diff --git a/src/applications/files/controller/proxy/PhabricatorFileProxyController.php b/src/applications/files/controller/proxy/PhabricatorFileProxyController.php
index 3869376b12..760b5c69e3 100644
--- a/src/applications/files/controller/proxy/PhabricatorFileProxyController.php
+++ b/src/applications/files/controller/proxy/PhabricatorFileProxyController.php
@@ -34,6 +34,10 @@ class PhabricatorFileProxyController extends PhabricatorFileController {
       $uri);
 
     if (!$proxy) {
+      // This write is fine to skip CSRF checks for, we're just building a
+      // cache of some remote image.
+      $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
+
       $file = PhabricatorFile::newFromFileDownload(
         $uri,
         nonempty(basename($uri), 'proxied-file'));
@@ -43,6 +47,8 @@ class PhabricatorFileProxyController extends PhabricatorFileController {
         $proxy->setFilePHID($file->getPHID());
         $proxy->save();
       }
+
+      unset($unguarded);
     }
 
     if ($proxy) {
diff --git a/src/applications/files/controller/proxy/__init__.php b/src/applications/files/controller/proxy/__init__.php
index f8c7b15690..be1d269685 100644
--- a/src/applications/files/controller/proxy/__init__.php
+++ b/src/applications/files/controller/proxy/__init__.php
@@ -8,6 +8,7 @@
 
 phutil_require_module('phabricator', 'aphront/response/400');
 phutil_require_module('phabricator', 'aphront/response/redirect');
+phutil_require_module('phabricator', 'aphront/writeguard');
 phutil_require_module('phabricator', 'applications/files/controller/base');
 phutil_require_module('phabricator', 'applications/files/storage/file');
 phutil_require_module('phabricator', 'applications/files/storage/proxyimage');