diff --git a/backend/image_transfer/common.py b/backend/image_transfer/common.py
index 7cbd6dd7d..878063373 100644
--- a/backend/image_transfer/common.py
+++ b/backend/image_transfer/common.py
@@ -2,6 +2,7 @@
 import json
 from enum import Enum
+from http.cookiejar import DefaultCookiePolicy
 from typing import IO
 from typing import Dict
 from typing import Iterator
@@ -156,3 +157,11 @@ def auth(self, dxf: DXFBase, response: requests.Response) -> Optional[str]:
 return dxf.authenticate(
 response=response,
 )
+
+
+# Remove all cookies, otherwise Harbor will send CSRF cookies, which does not make sense for API requests
+class DXFBaseNoCookies(DXFBase):
+ def __enter__(self: "DXFBaseNoCookies") -> "DXFBaseNoCookies":
+ super().__enter__()
+ self._sessions[0].cookies.set_policy(DefaultCookiePolicy(allowed_domains=[]))
+ return self
diff --git a/backend/image_transfer/decoder.py b/backend/image_transfer/decoder.py
index ed7f8f7a3..13f95a004 100644
--- a/backend/image_transfer/decoder.py
+++ b/backend/image_transfer/decoder.py
@@ -16,6 +16,7 @@
 from image_transfer.common import Blob
 from image_transfer.common import BlobLocationInRegistry
 from image_transfer.common import BlobPathInZip
+from image_transfer.common import DXFBaseNoCookies
 from image_transfer.common import Manifest
 from image_transfer.common import PayloadDescriptor
 from image_transfer.common import PayloadSide
@@ -59,7 +60,7 @@ def push_payload(
 """
 authenticator = Authenticator()
- with DXFBase(host=registry, auth=authenticator.auth, insecure=not secure) as dxf_base:
+ with DXFBaseNoCookies(host=registry, auth=authenticator.auth, insecure=not secure) as dxf_base:
 with safezip.ZipFile(zip_file, "r") as zip_file:
 return list(
 load_zip_images_in_registry(dxf_base=dxf_base, zip_file=zip_file, repository=repository, strict=strict)
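Review bot: `self._sessions[0]` in the new `DXFBaseNoCookies.__enter__` reaches into a private attribute of `DXFBase` and assumes the session opened by `super().__enter__()` sits at index 0, so a change in the dxf library's internals would make this either fail or apply the policy to a different session. I would pin that assumption with a short comment on the line and a unit test asserting that the session's cookie jar stays empty after a response carrying `Set-Cookie`. The comment above the class also says "Remove all cookies", whereas the code installs a policy that accepts and returns cookies for no domain. A class docstring such as `"""DXFBase whose session neither stores nor sends cookies; Harbor otherwise sets CSRF cookies, which make no sense for API requests."""` would say that precisely.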
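Review bot: Only the `DXFBase(...)` construction in `push_payload` is switched to `DXFBaseNoCookies` here, so any other code path that opens a `DXFBase` session against the same registry (none is visible in this diff) would still store and replay Harbor's cookies. It is worth searching the backend for remaining `DXFBase(` constructions and either switching them or noting next to each why it is exempt. If this was the only use of the `DXFBase` name in `decoder.py`, its import may now be unused. `push_payload` starts before and continues past this hunk.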