diff --git a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__1. no auth token.snap b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__1. no auth token.snap
index 049da8e..6b509c9 100644
--- a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__1. no auth token.snap	
+++ b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__1. no auth token.snap	
@@ -4,6 +4,5 @@ expression: "(headers, text)"
 ---
 - access-control-allow-origin: "*"
   access-control-expose-headers: "*"
-  content-length: "16"
   content-type: text/plain; charset=utf-8
 - No access token.
diff --git a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__2. malformed auth token.snap b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__2. malformed auth token.snap
index c581f38..fb11224 100644
--- a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__2. malformed auth token.snap	
+++ b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__2. malformed auth token.snap	
@@ -4,6 +4,5 @@ expression: "(headers, text)"
 ---
 - access-control-allow-origin: "*"
   access-control-expose-headers: "*"
-  content-length: "21"
   content-type: text/plain; charset=utf-8
 - Invalid access token.
diff --git a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__2__login.snap b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__2__login.snap
index 9e39521..cf86ef1 100644
--- a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__2__login.snap
+++ b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__2__login.snap
@@ -2,8 +2,7 @@
 source: src/tests/test_oidc_auth_flow.rs
 expression: "(headers, xsrf_box)"
 ---
-- content-length: "864"
-  content-type: text/html; charset=utf-8
+- content-type: text/html; charset=utf-8
   set-cookie: __Host-SessionlessXsrf=HL4qRFKUlBqkrPTvAQ6z-w; HttpOnly; SameSite=Strict; Secure; Path=/; Max-Age=43200000
   x-frame-options: DENY
 - "<input name=\"xsrf\" type=\"hidden\" value=\"HL4qRFKUlBqkrPTvAQ6z-w\">"
diff --git a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__3. wrong auth token.snap b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__3. wrong auth token.snap
index 0141afa..a74696f 100644
--- a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__3. wrong auth token.snap	
+++ b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__3. wrong auth token.snap	
@@ -4,6 +4,5 @@ expression: "(headers, text)"
 ---
 - access-control-allow-origin: "*"
   access-control-expose-headers: "*"
-  content-length: "28"
   content-type: text/plain; charset=utf-8
 - Invalid application session.
diff --git a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__3__login.snap b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__3__login.snap
index 3082a19..39b4c17 100644
--- a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__3__login.snap
+++ b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__3__login.snap
@@ -2,8 +2,7 @@
 source: src/tests/test_oidc_auth_flow.rs
 expression: "(headers, text)"
 ---
-- content-length: "55"
-  content-type: text/plain; charset=utf-8
+- content-type: text/plain; charset=utf-8
   location: "/oidc/auth?scope=openid&client_id=aclient&response_type=code&state=wombat&redirect_uri=http:%2F%2Faclient.example.com%2Fredirect&code_challenge=LeU9Sprdh-i2mzasKGh8-hmbnmzk48l3Siw390dKY3M&code_challenge_method=S256&nonce=noncey"
   set-cookie: __Host-LoginSession=Glh_a6j2xs7ryaJWefPsoW59L7xq6QokAzGh-zEcOxY; HttpOnly; SameSite=Strict; Secure; Path=/; Max-Age=43200000
   x-frame-options: DENY
diff --git a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__3__token_no_code.snap b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__3__token_no_code.snap
index 53b3600..e2e3cb0 100644
--- a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__3__token_no_code.snap
+++ b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__3__token_no_code.snap
@@ -4,7 +4,6 @@ expression: "(headers, json)"
 ---
 - access-control-allow-origin: "*"
   access-control-expose-headers: "*"
-  content-length: "75"
   content-type: application/json
 - error: invalid_request
   error_description: "`code` parameter missing."
diff --git a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__4__auth.snap b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__4__auth.snap
index 0f70f51..fe06bf1 100644
--- a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__4__auth.snap
+++ b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__4__auth.snap
@@ -1,8 +1,7 @@
 ---
 source: src/tests/test_oidc_auth_flow.rs
-expression: "(headers, text)"
+expression: "(headers, xsrf_box)"
 ---
-- content-length: "288"
-  content-type: text/html; charset=utf-8
+- content-type: text/html; charset=utf-8
   x-frame-options: DENY
-- "hi <u>robert</u>, consent to <u>AClient</u>? <form method='POST'><input type='hidden' name='xsrf' value='0.JpKyqkWckzF6w6btxX2RXv_MlxgOfoYOZJknydValkc'><button type='submit' name='action' value='accept'>Accept</button> <button type='submit' name='action' value='deny'>Deny</button></form>"
+- "<input name=\"xsrf\" type=\"hidden\" value=\"0.JpKyqkWckzF6w6btxX2RXv_MlxgOfoYOZJknydValkc\">"
diff --git a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__4__token_conflict.snap b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__4__token_conflict.snap
index 6b479d4..64baa56 100644
--- a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__4__token_conflict.snap
+++ b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__4__token_conflict.snap
@@ -4,6 +4,5 @@ expression: "(headers, text)"
 ---
 - access-control-allow-origin: "*"
   access-control-expose-headers: "*"
-  content-length: "124"
   content-type: application/json
 - "{\"error\":\"invalid_grant\",\"error_description\":\"Auth code has been redeemed multiple times! This could mean something nasty.\"}"
diff --git a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__4__token_malformed_code.snap b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__4__token_malformed_code.snap
index 01444ff..7d5a021 100644
--- a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__4__token_malformed_code.snap
+++ b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__4__token_malformed_code.snap
@@ -4,7 +4,6 @@ expression: "(headers, json)"
 ---
 - access-control-allow-origin: "*"
   access-control-expose-headers: "*"
-  content-length: "77"
   content-type: application/json
 - error: invalid_request
   error_description: "`code` parameter malformed."
diff --git a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__5__auth.snap b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__5__auth.snap
index b59eedf..8bef04f 100644
--- a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__5__auth.snap
+++ b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__5__auth.snap
@@ -2,8 +2,7 @@
 source: src/tests/test_oidc_auth_flow.rs
 expression: "(headers, text)"
 ---
-- content-length: "46"
-  content-type: text/plain; charset=utf-8
+- content-type: text/plain; charset=utf-8
   location: "http://aclient.example.com/redirect?code=UnLS_bGq0ZB4szozTRCJIG-37ibG08zK&state=wombat&iss=http%3A%2F%2Fissuer.example.com"
   x-frame-options: DENY
 - Authorisation succeeded; redirecting you back.
diff --git a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__5__token_no_verifier.snap b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__5__token_no_verifier.snap
index 23a3f3b..3d0dcca 100644
--- a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__5__token_no_verifier.snap
+++ b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__5__token_no_verifier.snap
@@ -4,7 +4,6 @@ expression: "(headers, json)"
 ---
 - access-control-allow-origin: "*"
   access-control-expose-headers: "*"
-  content-length: "84"
   content-type: application/json
 - error: invalid_request
   error_description: "`code_verifier` parameter missing."
diff --git a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__6__token.snap b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__6__token.snap
index 270771b..ac01403 100644
--- a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__6__token.snap
+++ b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__6__token.snap
@@ -4,7 +4,6 @@ expression: "(headers, json)"
 ---
 - access-control-allow-origin: "*"
   access-control-expose-headers: "*"
-  content-length: "803"
   content-type: application/json
 - access_token: pvgYf08qA_ctEIhMP4DFQzbxjiCx8qfgi4cATwGsH9Q
   expires_in: 31536000
diff --git a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__6__token_wrong_verifier.snap b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__6__token_wrong_verifier.snap
index 709152b..56cc1e8 100644
--- a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__6__token_wrong_verifier.snap
+++ b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__6__token_wrong_verifier.snap
@@ -4,7 +4,6 @@ expression: "(headers, json)"
 ---
 - access-control-allow-origin: "*"
   access-control-expose-headers: "*"
-  content-length: "74"
   content-type: application/json
 - error: invalid_grant
   error_description: Code challenge is invalid.
diff --git a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__7__userinfo.snap b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__7__userinfo.snap
index 133c97f..7d4345c 100644
--- a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__7__userinfo.snap
+++ b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__7__userinfo.snap
@@ -4,7 +4,6 @@ expression: "(headers, json)"
 ---
 - access-control-allow-origin: "*"
   access-control-expose-headers: "*"
-  content-length: "92"
   content-type: application/json
 - name: robert
   preferred_username: robert
diff --git a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__discovery_endpoint.snap b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__discovery_endpoint.snap
index 0a55506..cebc953 100644
--- a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__discovery_endpoint.snap
+++ b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__discovery_endpoint.snap
@@ -4,6 +4,5 @@ expression: "(headers, text)"
 ---
 - access-control-allow-origin: "*"
   access-control-expose-headers: "*"
-  content-length: "505"
   content-type: application/json
 - "{\"issuer\":\"http://idcoop.example.com\",\"authorization_endpoint\":\"http://idcoop.example.com/oidc/auth\",\"token_endpoint\":\"http://idcoop.example.com/oidc/token\",\"userinfo_endpoint\":\"http://idcoop.example.com/oidc/userinfo\",\"jwks_uri\":\"http://idcoop.example.com/oidc/jwks\",\"scopes_supported\":[\"openid\"],\"response_types_supported\":[\"code\"],\"response_modes_supported\":[\"query\"],\"grant_types_supported\":[\"authorization_code\"],\"subject_types_supported\":[\"public\"],\"id_token_signing_alg_values_supported\":[\"RS256\"]}"
diff --git a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__jwks_endpoint.snap b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__jwks_endpoint.snap
index f4c4c5e..c049246 100644
--- a/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__jwks_endpoint.snap
+++ b/src/tests/snapshots/idcoop__tests__test_oidc_auth_flow__jwks_endpoint.snap
@@ -4,6 +4,5 @@ expression: "(headers, text)"
 ---
 - access-control-allow-origin: "*"
   access-control-expose-headers: "*"
-  content-length: "425"
   content-type: application/json
 - "{\"keys\":[{\"kty\":\"RSA\",\"n\":\"w7umnDmvt2ntktJZaeaDLF4wTHeUCXkCQnGOUPTQCExdlPVQcAIjH9sJmk2dWllhRkm_81nn-x8dXqjYbCvTGC_kHSYodiPiqTLQ1pu4YcvRbQh1XPYtc_T67l29KJtow1i7gZD3QqiWUwufDm2SpoC-Dh-RdUL-SUf2V9tToy6JVzyaNbKJy7_ZpYLn74VJpwte6J0kqhSwQJ4VHnY233Zy0oZKdMWvBtJ1uy7OyHWscqPDOUtjPmsyciyPO3qo4389MiFtAJvPdJkWvNYTtg_mDXFQNsCBPTBCP4nuPNGMS0NFRwo1-A3FYq-HHhMcrGJHS_FSvlNeIDTuu5ODVQ\",\"e\":\"AQAB\",\"use\":\"sig\",\"kid\":\"thekey\",\"alg\":\"RS256\"}]}"
diff --git a/src/tests/test_oidc_auth_flow.rs b/src/tests/test_oidc_auth_flow.rs
index 3420014..4a7c38a 100644
--- a/src/tests/test_oidc_auth_flow.rs
+++ b/src/tests/test_oidc_auth_flow.rs
@@ -32,6 +32,9 @@ fn dump_resp_text(
     // Remove vary because it has multiple values and we don't want to
     // introduce instability into our tests by only allowing one through.
     headers.remove("vary");
+    // Remove content-length because it's not interesting and changes easily
+    // with template changes
+    headers.remove("content-length");
     let text = resp.text();
     eprintln!("=== Response for {req_name} ===");
     eprintln!("Status: {status:?}");
@@ -84,9 +87,8 @@ async fn test_full_flow() {
 
     // 2. /login request
     let resp = client.get(&login_url).await;
-    let (status, mut headers, text) = dump_resp_text("2. /login request", resp);
+    let (status, headers, text) = dump_resp_text("2. /login request", resp);
     assert_eq!(status, 200);
-    headers.remove("Content-Length"); // too variable, unimportant
     let xsrf_box = Regex::new("<[^<>]+xsrf[^<>]+>")
         .unwrap()
         .find(&text)
@@ -121,7 +123,12 @@ async fn test_full_flow() {
         .await;
     let (status, headers, text) = dump_resp_text("4. GET /auth after login", resp);
     assert_eq!(status, 200);
-    assert_yaml_snapshot!("4/auth", (headers, text));
+    let xsrf_box = Regex::new("<[^<>]+xsrf[^<>]+>")
+        .unwrap()
+        .find(&text)
+        .unwrap()
+        .as_str();
+    assert_yaml_snapshot!("4/auth", (headers, xsrf_box));
 
     sys.clock.set_time(30);