diff --git a/CHANGELOG b/CHANGELOG
index 7f5b5be48..42eceaf1d 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,12 @@
 ChangeLog
 *********
 
+0.40.1 (2018-07-25)
+===================
+- Feature: Add `X-CSRFToken` to list of acceptable CORS headers.
+- Feature: Tell Keen analytics to strip ip on upload.
+- Code: Remove never-implemented anonymous geolocation code.
+
 0.40.0 (2018-06-22)
 ===================
 - Feature: Listen for MFR-originating metadata requests and relay the nature of the request to
diff --git a/requirements.txt b/requirements.txt
index 63e9e8888..897f3526d 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -19,6 +19,3 @@ xmltodict==0.9.0
 
 # Issue: certifi-2015.9.6.1 and 2015.9.6.2 fail verification (https://github.com/certifi/python-certifi/issues/26)
 certifi==2015.4.28
-
-# Analytics requirements
-python-geoip-geolite2==2015.0303
diff --git a/waterbutler/core/remote_logging.py b/waterbutler/core/remote_logging.py
index fa4580c4c..08c574db9 100644
--- a/waterbutler/core/remote_logging.py
+++ b/waterbutler/core/remote_logging.py
@@ -5,7 +5,6 @@
 
 import furl
 import aiohttp
-# from geoip import geolite2
 
 from waterbutler import settings
 from waterbutler.core import utils
@@ -80,10 +79,6 @@ async def log_to_keen(action, api_version, request, source, destination=None, er
     if settings.KEEN_PRIVATE_PROJECT_ID is None:
         return
 
-    location = None
-    # if request['ip'] and re.match('\d+\.\d+\.\d+\.\d+', request['ip']):  # needs IPv4 format
-    #     location = geolite2.lookup(request['ip'])
-
     keen_payload = {
         'meta': {
             'wb_version': __version__,
@@ -92,9 +87,9 @@ async def log_to_keen(action, api_version, request, source, destination=None, er
         },
         'request': request['request'],  # .info added via keen addons
         'tech': request['tech'],  # .info added via keen addons
-        'anon': {
-            'continent': getattr(location, 'continent', None),
-            'country': getattr(location, 'country', None),
+        'anon': {  # intended for anonymized geolocation, never implemented
+            'continent': None,
+            'country': None,
         },
         'action': {
             'type': action,
@@ -130,7 +125,8 @@ async def log_to_keen(action, api_version, request, source, destination=None, er
                 {  # private
                     'name': 'keen:ip_to_geo',
                     'input': {
-                        'ip': 'tech.ip'
+                        'ip': 'tech.ip',
+                        'remove_ip_property': True,
                     },
                     'output': 'geo',
                 },
diff --git a/waterbutler/server/utils.py b/waterbutler/server/utils.py
index 01688c278..a421343c4 100644
--- a/waterbutler/server/utils.py
+++ b/waterbutler/server/utils.py
@@ -8,6 +8,7 @@
     'Authorization',
     'Cache-Control',
     'X-Requested-With',
+    'X-CSRFToken',
 ]
 
 CORS_EXPOSE_HEADERS = [
diff --git a/waterbutler/version.py b/waterbutler/version.py
index eb9b6f12e..5e1c3f39f 100644
--- a/waterbutler/version.py
+++ b/waterbutler/version.py
@@ -1 +1 @@
-__version__ = '0.40.0'
+__version__ = '0.40.1'