diff --git a/ajax/system/sys_perform_update.php b/ajax/system/sys_perform_update.php
index 662d3d91..1e333134 100644
--- a/ajax/system/sys_perform_update.php
+++ b/ajax/system/sys_perform_update.php
@@ -5,19 +5,12 @@
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
-if (isset($_POST['csrf_token'])) {
- if (csrfValidateRequest() && !CSRFValidate()) {
- handleInvalidCSRFToken();
- }
- // set installer path + options
- $path = getenv("DOCUMENT_ROOT");
- $opts = " --update --yes --check 0 --path $path";
- $installer = "sudo /etc/raspap/system/raspbian.sh";
- $execUpdate = $installer.$opts;
+// set installer path + options
+$path = getenv("DOCUMENT_ROOT");
+$opts = " --update --yes --check 0 --path $path";
+$installer = "sudo /etc/raspap/system/raspbian.sh";
+$execUpdate = $installer.$opts;
 
- $response = shell_exec($execUpdate);
- echo json_encode($response);
+$response = shell_exec($execUpdate);
+echo json_encode($response);
 
-} else {
- handleInvalidCSRFToken();
-}
diff --git a/includes/CSRF.php b/includes/CSRF.php
index 6329dfee..ec72fcf6 100644
--- a/includes/CSRF.php
+++ b/includes/CSRF.php
@@ -26,9 +26,11 @@ class CSRF
 public static function verify(): bool
 {
- $token = $_POST['csrf_token'];
+ if (!isset($_POST['csrf_token'])) {
+ return false;
+ }
 return self::instance()->csrfValidateRequest() &&
- self::instance()->CSRFValidate($_POST['csrf_token'] ?? '');
+ self::instance()->CSRFValidate($_POST['csrf_token']);
 }
 
 public static function metaTag(): string
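Review bot: A request that reaches sys_perform_update.php with any method other than POST/PUT/DELETE/PATCH now runs `shell_exec($execUpdate)` with no CSRF check at all: the per-endpoint check is gone, the script never inspects the method itself, and the only remaining gate is the file-level `CSRF::validateRequest()` block in includes/CSRF.php (third hunk), which returns false for every other method and so skips `verify()` entirely. Whether includes/CSRF.php is even loaded for this script is not visible here — it would have to come transitively through session.php, config.php or authenticate.php, which should be confirmed. The endpoint should refuse non-POST requests before the command string is built, e.g. `if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') { http_response_code(405); exit; }` directly after the requires. While touching it, `$path` should be passed through `escapeshellarg()` before being concatenated into `$opts`, since the resulting string is handed unquoted to a sudo'd shell.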
@@ -53,13 +55,15 @@ class CSRF
 */
 public static function validateRequest(): bool
 {
- return self::instance()->csrfValidateRequest();
+ $methods = ['POST', 'PUT', 'DELETE', 'PATCH'];
+ return in_array($_SERVER['REQUEST_METHOD'], $methods) &&
+ self::instance()->csrfValidateRequest();
 }
 }
 
 if (\RaspAP\Tokens\CSRF::validateRequest()) {
 if (!\RaspAP\Tokens\CSRF::verify()) {
- error_log("CSRF verification failed. Token: " . ($_POST['csrf_token'] ?? 'not provided'));
+ error_log("CSRF verification failed: Token missing or invalid");
 \RaspAP\Tokens\CSRF::handleInvalidToken();
 }
 }
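Review bot: `in_array($_SERVER['REQUEST_METHOD'], $methods)` in validateRequest() uses loose comparison and reads `REQUEST_METHOD` with no default, so the line emits an undefined-index warning and compares `null` whenever the file is included outside a web request (CLI scripts, tests); prefer `return in_array($_SERVER['REQUEST_METHOD'] ?? '', $methods, true) &&`. The new list is also an allow-list of methods to check rather than a list of safe methods to exempt, so any endpoint that performs an action on GET is left unverified; inverting it to exempt only `GET`, `HEAD` and `OPTIONS` would fail closed for unexpected methods. The `error_log` wording change is an improvement in its own right, since the submitted token no longer lands in the log.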