diff --git a/src/Routing/QueryRouteEnhancer.php b/src/Routing/QueryRouteEnhancer.php
index 0d8fec5dd..ca2daa5df 100644
--- a/src/Routing/QueryRouteEnhancer.php
+++ b/src/Routing/QueryRouteEnhancer.php
@@ -92,7 +92,7 @@ protected function assertValidPostRequestHeaders(Request $request) : void {
 return;
 }
- /** @phpstan-ignore-next-line */
+ // @phpstan-ignore-next-line
 $content_format = method_exists($request, 'getContentTypeFormat') ? $request->getContentTypeFormat() : $request->getContentType();
 if ($content_format === NULL) {
 // Symfony before 5.4 does not detect "multipart/form-data", check for it
@@ -116,7 +116,11 @@ protected function assertValidPostRequestHeaders(Request $request) : void {
 if ($content_format === "form") {
 // If the client set a custom header then we can be sure CORS was
 // respected.
- $custom_headers = ['Apollo-Require-Preflight', 'X-Apollo-Operation-Name', 'x-graphql-yoga-csrf'];
+ $custom_headers = [
+ 'Apollo-Require-Preflight',
+ 'X-Apollo-Operation-Name',
+ 'x-graphql-yoga-csrf',
+ ];
 foreach ($custom_headers as $custom_header) {
 if ($request->headers->has($custom_header)) {
 return;
@@ -133,7 +137,7 @@ protected function assertValidPostRequestHeaders(Request $request) : void {
 if (!empty($this->corsOptions['enabled'])) {
 $cors_service = new CorsService($this->corsOptions);
 // Drupal 9 compatibility, method name has changed in Drupal 10.
- /** @phpstan-ignore-next-line */
+ // @phpstan-ignore-next-line
 if ($cors_service->isActualRequestAllowed($request)) {
 return;
 }
diff --git a/tests/src/Kernel/Framework/CsrfTest.php b/tests/src/Kernel/Framework/CsrfTest.php
index 76d12ee07..34d451b30 100644
--- a/tests/src/Kernel/Framework/CsrfTest.php
+++ b/tests/src/Kernel/Framework/CsrfTest.php
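Review bot: The reformatted `$custom_headers` list carries the whole CSRF argument for form-encoded POSTs, yet nothing records the property every entry must keep: none of these names is a CORS-safelisted request header, so a browser cannot attach one to a cross-site request without a preflight that the CORS policy gets to reject. I would state that above the array, e.g. `// None of these are CORS-safelisted request headers, so a browser cannot send them cross-site without a preflight; only add names that keep that property.`, so a later contributor does not add something like `Content-Type` or `Accept` and silently void the check. A second short line that the test is presence-only (`has()`) by design, because the header value plays no part in triggering the preflight, would also help. The body of assertValidPostRequestHeaders continues outside the hunk.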
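Review bot: The early `return` on `isActualRequestAllowed()` lets a CORS wildcard satisfy the CSRF check for form-encoded POSTs: the CsrfTest data provider in this same commit accepts `https://allowed.example.com` under `['*']`, and an attacker-controlled Origin takes that same branch with the victim's cookies attached. A `*` origin policy does not express intent to trust credentialed cross-site form posts (browsers never send credentials against a `*` response), so I would exclude it here — assuming corsOptions mirrors Drupal's cors.config keys, please confirm — with `$wildcard = in_array('*', $this->corsOptions['allowedOrigins'] ?? [], TRUE);` and `if (!$wildcard && $cors_service->isActualRequestAllowed($request)) {`, or at minimum say in the comment above the call that a wildcard is deliberately accepted so the test case is not read as a regression. Separately, unlike the `method_exists` guard used for `getContentTypeFormat` earlier in this method, the renamed-method call that the ignore line covers has no fallback, so on a stack-cors version that lacks it the check would end in an uncaught Error rather than a rejection response. The body of assertValidPostRequestHeaders continues outside the hunk.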
@@ -155,26 +155,36 @@ public function provideAllowedFormRequests(): array {
 [['CONTENT_TYPE' => 'multipart/form-data']],
 // The custom Apollo-Require-Preflight header overrules any evil Origin
 // header.
- [[
- 'CONTENT_TYPE' => 'multipart/form-data',
- 'HTTP_APOLLO_REQUIRE_PREFLIGHT' => 'test',
- 'HTTP_ORIGIN' => 'https://evil.example.com',
- ]],
+ [
+ [
+ 'CONTENT_TYPE' => 'multipart/form-data',
+ 'HTTP_APOLLO_REQUIRE_PREFLIGHT' => 'test',
+ 'HTTP_ORIGIN' => 'https://evil.example.com',
+ ],
+ ],
 // The Origin header alone with the correct domain is allowed.
- [[
- 'CONTENT_TYPE' => 'multipart/form-data',
- 'HTTP_ORIGIN' => 'https://example.com',
- ]],
+ [
+ [
+ 'CONTENT_TYPE' => 'multipart/form-data',
+ 'HTTP_ORIGIN' => 'https://example.com',
+ ],
+ ],
 // The Origin header with an allowed domain.
- [[
- 'CONTENT_TYPE' => 'multipart/form-data',
- 'HTTP_ORIGIN' => 'https://allowed.example.com',
- ], ['https://allowed.example.com']],
+ [
+ [
+ 'CONTENT_TYPE' => 'multipart/form-data',
+ 'HTTP_ORIGIN' => 'https://allowed.example.com',
+ ],
+ ['https://allowed.example.com'],
+ ],
 // The Origin header with any allowed domain.
- [[
- 'CONTENT_TYPE' => 'multipart/form-data',
- 'HTTP_ORIGIN' => 'https://allowed.example.com',
- ], ['*']],
+ [
+ [
+ 'CONTENT_TYPE' => 'multipart/form-data',
+ 'HTTP_ORIGIN' => 'https://allowed.example.com',
+ ],
+ ['*'],
+ ],
 ];
 }