diff --git a/app/ccms_user_controller.cpp b/app/ccms_user_controller.cpp
index 53ae130..9574f4d 100644
--- a/app/ccms_user_controller.cpp
+++ b/app/ccms_user_controller.cpp
@@ -28,6 +28,8 @@ void CCMSUserController::render_login_request_default(Request *request, LoginReq
 //todo href path helper
 b.form()->method("POST")->href("/user/login");
 {
+ b.csrf_token(request);
+
 b.w("Username");
 b.br();
 b.input()->type("text")->name("username")->value(data->uname_val);
@@ -77,6 +79,8 @@ void CCMSUserController::render_register_request_default(Request *request, Regis
 //todo href path helper
 b.form()->method("POST")->href("/user/register");
 {
+ b.csrf_token(request);
+
 b.w("Username");
 b.br();
 b.input()->type("text")->name("username")->value(data->uname_val);
@@ -146,6 +150,8 @@ void CCMSUserController::render_settings_request(Ref &user, Request *reque
 //todo href path helper
 b.form()->method("POST")->href("/user/settings");
 {
+ b.csrf_token(request);
+
 b.w("Username");
 b.br();
 b.input()->type("text")->name("username")->placeholder(user->name_user_input)->value(data->uname_val);
diff --git a/app/menu/menu_node.cpp b/app/menu/menu_node.cpp
index ed1d79d..c2a00ac 100644
--- a/app/menu/menu_node.cpp
+++ b/app/menu/menu_node.cpp
@@ -166,6 +166,8 @@ void MenuNode::render_menuentry_view(Request *request, MenudminEntryViewData *da
 b.form()->method("POST")->action(aurl);
 {
+ b.csrf_token(request);
+
 b.w("Name:")->br();
 b.input_text("name", name)->br();
@@ -363,6 +365,7 @@ void MenuNode::admin_render_menuentry_list(Request *request) {
 if (i != 0) {
 b.form()->method("POST")->action(request->get_url_root() + "up");
 {
+ b.csrf_token(request);
 b.input_hidden("id", String::num(e->id));
 b.input_submit("Up");
 }
@@ -378,6 +381,7 @@ void MenuNode::admin_render_menuentry_list(Request *request) {
 if (i + 1 != _data->entries.size()) {
 b.form()->method("POST")->action(request->get_url_root() + "down");
 {
+ b.csrf_token(request);
 b.input_hidden("id", String::num(e->id));
 b.input_submit("Down");
 }
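Review bot: The `b.csrf_token(request);` added to the login form only protects `/user/login` if the matching POST handler rejects a missing or mismatched token, and no such check is visible in this diff. The same holds for the register and settings forms in this file and for the menu-entry form in `render_menuentry_view`. For login and register there is usually no authenticated session yet, so the token presumably has to be bound to a pre-login session (or a double-submit cookie) and rotated once login succeeds; please confirm that is how the helper behaves. A short comment next to the call would record the contract, e.g. `// token is verified by the POST handler before any form field is read`. The bodies of these render functions continue outside the hunks.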
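Review bot: In `admin_render_menuentry_list` every entry now renders up to three forms that each call `b.csrf_token(request);`, so the helper must return the same per-session token on every call. If it mints and stores a fresh token each time (its implementation is not visible here), only the last form rendered on the page would still validate. This applies equally to the "down" form in the hunk at -378 and the "delete" form in the hunk at -392. Please confirm the helper is idempotent within a request and note it at the first call, e.g. `// csrf_token() reuses the session token, so one call per form is safe`. The function body and its loop start outside these hunks.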
@@ -392,6 +396,7 @@ void MenuNode::admin_render_menuentry_list(Request *request) {
 {
 b.form()->method("POST")->action(request->get_url_root() + "delete");
 {
+ b.csrf_token(request);
 b.input_hidden("id", String::num(e->id));
 b.input_submit("Delete");
 }