diff --git a/app/Providers/AppServiceProvider.php b/app/Providers/AppServiceProvider.php
index 9856f21f..089e9aeb 100644
--- a/app/Providers/AppServiceProvider.php
+++ b/app/Providers/AppServiceProvider.php
@@ -31,6 +31,7 @@ use Illuminate\Foundation\Application;
 use Illuminate\Support\Facades\Route;
 use Illuminate\Support\ServiceProvider;
+use Symfony\Component\HttpFoundation\Request as SymfonyRequest;
 class AppServiceProvider extends ServiceProvider
 {
@@ -39,7 +40,8 @@ class AppServiceProvider extends ServiceProvider
 */
 public function register(): void
 {
- //
+ // Ignore malformed _method / X-HTTP-Method-Override values (bots) instead of throwing SuspiciousOperationException.
+ SymfonyRequest::setAllowedHttpMethodOverride(['PUT', 'PATCH', 'DELETE']);
 }
 /**
diff --git a/tests/Feature/HttpMethodOverrideTest.php b/tests/Feature/HttpMethodOverrideTest.php
new file mode 100644
index 00000000..970275f1
--- /dev/null
+++ b/tests/Feature/HttpMethodOverrideTest.php
@@ -0,0 +1,19 @@
+withoutMiddleware(VerifyCsrfToken::class)
+ ->post('/', ['_method' => 'FOO123']);
+
+ $response->assertStatus(405);
+ }
+}
diff --git a/tests/Feature/ProfileInformationTest.php b/tests/Feature/ProfileInformationTest.php
index fee045cb..ee3b9fa8 100644
--- a/tests/Feature/ProfileInformationTest.php
+++ b/tests/Feature/ProfileInformationTest.php
@@ -5,6 +5,7 @@ namespace Tests\Feature;
 use App\Enums\Weekday;
+use App\Http\Middleware\VerifyCsrfToken;
 use App\Models\User;
 use App\Service\TimezoneService;
 use Illuminate\Foundation\Testing\RefreshDatabase;
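Review bot: The allow-list handed to `setAllowedHttpMethodOverride()` in register() is an inline literal, and the comment above it explains only the bot case, not why the list stops at the three non-safe verbs; a later maintainer could add `GET` or `OPTIONS` without noticing that this list decides which verbs a plain POST may be rewritten into. Name the list and state what it guards: `private const ALLOWED_METHOD_OVERRIDES = ['PUT', 'PATCH', 'DELETE'];` on the class, and at the call `// Only these verbs may be spoofed via _method / X-HTTP-Method-Override; any other value (including malformed bot input) is dropped and the request stays a POST instead of raising SuspiciousOperationException.` split over two lines, since the current comment also exceeds the 120-column guideline. The "stays a POST" part is what the new HttpMethodOverrideTest pins with its 405 assertion, so the comment can point at that test by name. The docblock preceding register() starts outside the hunk.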
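Review bot: The new HttpMethodOverrideTest only exercises a syntactically malformed override (`'_method' => 'FOO123'`); it does not pin the more important property of the allow-list, namely that a well-formed but non-listed verb is dropped rather than honoured. Add a second case along the lines of `->post('/', ['_method' => 'GET'])` with the same 405 expectation (if the override were honoured the request would presumably become a GET to `/` and succeed), plus one sending the `X-HTTP-Method-Override` header, since the provider comment names both channels; a data provider keeps the three cases in one method. Asserting 405 on `/` also ties the test to `/` having no POST route, which can change for unrelated reasons; a route registered inside the test, or an assertion on the resolved request method, would give a clearer failure. Only the last six of the file's nineteen added lines are visible here, so the class header and the start of the test method could not be reviewed.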
@@ -50,4 +51,23 @@ public function test_profile_information_can_be_updated(): void
 $this->assertEquals($timezone, $user->timezone);
 $this->assertEquals(Weekday::Sunday, $user->week_start);
 }
+
+ public function test_profile_information_can_be_updated_via_post_with_method_spoofing(): void
+ {
+ $user = User::factory()->create();
+ $timezone = app(TimezoneService::class)->getTimezones()[0];
+ $this->actingAs($user);
+
+ $response = $this->withoutMiddleware(VerifyCsrfToken::class)
+ ->post('/user/profile-information', [
+ '_method' => 'PUT',
+ 'name' => 'Spoofed Put Name',
+ 'email' => $user->email,
+ 'timezone' => $timezone,
+ 'week_start' => Weekday::Sunday->value,
+ ]);
+
+ $response->assertValid(errorBag: 'updateProfileInformation');
+ $this->assertSame('Spoofed Put Name', $user->fresh()->name);
+ }
 }