diff --git a/src/porchlight/csrf.py b/src/porchlight/csrf.py
index aa82096..630c723 100644
--- a/src/porchlight/csrf.py
+++ b/src/porchlight/csrf.py
@@ -10,7 +10,8 @@ from starlette.types import ASGIApp, Receive, Scope, Send
 logger = logging.getLogger(__name__)
-SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
+SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
+SESSION_KEY = "csrf_token"
 def generate_csrf_token(request: Request) -> str:
@@ -19,10 +20,10 @@ def generate_csrf_token(request: Request) -> str:
 Stores the token at ``request.session["csrf_token"]``.
 Returns the existing token when one is already present (idempotent per session).
 """
- token: str | None = request.session.get("csrf_token")
+ token: str | None = request.session.get(SESSION_KEY)
 if token is None:
 token = secrets.token_urlsafe(32)
- request.session["csrf_token"] = token
+ request.session[SESSION_KEY] = token
 return token
@@ -70,7 +71,7 @@ class CSRFMiddleware:
 return
 # Token validation
- expected_token: str | None = request.session.get("csrf_token")
+ expected_token: str | None = request.session.get(SESSION_KEY)
 # Check header first, then fall back to form field
 submitted_token: str | None = request.headers.get("x-csrf-token")
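Review bot: The new `SESSION_KEY` constant is undocumented, and since both `generate_csrf_token` and `CSRFMiddleware` now depend on it a reader should be told that changing it invalidates every existing session's token; add `# Session key holding the per-session CSRF token; shared by generate_csrf_token and CSRFMiddleware.` above it. Both module constants would also read as intentional if annotated `SAFE_METHODS: Final = frozenset(...)` and `SESSION_KEY: Final = "csrf_token"`, provided `typing.Final` is importable here (the import block is not in the diff, so confirm).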
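Review bot: The docstring in this hunk still hard-codes ``request.session["csrf_token"]`` while the code below it now reads and writes `SESSION_KEY`, so the two will drift the first time the constant changes; reword it to `Stores the token at ``request.session[SESSION_KEY]`` (currently ``"csrf_token"``).`. A smaller pre-existing point: `if token is None:` keeps whatever non-None value the session already holds, including an empty string, whereas `if not token:` would regenerate in that case; worth deciding deliberately and noting in the docstring.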
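Review bot: The session key was extracted to `SESSION_KEY`, but the header name on the last line of this hunk stays a literal `"x-csrf-token"` (and the form-field fallback mentioned in the comment presumably has its own literal outside the hunk); for consistency extract it too, `HEADER_NAME = "x-csrf-token"` next to `SESSION_KEY` and `request.headers.get(HEADER_NAME)` here. The enclosing method of `CSRFMiddleware` starts and ends outside the hunk, so the comparison of `expected_token` and `submitted_token` is not visible: if it uses `==`, `secrets.compare_digest` (the module already imports `secrets`) is the constant-time choice, and the `expected_token is None` case must reject rather than compare two missing values as equal.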