diff --git a/ajax/bandwidth/get_bandwidth.php b/ajax/bandwidth/get_bandwidth.php
index a784b4d7..1f11b556 100644
--- a/ajax/bandwidth/get_bandwidth.php
+++ b/ajax/bandwidth/get_bandwidth.php
@@ -1,8 +1,10 @@
 <?php
+
+require('includes/csrf.php');
+
 require_once '../../includes/config.php';
 require_once RASPI_CONFIG.'/raspap.php';
 
-session_start();
 header('X-Frame-Options: DENY');
 header("Content-Security-Policy: default-src 'none'; connect-src 'self'");
 require_once '../../includes/authenticate.php';
diff --git a/ajax/bandwidth/get_bandwidth_hourly.php b/ajax/bandwidth/get_bandwidth_hourly.php
index 5c8276df..e9875f73 100644
--- a/ajax/bandwidth/get_bandwidth_hourly.php
+++ b/ajax/bandwidth/get_bandwidth_hourly.php
@@ -1,4 +1,7 @@
 <?php 
+
+require('includes/csrf.php');
+
 if (filter_input(INPUT_GET, 'tu') == 'h') {
 
 	header('X-Content-Type-Options: nosniff');
diff --git a/ajax/networking/gen_int_config.php b/ajax/networking/gen_int_config.php
index d0f59ff3..2dd07089 100644
--- a/ajax/networking/gen_int_config.php
+++ b/ajax/networking/gen_int_config.php
@@ -1,9 +1,11 @@
 <?php
-session_start();
+
+require('includes/csrf.php');
+
 include_once('../../includes/config.php');
 include_once('../../includes/functions.php');
 
-if(isset($_POST['generate']) && isset($_POST['csrf_token']) && CSRFValidate()) {
+if(isset($_POST['generate'])) {
     $cnfNetworking = array_diff(scandir(RASPI_CONFIG_NETWORKING, 1),array('..','.','dhcpcd.conf'));
     $cnfNetworking = array_combine($cnfNetworking,$cnfNetworking);
     $strConfFile = "";
diff --git a/ajax/networking/get_all_interfaces.php b/ajax/networking/get_all_interfaces.php
index 432d0a5d..f76cc78e 100644
--- a/ajax/networking/get_all_interfaces.php
+++ b/ajax/networking/get_all_interfaces.php
@@ -1,4 +1,7 @@
 <?php
+
+    require('includes/csrf.php');
+
     exec("ls /sys/class/net | grep -v lo", $interfaces);
     echo json_encode($interfaces);
 ?>
diff --git a/ajax/networking/get_int_config.php b/ajax/networking/get_int_config.php
index d29ee735..21f41ed6 100644
--- a/ajax/networking/get_int_config.php
+++ b/ajax/networking/get_int_config.php
@@ -1,10 +1,12 @@
 <?php
-session_start();
+
+require('includes/csrf.php');
+
 include_once('../../includes/config.php');
 include_once('../../includes/functions.php');
 
 
-if(isset($_POST['interface']) && isset($_POST['csrf_token']) && CSRFValidate()) {
+if(isset($_POST['interface'])) {
     $int = preg_replace('/[^a-z0-9]/', '', $_POST['interface']);
     if(!file_exists(RASPI_CONFIG_NETWORKING.'/'.$int.'.ini')) {
         touch(RASPI_CONFIG_NETWORKING.'/'.$int.'.ini');
diff --git a/ajax/networking/get_ip_summary.php b/ajax/networking/get_ip_summary.php
index 810c6265..28d479e1 100644
--- a/ajax/networking/get_ip_summary.php
+++ b/ajax/networking/get_ip_summary.php
@@ -1,8 +1,10 @@
 <?php
-session_start();
+
+require('includes/csrf.php');
+
 include_once('../../includes/functions.php');
 
-if(isset($_POST['interface']) && isset($_POST['csrf_token']) && CSRFValidate()) {
+if(isset($_POST['interface'])) {
     $int = preg_replace('/[^a-z0-9]/','',$_POST['interface']);
     exec('ip a s '.$int,$intOutput,$intResult);
     $intOutput = array_map('htmlentities', $intOutput);
diff --git a/ajax/networking/save_int_config.php b/ajax/networking/save_int_config.php
index 77fcd865..742304fb 100644
--- a/ajax/networking/save_int_config.php
+++ b/ajax/networking/save_int_config.php
@@ -1,8 +1,10 @@
 <?php
-    session_start();
+
+    require('includes/csrf.php');
+
     include_once('../../includes/config.php');
     include_once('../../includes/functions.php');
-    if(isset($_POST['interface']) && isset($_POST['csrf_token']) && CSRFValidate()) {
+    if(isset($_POST['interface'])) {
         $int = $_POST['interface'];
         $cfg = [];
         $file = $int.".ini";
diff --git a/includes/admin.php b/includes/admin.php
index b335f6be..e58ac4d9 100755
--- a/includes/admin.php
+++ b/includes/admin.php
@@ -6,34 +6,30 @@ function DisplayAuthConfig($username, $password)
 {
     $status = new StatusMessages();
     if (isset($_POST['UpdateAdminPassword'])) {
-        if (CSRFValidate()) {
-            if (password_verify($_POST['oldpass'], $password)) {
-                $new_username=trim($_POST['username']);
-                if ($_POST['newpass'] !== $_POST['newpassagain']) {
-                    $status->addMessage('New passwords do not match', 'danger');
-                } elseif ($new_username == '') {
-                    $status->addMessage('Username must not be empty', 'danger');
-                } else {
-                    if (!file_exists(RASPI_ADMIN_DETAILS)) {
-                        $tmpauth = fopen(RASPI_ADMIN_DETAILS, 'w');
-                        fclose($tmpauth);
-                    }
-
-                    if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) {
-                        fwrite($auth_file, $new_username.PHP_EOL);
-                        fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL);
-                        fclose($auth_file);
-                        $username = $new_username;
-                        $status->addMessage('Admin password updated');
-                    } else {
-                        $status->addMessage('Failed to update admin password', 'danger');
-                    }
-                }
+        if (password_verify($_POST['oldpass'], $password)) {
+            $new_username=trim($_POST['username']);
+            if ($_POST['newpass'] !== $_POST['newpassagain']) {
+                $status->addMessage('New passwords do not match', 'danger');
+            } elseif ($new_username == '') {
+                $status->addMessage('Username must not be empty', 'danger');
             } else {
-                $status->addMessage('Old password does not match', 'danger');
+                if (!file_exists(RASPI_ADMIN_DETAILS)) {
+                    $tmpauth = fopen(RASPI_ADMIN_DETAILS, 'w');
+                    fclose($tmpauth);
+                }
+
+                if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) {
+                    fwrite($auth_file, $new_username.PHP_EOL);
+                    fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL);
+                    fclose($auth_file);
+                    $username = $new_username;
+                    $status->addMessage('Admin password updated');
+                } else {
+                    $status->addMessage('Failed to update admin password', 'danger');
+                }
             }
         } else {
-            error_log('CSRF violation');
+            $status->addMessage('Old password does not match', 'danger');
         }
     }
 ?>
@@ -44,7 +40,7 @@ function DisplayAuthConfig($username, $password)
         <div class="panel-body">
           <p><?php $status->showMessages(); ?></p>
           <form role="form" action="?page=auth_conf" method="POST">
-            <?php CSRFToken() ?>
+            <?php echo CSRFTokenFieldTag() ?>
             <div class="row">
               <div class="form-group col-md-4">
                 <label for="username"><?php echo _("Username"); ?></label>
diff --git a/includes/configure_client.php b/includes/configure_client.php
index 8c3f08b3..1253de82 100755
--- a/includes/configure_client.php
+++ b/includes/configure_client.php
@@ -53,7 +53,7 @@ function DisplayWPAConfig()
     if (isset($_POST['connect'])) {
         $result = 0;
         exec('sudo wpa_cli -i ' . RASPI_WPA_CTRL_INTERFACE . ' select_network '.strval($_POST['connect']));
-    } elseif (isset($_POST['client_settings']) && CSRFValidate()) {
+    } elseif (isset($_POST['client_settings'])) {
         $tmp_networks = $networks;
         if ($wpa_file = fopen('/tmp/wifidata', 'w')) {
             fwrite($wpa_file, 'ctrl_interface=DIR=' . RASPI_WPA_CTRL_INTERFACE . ' GROUP=netdev' . PHP_EOL);
@@ -182,7 +182,7 @@ function DisplayWPAConfig()
             </div> 
 
             <form method="POST" action="?page=wpa_conf" name="wpa_conf_form">
-                <?php CSRFToken() ?>
+                <?php echo CSRFTokenFieldTag() ?>
               <input type="hidden" name="client_settings" ?>
               <script>
                 function showPassword(index) {
diff --git a/includes/csrf.php b/includes/csrf.php
new file mode 100644
index 00000000..5acb047e
--- /dev/null
+++ b/includes/csrf.php
@@ -0,0 +1,11 @@
+<?php
+
+include_once('includes/functions.php');
+include_once('includes/session.php');
+
+if (csrfValidateRequest() && !CSRFValidate()) {
+  handleInvalidCSRFToken();
+}
+
+ensureCSRFSessionToken();
+header('X-CSRF-Token', $_SESSION['csrf_token']);
diff --git a/includes/dhcp.php b/includes/dhcp.php
index cc5133c1..82e80bec 100755
--- a/includes/dhcp.php
+++ b/includes/dhcp.php
@@ -12,64 +12,60 @@ function DisplayDHCPConfig()
 
     $status = new StatusMessages();
     if (isset($_POST['savedhcpdsettings'])) {
-        if (CSRFValidate()) {
-            $errors = '';
-            define('IFNAMSIZ', 16);
-            if (!preg_match('/^[a-zA-Z0-9]+$/', $_POST['interface']) ||
-            strlen($_POST['interface']) >= IFNAMSIZ) {
-                  $errors .= _('Invalid interface name.').'<br />'.PHP_EOL;
+        $errors = '';
+        define('IFNAMSIZ', 16);
+        if (!preg_match('/^[a-zA-Z0-9]+$/', $_POST['interface']) ||
+        strlen($_POST['interface']) >= IFNAMSIZ) {
+              $errors .= _('Invalid interface name.').'<br />'.PHP_EOL;
+        }
+
+        if (!preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/', $_POST['RangeStart']) &&
+        !empty($_POST['RangeStart'])) {  // allow ''/null ?
+              $errors .= _('Invalid DHCP range start.').'<br />'.PHP_EOL;
+        }
+
+        if (!preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/', $_POST['RangeEnd']) &&
+        !empty($_POST['RangeEnd'])) {  // allow ''/null ?
+              $errors .= _('Invalid DHCP range end.').'<br />'.PHP_EOL;
+        }
+
+        if (!ctype_digit($_POST['RangeLeaseTime']) && $_POST['RangeLeaseTimeUnits'] !== 'infinite') {
+            $errors .= _('Invalid DHCP lease time, not a number.').'<br />'.PHP_EOL;
+        }
+
+        if (!in_array($_POST['RangeLeaseTimeUnits'], array('m', 'h', 'd', 'infinite'))) {
+            $errors .= _('Unknown DHCP lease time unit.').'<br />'.PHP_EOL;
+        }
+
+        $return = 1;
+        if (empty($errors)) {
+            $config = 'interface='.$_POST['interface'].PHP_EOL.
+                  'dhcp-range='.$_POST['RangeStart'].','.$_POST['RangeEnd'].
+                  ',255.255.255.0,';
+            if ($_POST['RangeLeaseTimeUnits'] !== 'infinite') {
+                $config .= $_POST['RangeLeaseTime'];
             }
 
-            if (!preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/', $_POST['RangeStart']) &&
-            !empty($_POST['RangeStart'])) {  // allow ''/null ?
-                  $errors .= _('Invalid DHCP range start.').'<br />'.PHP_EOL;
-            }
+            $config .= $_POST['RangeLeaseTimeUnits'].PHP_EOL;
 
-            if (!preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/', $_POST['RangeEnd']) &&
-            !empty($_POST['RangeEnd'])) {  // allow ''/null ?
-                  $errors .= _('Invalid DHCP range end.').'<br />'.PHP_EOL;
-            }
-
-            if (!ctype_digit($_POST['RangeLeaseTime']) && $_POST['RangeLeaseTimeUnits'] !== 'infinite') {
-                $errors .= _('Invalid DHCP lease time, not a number.').'<br />'.PHP_EOL;
-            }
-
-            if (!in_array($_POST['RangeLeaseTimeUnits'], array('m', 'h', 'd', 'infinite'))) {
-                $errors .= _('Unknown DHCP lease time unit.').'<br />'.PHP_EOL;
-            }
-
-            $return = 1;
-            if (empty($errors)) {
-                $config = 'interface='.$_POST['interface'].PHP_EOL.
-                      'dhcp-range='.$_POST['RangeStart'].','.$_POST['RangeEnd'].
-                      ',255.255.255.0,';
-                if ($_POST['RangeLeaseTimeUnits'] !== 'infinite') {
-                    $config .= $_POST['RangeLeaseTime'];
+            for ($i=0; $i < count($_POST["static_leases"]["mac"]); $i++) {
+                $mac = trim($_POST["static_leases"]["mac"][$i]);
+                $ip  = trim($_POST["static_leases"]["ip"][$i]);
+                if ($mac != "" && $ip != "") {
+                    $config .= "dhcp-host=$mac,$ip".PHP_EOL;
                 }
-
-                $config .= $_POST['RangeLeaseTimeUnits'].PHP_EOL;
-
-                for ($i=0; $i < count($_POST["static_leases"]["mac"]); $i++) {
-                    $mac = trim($_POST["static_leases"]["mac"][$i]);
-                    $ip  = trim($_POST["static_leases"]["ip"][$i]);
-                    if ($mac != "" && $ip != "") {
-                        $config .= "dhcp-host=$mac,$ip".PHP_EOL;
-                    }
-                }
-
-                file_put_contents("/tmp/dhcpddata", $config);
-                system('sudo cp /tmp/dhcpddata '.RASPI_DNSMASQ_CONFIG, $return);
-            } else {
-                $status->addMessage($errors, 'danger');
             }
 
-            if ($return == 0) {
-                $status->addMessage('Dnsmasq configuration updated successfully', 'success');
-            } else {
-                $status->addMessage('Dnsmasq configuration failed to be updated.', 'danger');
-            }
+            file_put_contents("/tmp/dhcpddata", $config);
+            system('sudo cp /tmp/dhcpddata '.RASPI_DNSMASQ_CONFIG, $return);
         } else {
-            error_log('CSRF violation');
+            $status->addMessage($errors, 'danger');
+        }
+
+        if ($return == 0) {
+            $status->addMessage('Dnsmasq configuration updated successfully', 'success');
+        } else {
+            $status->addMessage('Dnsmasq configuration failed to be updated.', 'danger');
         }
     }
 
@@ -77,36 +73,28 @@ function DisplayDHCPConfig()
     $dnsmasq_state = ($dnsmasq[0] > 0);
 
     if (isset($_POST['startdhcpd'])) {
-        if (CSRFValidate()) {
-            if ($dnsmasq_state) {
-                $status->addMessage('dnsmasq already running', 'info');
-            } else {
-                exec('sudo /etc/init.d/dnsmasq start', $dnsmasq, $return);
-                if ($return == 0) {
-                    $status->addMessage('Successfully started dnsmasq', 'success');
-                    $dnsmasq_state = true;
-                } else {
-                    $status->addMessage('Failed to start dnsmasq', 'danger');
-                }
-            }
+        if ($dnsmasq_state) {
+            $status->addMessage('dnsmasq already running', 'info');
         } else {
-            error_log('CSRF violation');
+            exec('sudo /etc/init.d/dnsmasq start', $dnsmasq, $return);
+            if ($return == 0) {
+                $status->addMessage('Successfully started dnsmasq', 'success');
+                $dnsmasq_state = true;
+            } else {
+                $status->addMessage('Failed to start dnsmasq', 'danger');
+            }
         }
     } elseif (isset($_POST['stopdhcpd'])) {
-        if (CSRFValidate()) {
-            if ($dnsmasq_state) {
-                exec('sudo /etc/init.d/dnsmasq stop', $dnsmasq, $return);
-                if ($return == 0) {
-                    $status->addMessage('Successfully stopped dnsmasq', 'success');
-                    $dnsmasq_state = false;
-                } else {
-                    $status->addMessage('Failed to stop dnsmasq', 'danger');
-                }
+        if ($dnsmasq_state) {
+            exec('sudo /etc/init.d/dnsmasq stop', $dnsmasq, $return);
+            if ($return == 0) {
+                $status->addMessage('Successfully stopped dnsmasq', 'success');
+                $dnsmasq_state = false;
             } else {
-                $status->addMessage('dnsmasq already stopped', 'info');
+                $status->addMessage('Failed to stop dnsmasq', 'danger');
             }
         } else {
-            error_log('CSRF violation');
+            $status->addMessage('dnsmasq already stopped', 'info');
         }
     } else {
         if ($dnsmasq_state) {
diff --git a/includes/functions.php b/includes/functions.php
index 06ef2e0f..31286d73 100755
--- a/includes/functions.php
+++ b/includes/functions.php
@@ -54,17 +54,32 @@ function safefilerewrite($fileName, $dataToSave)
     }
 }
 
+/**
+* Saves a CSRF token in the session
+*/
+function ensureCSRFSessionToken()
+{
+    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
+}
+
 /**
 *
 * Add CSRF Token to form
 *
 */
-function CSRFToken()
+function CSRFTokenFieldTag()
 {
-?>
-<input id="csrf_token" type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES);
-; ?>" />
-<?php
+    $token = htmlspecialchars($_SESSION['csrf_token']);
+    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
+}
+
+/**
+* Retuns a CSRF meta tag (for use with xhr, for example)
+*/
+function CSRFMetaTag()
+{
+    $token = htmlspecialchars($_SESSION['csrf_token']);
+    return '<meta name="csrf_token" content="' . $token . '">';
 }
 
 /**
@@ -74,7 +89,19 @@ function CSRFToken()
 */
 function CSRFValidate()
 {
-    if (hash_equals($_POST['csrf_token'], $_SESSION['csrf_token'])) {
+    $post_token   = $_POST['csrf_token'];
+    $header_token = $_SERVER['HTTP_X_CSRF_TOKEN'];
+
+    if (empty($post_token) && empty($header_token)) {
+        return false;
+    }
+
+    $request_token = $post_token;
+    if (empty($post_token)) {
+        $request_token = $header_token;
+    }
+
+    if (hash_equals($_SESSION['csrf_token'], $request_token)) {
         return true;
     } else {
         error_log('CSRF violation');
@@ -82,6 +109,26 @@ function CSRFValidate()
     }
 }
 
+/**
+* Should the request be CSRF-validated?
+*/
+function csrfValidateRequest()
+{
+  $request_method = strtolower($_SERVER['REQUEST_METHOD']);
+  return in_array($request_method, [ "post", "put", "patch", "delete" ]);
+}
+
+/**
+* Handle invalid CSRF
+*/
+function handleInvalidCSRFToken()
+{
+    header('HTTP/1.1 500 Internal Server Error');
+    header('Content-Type: text/plain');
+    echo 'Invalid CSRF token';
+    exit;
+}
+
 /**
 * Test whether array is associative
 */
diff --git a/includes/hostapd.php b/includes/hostapd.php
index 6912bd92..93f1fc6c 100755
--- a/includes/hostapd.php
+++ b/includes/hostapd.php
@@ -22,34 +22,22 @@ function DisplayHostAPDConfig()
     exec("ip -o link show | awk -F': ' '{print $2}'", $interfaces);
 
     if (isset($_POST['SaveHostAPDSettings'])) {
-        if (CSRFValidate()) {
-            SaveHostAPDConfig($arrSecurity, $arrEncType, $arr80211Standard, $interfaces, $status);
-        } else {
-            error_log('CSRF violation');
-        }
+        SaveHostAPDConfig($arrSecurity, $arrEncType, $arr80211Standard, $interfaces, $status);
     } elseif (isset($_POST['StartHotspot'])) {
-        if (CSRFValidate()) {
-            $status->addMessage('Attempting to start hotspot', 'info');
-            if ($arrHostapdConf['WifiAPEnable'] == 1) {
-                exec('sudo /etc/raspap/hostapd/servicestart.sh --interface uap0 --seconds 3', $return);
-            } else {
-                exec('sudo /etc/raspap/hostapd/servicestart.sh --seconds 5', $return);
-            }
-            foreach ($return as $line) {
-                $status->addMessage($line, 'info');
-            }
+        $status->addMessage('Attempting to start hotspot', 'info');
+        if ($arrHostapdConf['WifiAPEnable'] == 1) {
+            exec('sudo /etc/raspap/hostapd/servicestart.sh --interface uap0 --seconds 3', $return);
         } else {
-            error_log('CSRF violation');
+            exec('sudo /etc/raspap/hostapd/servicestart.sh --seconds 5', $return);
+        }
+        foreach ($return as $line) {
+            $status->addMessage($line, 'info');
         }
     } elseif (isset($_POST['StopHotspot'])) {
-        if (CSRFValidate()) {
-            $status->addMessage('Attempting to stop hotspot', 'info');
-            exec('sudo /etc/init.d/hostapd stop', $return);
-            foreach ($return as $line) {
-                $status->addMessage($line, 'info');
-            }
-        } else {
-            error_log('CSRF violation');
+        $status->addMessage('Attempting to stop hotspot', 'info');
+        exec('sudo /etc/init.d/hostapd stop', $return);
+        foreach ($return as $line) {
+            $status->addMessage($line, 'info');
         }
     }
 
@@ -95,7 +83,7 @@ function DisplayHostAPDConfig()
                 <div class="tab-pane fade in active" id="basic">
 
                 <h4><?php echo _("Basic settings") ;?></h4>
-                <?php CSRFToken() ?>
+                <?php echo CSRFTokenFieldTag() ?>
                 <div class="row">
                   <div class="form-group col-md-4">
                     <label for="cbxinterface"><?php echo _("Interface") ;?></label>
diff --git a/includes/networking.php b/includes/networking.php
index 9b728d06..9c330af7 100755
--- a/includes/networking.php
+++ b/includes/networking.php
@@ -16,8 +16,6 @@ function DisplayNetworkingConfig()
     foreach ($interfaces as $interface) {
         exec("ip a show $interface", $$interface);
     }
-
-    CSRFToken();
 ?>
 
 <div class="row">
diff --git a/includes/session.php b/includes/session.php
new file mode 100644
index 00000000..c9c36595
--- /dev/null
+++ b/includes/session.php
@@ -0,0 +1,5 @@
+<?php
+
+if (session_status() == PHP_SESSION_NONE) {
+  session_start();
+}
diff --git a/includes/system.php b/includes/system.php
index 4b27c1d9..617efba6 100755
--- a/includes/system.php
+++ b/includes/system.php
@@ -63,13 +63,9 @@ function DisplaySystem()
     $status = new StatusMessages();
 
     if (isset($_POST['SaveLanguage'])) {
-        if (CSRFValidate()) {
-            if (isset($_POST['locale'])) {
-                $_SESSION['locale'] = $_POST['locale'];
-                $status->addMessage('Language setting saved', 'success');
-            }
-        } else {
-            error_log('CSRF violation');
+        if (isset($_POST['locale'])) {
+            $_SESSION['locale'] = $_POST['locale'];
+            $status->addMessage('Language setting saved', 'success');
         }
     }
 
@@ -204,7 +200,7 @@ if (isset($_POST['system_shutdown'])) {
 
     <div role="tabpanel" class="tab-pane" id="language">
       <h4><?php echo _("Language settings") ;?></h4>
-        <?php CSRFToken() ?>
+        <?php echo CSRFTokenFieldTag() ?>
       <div class="row">
         <div class="form-group col-md-4">
           <label for="code"><?php echo _("Select a language"); ?></label>
diff --git a/index.php b/index.php
index df096b93..d797587a 100755
--- a/index.php
+++ b/index.php
@@ -18,7 +18,7 @@
  * @see        http://sirlagz.net/2013/02/08/raspap-webgui/
  */
 
-session_start();
+require('includes/csrf.php');
 
 include_once('includes/config.php');
 include_once(RASPI_CONFIG.'/raspap.php');
@@ -39,15 +39,6 @@ include_once('includes/about.php');
 $output = $return = 0;
 $page = $_GET['page'];
 
-if (empty($_SESSION['csrf_token'])) {
-    if (function_exists('mcrypt_create_iv')) {
-        $_SESSION['csrf_token'] = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
-    } else {
-        $_SESSION['csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
-    }
-}
-$csrf_token = $_SESSION['csrf_token'];
-
 if (!isset($_COOKIE['theme'])) {
     $theme = "custom.css";
 } else {
@@ -60,6 +51,7 @@ $theme_url = 'dist/css/'.htmlspecialchars($theme, ENT_QUOTES);
 <html lang="en">
   <head>
     <meta charset="utf-8">
+    <?php echo CSRFMetaTag() ?>
     <meta http-equiv="X-UA-Compatible" content="IE=edge">
     <meta name="viewport" content="width=device-width, initial-scale=1">
     <meta name="description" content="">
diff --git a/js/custom.js b/js/custom.js
index 7d8875bf..01c355cf 100644
--- a/js/custom.js
+++ b/js/custom.js
@@ -19,7 +19,7 @@ function createNetmaskAddr(bitCount) {
 }
 
 function loadSummary(strInterface) {
-    $.post('/ajax/networking/get_ip_summary.php',{interface:strInterface,csrf_token:csrf},function(data){
+    $.post('/ajax/networking/get_ip_summary.php',{interface:strInterface},function(data){
         jsonData = JSON.parse(data);
         console.log(jsonData);
         if(jsonData['return'] == 0) {
@@ -50,7 +50,7 @@ function setupTabs() {
 }
 
 function loadCurrentSettings(strInterface) {
-    $.post('/ajax/networking/get_int_config.php',{interface:strInterface,csrf_token:csrf},function(data){
+    $.post('/ajax/networking/get_int_config.php',{interface:strInterface},function(data){
         jsonData = JSON.parse(data);
         $.each(jsonData['output'],function(i,v) {
             var int = v['interface'];
@@ -102,7 +102,6 @@ function saveNetworkSettings(int) {
             }
         });
         arrFormData['interface'] = int;
-        arrFormData['csrf_token'] = csrf;
         $.post('/ajax/networking/save_int_config.php',arrFormData,function(data){
             //console.log(data);
             var jsonData = JSON.parse(data);
@@ -113,7 +112,6 @@ function saveNetworkSettings(int) {
 function applyNetworkSettings() {
         var int = $(this).data('int');
         arrFormData = {};
-        arrFormData['csrf_token'] = csrf;
         arrFormData['generate'] = '';
         $.post('/ajax/networking/gen_int_config.php',arrFormData,function(data){
             console.log(data);
@@ -162,8 +160,22 @@ function setupBtns() {
     });
 }
 
-$().ready(function(){
-    csrf = $('#csrf_token').val();
+function setCSRFTokenHeader(event, xhr, settings) {
+    var csrfToken = $('meta[name=csrf_token]').attr('content');
+    if (/^(POST|PATCH|PUT|DELETE)$/i.test(settings.type)) {
+        xhr.setRequestHeader("X-CSRF-Token", csrfToken);
+    }
+}
+
+function updateCSRFTokens(event, xhr, settings) {
+    var newToken = xhr.getResponseHeader("X-CSRF-Token");
+    if (newToken) {
+        $('meta[name=csrf_token]').attr('content', newToken);
+        $('[name=csrf_token]:input').attr('value', newToken);
+    }
+}
+
+function contentLoaded() {
     pageCurrent = window.location.href.split("?")[1].split("=")[1];
     pageCurrent = pageCurrent.replace("#","");
     $('#side-menu').metisMenu();
@@ -174,6 +186,9 @@ $().ready(function(){
             setupBtns();
         break;
     }
-});
-
+}
 
+$(document)
+    .ajaxSend(setCSRFTokenHeader)
+    .ajaxComplete(updateCSRFTokens)
+    .ready(contentLoaded);