_protect():
 return
 csrf_token = None
- if request.method == 'POST':
- # DELETE has no form
+ if request.method in ('POST', 'PUT', 'PATCH'):
 csrf_token = request.form.get('csrf_token')
 if not csrf_token:
 # You can get csrf token from header
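Review bot: The new `if request.method in ('POST', 'PUT', 'PATCH'):` line drops the `# DELETE has no form` comment without a replacement, so the reason DELETE is still excluded from the form lookup is no longer stated next to the tuple. I would keep a why-comment there, e.g. `# DELETE carries no form body; its token comes from the header fallback below`. `request.form` is only populated for form-encoded bodies, so a PUT or PATCH with a JSON body will presumably still depend on the header path that begins at the end of this hunk. A test sending PUT and PATCH requests with and without `csrf_token` in the form would pin the new behaviour. `_csrf_protect` starts and ends outside the hunk, so the header handling and the final validation are not visible here.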