diff --git a/backend/workflows/middleware.py b/backend/workflows/middleware.py
index 46563ad..65e2f64 100644
--- a/backend/workflows/middleware.py
+++ b/backend/workflows/middleware.py
@@ -154,7 +154,10 @@ class AuthSessionHardeningMiddleware:
 
     def _touch_session(self, request, now_ts: int) -> None:
         request.session['last_activity_ts'] = now_ts
-        request.session.setdefault('auth_fresh_ts', now_ts)
+        if request.method in {'GET', 'HEAD'}:
+            request.session['auth_fresh_ts'] = now_ts
+        else:
+            request.session.setdefault('auth_fresh_ts', now_ts)
 
     def _warn(self, request, message: str) -> None:
         try:
diff --git a/backend/workflows/tests/test_security_hardening.py b/backend/workflows/tests/test_security_hardening.py
index 7d114e4..22559f5 100644
--- a/backend/workflows/tests/test_security_hardening.py
+++ b/backend/workflows/tests/test_security_hardening.py
@@ -94,3 +94,22 @@ class AuthSessionHardeningTests(TestCase):
         response = client.post('/admin-tools/branding/save/', {'portal_title': 'Blocked'}, HTTP_HOST='localhost')
         self.assertEqual(response.status_code, 302)
         self.assertIn('/accounts/login/', response['Location'])
+
+    @override_settings(SENSITIVE_ACTION_REAUTH_SECONDS=60)
+    def test_recent_get_refreshes_fresh_auth_for_sensitive_post(self):
+        client = Client(REMOTE_ADDR='10.10.10.61')
+        client.force_login(self.user)
+        session = client.session
+        session['last_activity_ts'] = 9999999999
+        session['auth_fresh_ts'] = 1
+        session.save()
+
+        home_response = client.get('/', HTTP_HOST='localhost')
+        self.assertEqual(home_response.status_code, 200)
+
+        session = client.session
+        self.assertGreater(session['auth_fresh_ts'], 1)
+
+        response = client.post('/admin-tools/branding/save/', {'portal_title': 'Blocked'}, HTTP_HOST='localhost')
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response['Location'], '/')
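Review bot: Overwriting `auth_fresh_ts` on every GET/HEAD in `_touch_session` means that, if this stamp is what gates `SENSITIVE_ACTION_REAUTH_SECONDS` as the new test's setting suggests, the window no longer measures time since the user last proved their credentials but time since they last loaded any page — the test itself shows a stamp of `1` being revived by one `GET /` and the sensitive POST then passing. That collapses "recently authenticated" into "recently active", which `last_activity_ts` on the line above already tracks, and a hijacked or shared session can issue a GET just as easily as the POST it wants to unlock. If the setting is meant as a step-up/re-authentication gate, write the freshness stamp only where authentication actually happens (the login view or a `user_logged_in` receiver) and keep this method to `request.session['last_activity_ts'] = now_ts` plus the original `setdefault`. If the relaxed semantics are intended, say so at the assignment, e.g. `# NOTE: any GET/HEAD re-arms the re-auth window; it measures recent activity, not a recent credential check`, so nobody reads the setting as a sudo-mode control. `_warn` starts at the end of the hunk and continues outside it.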
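Review bot: The final assertions in `test_recent_get_refreshes_fresh_auth_for_sensitive_post` only establish a 302 to `/`, which does not prove the sensitive POST was actually processed rather than redirected for some other reason, and the payload `{'portal_title': 'Blocked'}` is copied from the preceding blocked-POST case, which makes the intent harder to read. Asserting on the persisted side effect (re-fetching the branding record and checking `portal_title`) with a distinct value such as `'Allowed'` would pin the behaviour the test name claims. The `last_activity_ts = 9999999999` far-future stamp deserves a one-line comment, e.g. `# far future: keep the idle-timeout check out of this test`, since its role is easy to confuse with the `auth_fresh_ts = 1` stamp that the test is really about.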