diff --git a/application/controllers/User.php b/application/controllers/User.php
index 307b7db3a..9ccd8ce26 100644
--- a/application/controllers/User.php
+++ b/application/controllers/User.php
@@ -192,6 +192,7 @@ class User extends CI_Controller { if ($this->form_validation->run() == FALSE) { $data['page_title'] = __("Add User"); $data['measurement_base'] = $this->config->item('measurement_base'); + $data['csrf_token'] = $this->paths->csrf_generate($this->router->class.'_'.$this->router->method); $this->load->view('interface_assets/header', $data); if($this->input->post('user_name')) {
@@ -252,6 +253,12 @@ class User extends CI_Controller { } $this->load->view('interface_assets/footer', $footerData); } else { + if (!$this->paths->csrf_verify($this->router->class.'_'.$this->router->method)) { + $this->session->set_flashdata('error', __("Invalid security token")); + redirect('user/add'); + return; + } + switch($this->user_model->add($this->input->post('user_name'), $this->input->post('user_password'), $this->input->post('user_email'),
@@ -334,6 +341,7 @@ class User extends CI_Controller { return; } $data['page_title'] = __("Users"); + $data['csrf_token'] = $this->paths->csrf_generate($this->router->class.'_'.$this->router->method); $this->load->view('interface_assets/header', $data); $data['user_name'] = $this->input->post('user_name');
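Review bot: The CSRF key expression `$this->router->class.'_'.$this->router->method` is written out by hand at every generate and verify site in the -252 hunk and again in the -192, -334, -931 and -1000 hunks, so a typo in any one copy would silently produce a token that never verifies; one private helper, `private function csrfKey(): string { return $this->router->class.'_'.$this->router->method; }`, called on both sides keeps generation and verification in agreement. Placing the verify call in the branch that runs only after form validation passes looks correct, since no model write happens before it and an invalid token on a validation failure just re-renders the form with a freshly generated token. Where the verifier reads the submitted token from (presumably a posted field matching the `csrf_token` view variable) is inside `paths->csrf_verify` and not visible here, so the field name cannot be confirmed against the view. The enclosing `add()` method starts and ends outside this hunk.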
@@ -931,12 +939,19 @@ class User extends CI_Controller { $data['on_air_widget_show_only_most_recent_radio'] = ($this->user_options_model->get_options('widget', array('option_name'=>'on_air', 'option_key' => 'display_only_most_recent_radio'), $this->uri->segment(3))->row()->option_value ?? "true"); $data['on_air_widget_url'] = site_url('widgets/on_air/' . $q->slug); $data['qso_widget_display_qso_time'] = ($this->user_options_model->get_options('widget', array('option_name'=>'qso', 'option_key' => 'display_qso_time'), $this->uri->segment(3))->row()->option_value ?? "false"); + $data['csrf_token'] = $this->paths->csrf_generate($this->router->class.'_'.$this->router->method); $this->load->view('interface_assets/header', $data); $this->load->view('user/edit', $data); $this->load->view('interface_assets/footer', $footerData); } else { // Data was submitted for saving - save updated options in DB + if (!$this->paths->csrf_verify($this->router->class.'_'.$this->router->method)) { + $this->session->set_flashdata('error', __("Invalid security token")); + redirect('user/edit/'.$this->uri->segment(3)); + return; + } + unset($data); switch($this->user_model->edit($this->input->post())) { // Check for errors
@@ -1000,6 +1015,7 @@ class User extends CI_Controller { return; } + $data['csrf_token'] = $this->paths->csrf_generate($this->router->class.'_'.$this->router->method); $this->load->view('interface_assets/header', $data); $data['user_name'] = $this->input->post('user_name', true); $data['user_email'] = $this->input->post('user_email', true);
diff --git a/application/views/user/edit.php b/application/views/user/edit.php
index cd0a9c197..85b69566e 100644
--- a/application/views/user/edit.php
+++ b/application/views/user/edit.php
@@ -37,6 +37,7 @@ load->helper('form'); ?>
+