diff --git a/features/cerberusweb.core/templates/contacts/addresses/view.tpl b/features/cerberusweb.core/templates/contacts/addresses/view.tpl
@@ -33,6 +33,8 @@
 <input type="hidden" name="c" value="contacts">
 <input type="hidden" name="a" value="">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.core/templates/contacts/orgs/bulk.tpl b/features/cerberusweb.core/templates/contacts/orgs/bulk.tpl
@@ -3,6 +3,7 @@
 <input type="hidden" name="a" value="doOrgBulkUpdate">
 <input type="hidden" name="view_id" value="{$view_id}">
 <input type="hidden" name="org_ids" value="{$org_ids}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>{'common.bulk_update.with'|devblocks_translate|capitalize}</legend>

diff --git a/features/cerberusweb.core/templates/contacts/orgs/org_merge_continue_peek.tpl b/features/cerberusweb.core/templates/contacts/orgs/org_merge_continue_peek.tpl
@@ -6,6 +6,7 @@
 {foreach from=$orgs item=org key=org_id}
 <input type="hidden" name="org_id[]" value="{$org->id}">
 {/foreach}
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <table cellpadding="3" cellspacing="0" border="0">
 	{foreach from=$combinations item=combo key=property}

diff --git a/features/cerberusweb.core/templates/contacts/orgs/org_merge_peek.tpl b/features/cerberusweb.core/templates/contacts/orgs/org_merge_peek.tpl
@@ -3,6 +3,7 @@
 <input type="hidden" name="c" value="contacts">
 <input type="hidden" name="a" value="showOrgMergeContinuePeek">
 <input type="hidden" name="view_id" value="{$view_id}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <b>Select organizations to merge:</b><br>
 <button type="button" class="chooser_orgs"><span class="glyphicons glyphicons-search"></span></button>

diff --git a/features/cerberusweb.core/templates/contacts/orgs/peek.tpl b/features/cerberusweb.core/templates/contacts/orgs/peek.tpl
@@ -19,6 +19,7 @@
 	<input type="hidden" name="link_context_id" value="{$link_context_id}">
 	{/if}
 	<input type="hidden" name="do_delete" value="0">
+	<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 	<fieldset class="peek">
 		<legend>{'common.properties'|devblocks_translate}</legend>

diff --git a/features/cerberusweb.core/templates/contacts/orgs/view.tpl b/features/cerberusweb.core/templates/contacts/orgs/view.tpl
@@ -32,6 +32,8 @@
 <input type="hidden" name="c" value="contacts">
 <input type="hidden" name="a" value="">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.core/templates/contacts/people/bulk.tpl b/features/cerberusweb.core/templates/contacts/people/bulk.tpl
@@ -3,6 +3,7 @@
 <input type="hidden" name="a" value="doPeopleBulkUpdate">
 <input type="hidden" name="view_id" value="{$view_id}">
 <input type="hidden" name="ids" value="{$ids}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>{'common.bulk_update.with'|devblocks_translate|capitalize}</legend>

diff --git a/features/cerberusweb.core/templates/contacts/people/peek.tpl b/features/cerberusweb.core/templates/contacts/people/peek.tpl
@@ -8,6 +8,7 @@
 <input type="hidden" name="context_id" value="{$context_id}">
 {/if}
 <input type="hidden" name="do_delete" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>{'common.properties'|devblocks_translate}</legend>

diff --git a/features/cerberusweb.core/templates/contacts/people/view.tpl b/features/cerberusweb.core/templates/contacts/people/view.tpl
@@ -32,6 +32,8 @@
 <input type="hidden" name="c" value="contacts">
 <input type="hidden" name="a" value="">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.core/templates/context_links/choosers/__file.tpl b/features/cerberusweb.core/templates/context_links/choosers/__file.tpl
@@ -1,6 +1,7 @@
 <form action="{devblocks_url}{/devblocks_url}" method="POST" enctype="multipart/form-data" target="iframe_file_post" id="chooserFileUploadForm">
 <input type="hidden" name="c" value="internal">
 <input type="hidden" name="a" value="chooserOpenFileUpload">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>{if $single}{'common.upload.file'|devblocks_translate|capitalize}{else}{'common.upload.files'|devblocks_translate|capitalize}{/if}</legend>

diff --git a/features/cerberusweb.core/templates/context_links/choosers/__generic.tpl b/features/cerberusweb.core/templates/context_links/choosers/__generic.tpl
@@ -7,6 +7,7 @@
 {include file="devblocks:cerberusweb.core::internal/views/search_and_view.tpl" view=$view}
 
 <form action="#" method="POST" id="chooser{$view->id}" style="{if $single}display:none;{/if}}">
+	<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 	<b>Selected:</b>
 	<ul class="buffer bubbles"></ul>
 	<br>

diff --git a/features/cerberusweb.core/templates/display/modules/conversation/message.tpl b/features/cerberusweb.core/templates/display/modules/conversation/message.tpl
@@ -148,6 +148,7 @@
 		  		<input type="hidden" name="c" value="display">
 		  		<input type="hidden" name="a" value="">
 		  		<input type="hidden" name="id" value="{$message->id}">
+		  		<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 		  		<button type="button" onclick="document.frmPrint.action='{devblocks_url}c=print&a=message&id={$message->id}{/devblocks_url}';document.frmPrint.submit();"><span class="glyphicons glyphicons-print"></span> {'common.print'|devblocks_translate|capitalize}</button>
 

diff --git a/features/cerberusweb.core/templates/display/modules/history/index.tpl b/features/cerberusweb.core/templates/display/modules/history/index.tpl
@@ -3,6 +3,8 @@
 	<input type="hidden" name="c" value="display">
 	<input type="hidden" name="a" value="">
 	<input type="hidden" name="id" value="{$ticket->id}">
+	<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 		<b>History for:</b> 
 		<label><input type="radio" name="scope" value="email" onclick="this.form.a.value='doTicketHistoryScope';this.form.submit();" {if empty($scope) || 'email'==$scope}checked="checked"{/if}> {'ticket.requesters'|devblocks_translate|capitalize}</label>
 		{if !empty($ticket->org_id)}<label><input type="radio" name="scope" value="org" onclick="this.form.a.value='doTicketHistoryScope';this.form.submit();" {if 'org'==$scope}checked="checked"{/if}> {'contact_org.name'|devblocks_translate|capitalize}</label>{/if}

diff --git a/features/cerberusweb.core/templates/display/rpc/add_note.tpl b/features/cerberusweb.core/templates/display/rpc/add_note.tpl
@@ -3,6 +3,7 @@
 <input type="hidden" name="a" value="doAddNote">
 <input type="hidden" name="id" value="{$message->id}">
 <input type="hidden" name="ticket_id" value="{$message->ticket_id}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <div class="block" style="width:98%;margin:10px;">
 <table cellpadding="2" cellspacing="0" border="0" width="100%">

diff --git a/features/cerberusweb.core/templates/display/rpc/merge_panel.tpl b/features/cerberusweb.core/templates/display/rpc/merge_panel.tpl
@@ -2,6 +2,7 @@
 <input type="hidden" name="c" value="display">
 <input type="hidden" name="a" value="saveMergePanel">
 <input type="hidden" name="src_ticket_id" value="{$ticket_id}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <b>Merge with tickets:</b><br>
 <button type="button" class="chooser_ticket"><span class="glyphicons glyphicons-search"></span></button>

diff --git a/features/cerberusweb.core/templates/display/rpc/relay_message.tpl b/features/cerberusweb.core/templates/display/rpc/relay_message.tpl
@@ -4,6 +4,7 @@
 <input type="hidden" name="c" value="display">
 <input type="hidden" name="a" value="saveRelayMessagePopup">
 <input type="hidden" name="id" value="{$message->id}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>Message contents</legend>

diff --git a/features/cerberusweb.core/templates/display/rpc/reply.tpl b/features/cerberusweb.core/templates/display/rpc/reply.tpl
@@ -1,6 +1,7 @@
 <div class="block reply_frame" style="width:98%;margin:10px;">
 
 <form id="reply{$message->id}_part1" onsubmit="return false;">
+
 <table cellpadding="2" cellspacing="0" border="0" width="100%">
 	<tr>
 		<td><h2 style="color:rgb(50,50,50);">{if $is_forward}{'display.ui.forward'|devblocks_translate|capitalize}{else}{'display.ui.reply'|devblocks_translate|capitalize}{/if}</h2></td>
@@ -171,6 +172,7 @@
 <input type="hidden" name="cc" value="{$cc}">
 <input type="hidden" name="bcc" value="{$bcc}">
 <input type="hidden" name="subject" value="{$subject}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 {if $is_forward}
 <textarea name="content" id="reply_{$message->id}" class="reply" style="width:98%;height:{$mail_reply_textbox_size_px|default:300}px;border:1px solid rgb(180,180,180);padding:5px;">

diff --git a/features/cerberusweb.core/templates/display/rpc/requester_panel.tpl b/features/cerberusweb.core/templates/display/rpc/requester_panel.tpl
@@ -2,6 +2,7 @@
 <input type="hidden" name="c" value="display">
 <input type="hidden" name="a" value="saveRequestersPanel">
 <input type="hidden" name="ticket_id" value="{$ticket_id}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <b>{'display.ui.add_to_recipients'|devblocks_translate}:</b><br>
 <button type="button" class="chooser_address"><span class="glyphicons glyphicons-circle-plus" style="color:rgb(0,180,0);"></span></button>

diff --git a/features/cerberusweb.core/templates/groups/peek.tpl b/features/cerberusweb.core/templates/groups/peek.tpl
@@ -6,6 +6,7 @@
 <input type="hidden" name="view_id" value="{$view_id}">
 {if !empty($group) && !empty($group->id)}<input type="hidden" name="id" value="{$group->id}">{/if}
 <input type="hidden" name="do_delete" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <table cellpadding="2" cellspacing="0" border="0" width="98%">
 

diff --git a/features/cerberusweb.core/templates/groups/view.tpl b/features/cerberusweb.core/templates/groups/view.tpl
@@ -32,6 +32,8 @@
 <input type="hidden" name="section" value="group">
 <input type="hidden" name="action" value="">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="5" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.core/templates/header.tpl b/features/cerberusweb.core/templates/header.tpl
@@ -5,6 +5,7 @@
 	<meta http-equiv="Cache-Control" content="no-cache">
 	<meta name="robots" content="noindex">
 	<meta name="googlebot" content="noindex">
+	<meta name="_csrf_token" content="{$session.csrf_token}">
 	<!--[if gte IE 9]>
 	<meta http-equiv="X-UA-Compatible" content="IE=Edge"/>
 	<![endif]-->

diff --git a/features/cerberusweb.core/templates/internal/activity_log/view.tpl b/features/cerberusweb.core/templates/internal/activity_log/view.tpl
@@ -27,6 +27,8 @@
 <input type="hidden" name="context_id" value="{$view_context}">
 <input type="hidden" name="c" value="internal">
 <input type="hidden" name="a" value="">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.core/templates/internal/bucket/peek.tpl b/features/cerberusweb.core/templates/internal/bucket/peek.tpl
@@ -6,6 +6,7 @@
 <input type="hidden" name="view_id" value="{$view_id}">
 {if !empty($bucket) && !empty($bucket->id)}<input type="hidden" name="id" value="{$bucket->id}">{/if}
 <input type="hidden" name="do_delete" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <table cellpadding="2" cellspacing="0" border="0" width="98%">
 	<tr>

diff --git a/features/cerberusweb.core/templates/internal/bucket/view.tpl b/features/cerberusweb.core/templates/internal/bucket/view.tpl
@@ -33,6 +33,8 @@
 <input type="hidden" name="section" value="bucket">
 <input type="hidden" name="action" value="">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="5" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.core/templates/internal/calendar/peek.tpl b/features/cerberusweb.core/templates/internal/calendar/peek.tpl
@@ -6,6 +6,7 @@
 <input type="hidden" name="view_id" value="{$view_id}">
 {if !empty($model) && !empty($model->id)}<input type="hidden" name="id" value="{$model->id}">{/if}
 <input type="hidden" name="do_delete" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <table cellspacing="0" cellpadding="2" border="0" width="98%" style="margin-bottom:10px;">
 	<tr>

diff --git a/features/cerberusweb.core/templates/internal/calendar/tab_availability.tpl b/features/cerberusweb.core/templates/internal/calendar/tab_availability.tpl
@@ -1,11 +1,13 @@
 {$guid = uniqid()}
 
 {if empty($calendar) && $context == CerberusContexts::CONTEXT_WORKER && $context_id == $active_worker->id}
-<form action="{devblocks_url}{/devblocks_url}">
+<form action="{devblocks_url}{/devblocks_url}" method="post">
 <input type="hidden" name="c" value="profiles">
 <input type="hidden" name="a" value="handleSectionAction">
 <input type="hidden" name="section" value="worker">
 <input type="hidden" name="action" value="setAvailabilityCalendar">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <div class="help-box" style="padding:5px;border:0;">
 	<h1 style="margin-bottom:5px;text-align:left;">Configure your availability calendar</h1>
 

diff --git a/features/cerberusweb.core/templates/internal/calendar/view.tpl b/features/cerberusweb.core/templates/internal/calendar/view.tpl
@@ -33,6 +33,8 @@
 <input type="hidden" name="section" value="calendar">
 <input type="hidden" name="action" value="">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.core/templates/internal/calendar_event/peek.tpl b/features/cerberusweb.core/templates/internal/calendar_event/peek.tpl
@@ -15,6 +15,7 @@
 <input type="hidden" name="link_context" value="{$link_context}">
 <input type="hidden" name="link_context_id" value="{$link_context_id}">
 {/if}
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <table cellpadding="0" cellspacing="2" border="0" width="98%">
 	<tr>

diff --git a/features/cerberusweb.core/templates/internal/calendar_event/view.tpl b/features/cerberusweb.core/templates/internal/calendar_event/view.tpl
@@ -30,6 +30,8 @@
 <input type="hidden" name="c" value="internal">
 <input type="hidden" name="a" value="">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.core/templates/internal/calendar_recurring_profile/peek.tpl b/features/cerberusweb.core/templates/internal/calendar_recurring_profile/peek.tpl
@@ -9,6 +9,7 @@
 {/if}
 {if !empty($model) && !empty($model->id)}<input type="hidden" name="id" value="{$model->id}">{/if}
 <input type="hidden" name="do_delete" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <table cellpadding="0" cellspacing="2" border="0" width="98%">
 	<tr>

diff --git a/features/cerberusweb.core/templates/internal/calendar_recurring_profile/view.tpl b/features/cerberusweb.core/templates/internal/calendar_recurring_profile/view.tpl
@@ -33,6 +33,8 @@
 <input type="hidden" name="section" value="calendar_recurring_profile">
 <input type="hidden" name="action" value="">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.core/templates/internal/comments/peek.tpl b/features/cerberusweb.core/templates/internal/comments/peek.tpl
@@ -3,6 +3,7 @@
 <input type="hidden" name="a" value="commentSavePopup">
 <input type="hidden" name="context" value="{$context}">
 <input type="hidden" name="context_id" value="{$context_id}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <b>Author:</b> {$active_worker->getName()}
 <div>

diff --git a/features/cerberusweb.core/templates/internal/comments/view.tpl b/features/cerberusweb.core/templates/internal/comments/view.tpl
@@ -31,6 +31,8 @@
 <input type="hidden" name="section" value="comment">
 <input type="hidden" name="action" value="">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.core/templates/internal/custom_fieldsets/peek.tpl b/features/cerberusweb.core/templates/internal/custom_fieldsets/peek.tpl
@@ -14,6 +14,7 @@
 <input type="hidden" name="id" value="{$custom_fieldset->id}">
 <input type="hidden" name="view_id" value="{$view_id}">
 <input type="hidden" name="do_delete" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek cfield-props">
 	<legend>{'common.properties'|devblocks_translate|capitalize}</legend>

diff --git a/features/cerberusweb.core/templates/internal/custom_fieldsets/view.tpl b/features/cerberusweb.core/templates/internal/custom_fieldsets/view.tpl
@@ -28,6 +28,8 @@
 <input type="hidden" name="context_id" value="cerberusweb.contexts.custom_fieldset">
 <input type="hidden" name="c" value="tickets">
 <input type="hidden" name="a" value="">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="5" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.core/templates/internal/decisions/editors/_move.tpl b/features/cerberusweb.core/templates/internal/decisions/editors/_move.tpl
@@ -3,6 +3,7 @@
 <input type="hidden" name="a" value="saveDecisionMovePopup">
 {if isset($node)}<input type="hidden" name="id" value="{$node->id}">{/if}
 {if isset($trigger)}<input type="hidden" name="trigger_id" value="{$trigger->id}">{/if}
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset>
 	<legend>Move</legend>

diff --git a/features/cerberusweb.core/templates/internal/decisions/editors/_reorder.tpl b/features/cerberusweb.core/templates/internal/decisions/editors/_reorder.tpl
@@ -3,6 +3,7 @@
 <input type="hidden" name="a" value="saveDecisionReorderPopup">
 {if isset($node)}<input type="hidden" name="id" value="{$node->id}">{/if}
 {if isset($trigger)}<input type="hidden" name="trigger_id" value="{$trigger->id}">{/if}
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset>
 	<legend>{if !empty($node)}{$node->title}{elseif !empty($trigger)}{$trigger->event_point}{/if}</legend>

diff --git a/features/cerberusweb.core/templates/internal/decisions/editors/action.tpl b/features/cerberusweb.core/templates/internal/decisions/editors/action.tpl
@@ -5,6 +5,7 @@
 {if isset($parent_id)}<input type="hidden" name="parent_id" value="{$parent_id}">{/if}
 {if isset($type)}<input type="hidden" name="type" value="{$type}">{/if}
 {if isset($trigger_id)}<input type="hidden" name="trigger_id" value="{$trigger_id}">{/if}
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <b>{'common.title'|devblocks_translate|capitalize}:</b><br>
 <input type="text" name="title" value="{$model->title}" style="width:100%;"><br>
@@ -69,6 +70,8 @@
 <input type="hidden" name="seq" value="{if !is_null($seq)}{$seq+1}{else}0{/if}">
 <input type="hidden" name="action" value="">
 {if isset($trigger_id)}<input type="hidden" name="trigger_id" value="{$trigger_id}">{/if}
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <fieldset>
 	<legend>Add Action</legend>
 

diff --git a/features/cerberusweb.core/templates/internal/decisions/editors/outcome.tpl b/features/cerberusweb.core/templates/internal/decisions/editors/outcome.tpl
@@ -5,6 +5,7 @@
 {if isset($parent_id)}<input type="hidden" name="parent_id" value="{$parent_id}">{/if}
 {if isset($type)}<input type="hidden" name="type" value="{$type}">{/if}
 {if isset($trigger_id)}<input type="hidden" name="trigger_id" value="{$trigger_id}">{/if}
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <b>{'common.title'|devblocks_translate|capitalize}:</b><br>
 <input type="text" name="title" value="{$model->title}" style="width:100%;"><br>
@@ -80,6 +81,8 @@
 <input type="hidden" name="seq" value="{$seq}">
 <input type="hidden" name="condition" value="">
 {if isset($trigger_id)}<input type="hidden" name="trigger_id" value="{$trigger_id}">{/if}
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <fieldset>
 	<legend>Add Condition</legend>
 

diff --git a/features/cerberusweb.core/templates/internal/decisions/editors/simulate.tpl b/features/cerberusweb.core/templates/internal/decisions/editors/simulate.tpl
@@ -4,6 +4,7 @@
 {if isset($node)}<input type="hidden" name="id" value="{$node->id}">{/if}
 {if isset($trigger)}<input type="hidden" name="trigger_id" value="{$trigger->id}">{/if}
 <input type="hidden" name="event_params_json" value="{$event_params_json}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 {* Target *}
 

diff --git a/features/cerberusweb.core/templates/internal/decisions/editors/switch.tpl b/features/cerberusweb.core/templates/internal/decisions/editors/switch.tpl
@@ -5,6 +5,7 @@
 {if isset($parent_id)}<input type="hidden" name="parent_id" value="{$parent_id}">{/if}
 {if isset($type)}<input type="hidden" name="type" value="{$type}">{/if}
 {if isset($trigger_id)}<input type="hidden" name="trigger_id" value="{$trigger_id}">{/if}
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <b>{'common.title'|devblocks_translate|capitalize}:</b><br>
 <input type="text" name="title" value="{$model->title}" style="width:100%;"><br>

diff --git a/features/cerberusweb.core/templates/internal/decisions/editors/trigger.tpl b/features/cerberusweb.core/templates/internal/decisions/editors/trigger.tpl
@@ -7,6 +7,7 @@
 {if empty($trigger->id)}
 <input type="hidden" name="va_id" value="{$va->id}">
 {/if}
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <div>
 	<b>{'common.title'|devblocks_translate|capitalize}:</b><br>
@@ -116,6 +117,7 @@
 		<input type="hidden" name="c" value="internal">
 		<input type="hidden" name="a" value="">
 		<input type="hidden" name="va_id" value="{$va->id}">
+		<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 		<div class="import">
 			<b>Import:</b> (.json format)

diff --git a/features/cerberusweb.core/templates/internal/file_bundle/peek.tpl b/features/cerberusweb.core/templates/internal/file_bundle/peek.tpl
@@ -6,6 +6,7 @@
 <input type="hidden" name="view_id" value="{$view_id}">
 {if !empty($model) && !empty($model->id)}<input type="hidden" name="id" value="{$model->id}">{/if}
 <input type="hidden" name="do_delete" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>{'common.properties'|devblocks_translate}</legend>

diff --git a/features/cerberusweb.core/templates/internal/file_bundle/view.tpl b/features/cerberusweb.core/templates/internal/file_bundle/view.tpl
@@ -33,6 +33,8 @@
 <input type="hidden" name="section" value="file_bundle">
 <input type="hidden" name="action" value="">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.core/templates/internal/import/popup_mapping.tpl b/features/cerberusweb.core/templates/internal/import/popup_mapping.tpl
@@ -4,6 +4,7 @@
 <input type="hidden" name="a" value="doImport">
 <input type="hidden" name="context" value="{$context}">
 <input type="hidden" name="view_id" value="{$view_id}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset>
 	<legend>Associate Fields with Import Columns</legend>

diff --git a/features/cerberusweb.core/templates/internal/import/popup_upload.tpl b/features/cerberusweb.core/templates/internal/import/popup_upload.tpl
@@ -3,6 +3,7 @@
 <input type="hidden" name="a" value="parseImportFile">
 <input type="hidden" name="context" value="{$context}">
 <input type="hidden" name="view_id" value="{$view_id}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset>
 	<legend>Upload File</legend>

diff --git a/features/cerberusweb.core/templates/internal/macros/display/scheduler_popup.tpl b/features/cerberusweb.core/templates/internal/macros/display/scheduler_popup.tpl
@@ -12,6 +12,7 @@
 <input type="hidden" name="a" value="saveMacroSchedulerPopup">
 <input type="hidden" name="job_id" value="{$job->id}">
 {/if}
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <b>Behavior:</b><br>
 {if !empty($macro->title)}

diff --git a/features/cerberusweb.core/templates/internal/macros/reply/run_popup.tpl b/features/cerberusweb.core/templates/internal/macros/reply/run_popup.tpl
@@ -4,6 +4,7 @@
 <input type="hidden" name="macro" value="{$macro->id}">
 <input type="hidden" name="ticket_id" value="{$ticket_id}">
 <input type="hidden" name="message_id" value="{$message_id}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <b>Behavior:</b><br>
 {if !empty($macro->title)}

diff --git a/features/cerberusweb.core/templates/internal/mail_transport/peek.tpl b/features/cerberusweb.core/templates/internal/mail_transport/peek.tpl
@@ -2,6 +2,7 @@
 <input type="hidden" name="view_id" value="{$view_id}">
 {if !empty($model) && !empty($model->id)}<input type="hidden" name="id" value="{$model->id}">{/if}
 <input type="hidden" name="do_delete" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek" style="margin-bottom:0px;">
 	<legend>{'common.properties'|devblocks_translate}</legend>

diff --git a/features/cerberusweb.core/templates/internal/mail_transport/view.tpl b/features/cerberusweb.core/templates/internal/mail_transport/view.tpl
@@ -32,6 +32,8 @@
 <input type="hidden" name="section" value="mail_transport">
 <input type="hidden" name="action" value="">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="5" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.core/templates/internal/mailbox/peek.tpl b/features/cerberusweb.core/templates/internal/mailbox/peek.tpl
@@ -6,6 +6,7 @@
 <input type="hidden" name="view_id" value="{$view_id}">
 {if !empty($model) && !empty($model->id)}<input type="hidden" name="id" value="{$model->id}">{/if}
 <input type="hidden" name="do_delete" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>{'common.properties'|devblocks_translate}</legend>

diff --git a/features/cerberusweb.core/templates/internal/mailbox/view.tpl b/features/cerberusweb.core/templates/internal/mailbox/view.tpl
@@ -33,6 +33,8 @@
 <input type="hidden" name="section" value="mailbox">
 <input type="hidden" name="action" value="">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.core/templates/internal/messages/peek.tpl b/features/cerberusweb.core/templates/internal/messages/peek.tpl
@@ -4,6 +4,7 @@
 <input type="hidden" name="view_id" value="{$view_id}">
 {if !empty($model) && !empty($model->id)}<input type="hidden" name="id" value="{$model->id}">{/if}
 <input type="hidden" name="do_delete" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 {$ticket = $model->getTicket()}
 {$headers = $model->getHeaders()}

diff --git a/features/cerberusweb.core/templates/internal/recommendations/context_recommend_peek.tpl b/features/cerberusweb.core/templates/internal/recommendations/context_recommend_peek.tpl
@@ -13,6 +13,7 @@
 	<input type="hidden" name="context_id" value="{$context_id}">
 	<input type="hidden" name="group_id" value="{$group_id}">
 	<input type="hidden" name="bucket_id" value="{$bucket_id}">
+	<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 	<div style="margin-bottom:10px;">
 	{include file="devblocks:cerberusweb.core::internal/workers/worker_picker_container.tpl" context=$context context_id=$context_id}

diff --git a/features/cerberusweb.core/templates/internal/responsibilities/peek_by_group_editable.tpl b/features/cerberusweb.core/templates/internal/responsibilities/peek_by_group_editable.tpl
@@ -5,6 +5,7 @@
 <input type="hidden" name="action" value="saveResponsibilitiesPopup">
 <input type="hidden" name="context" value="{CerberusContexts::CONTEXT_GROUP}">
 <input type="hidden" name="context_id" value="{$group->id}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 {foreach from=$buckets item=bucket}
 	<fieldset class="peek cerb-delta-slider-container" style="display:inline-block;">

diff --git a/features/cerberusweb.core/templates/internal/skills/peek.tpl b/features/cerberusweb.core/templates/internal/skills/peek.tpl
@@ -6,6 +6,7 @@
 <input type="hidden" name="view_id" value="{$view_id}">
 {if !empty($model) && !empty($model->id)}<input type="hidden" name="id" value="{$model->id}">{/if}
 <input type="hidden" name="do_delete" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>{'common.properties'|devblocks_translate}</legend>

diff --git a/features/cerberusweb.core/templates/internal/skills/view.tpl b/features/cerberusweb.core/templates/internal/skills/view.tpl
@@ -33,6 +33,8 @@
 <input type="hidden" name="section" value="skill">
 <input type="hidden" name="action" value="">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="5" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.core/templates/internal/skillsets/chooser_popup.tpl b/features/cerberusweb.core/templates/internal/skillsets/chooser_popup.tpl
@@ -5,6 +5,7 @@
 <input type="hidden" name="action" value="saveSkillsForContext">
 <input type="hidden" name="context" value="{$context}">
 <input type="hidden" name="context_id" value="{$context_id}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 {include file="devblocks:cerberusweb.core::internal/skillsets/fieldsets_and_menu.tpl" skill_labels=$skill_labels skillsets_linked=$skillsets}
 

diff --git a/features/cerberusweb.core/templates/internal/skillsets/peek.tpl b/features/cerberusweb.core/templates/internal/skillsets/peek.tpl
@@ -6,6 +6,7 @@
 <input type="hidden" name="view_id" value="{$view_id}">
 {if !empty($model) && !empty($model->id)}<input type="hidden" name="id" value="{$model->id}">{/if}
 <input type="hidden" name="do_delete" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>{'common.properties'|devblocks_translate}</legend>

diff --git a/features/cerberusweb.core/templates/internal/skillsets/tab_editable.tpl b/features/cerberusweb.core/templates/internal/skillsets/tab_editable.tpl
@@ -6,6 +6,7 @@
 <input type="hidden" name="action" value="saveSkillsForContext">
 <input type="hidden" name="context" value="{$context}">
 <input type="hidden" name="context_id" value="{$context_id}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 {include file="devblocks:cerberusweb.core::internal/skillsets/fieldsets_and_menu.tpl" skill_labels=$skill_labels skillsets_linked=$skillsets}
 

diff --git a/features/cerberusweb.core/templates/internal/skillsets/view.tpl b/features/cerberusweb.core/templates/internal/skillsets/view.tpl
@@ -33,6 +33,8 @@
 <input type="hidden" name="section" value="skillset">
 <input type="hidden" name="action" value="">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="5" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.core/templates/internal/snippets/bulk.tpl b/features/cerberusweb.core/templates/internal/snippets/bulk.tpl
@@ -3,6 +3,7 @@
 <input type="hidden" name="a" value="doSnippetBulkUpdate">
 <input type="hidden" name="view_id" value="{$view_id}">
 <input type="hidden" name="ids" value="{$ids}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>{'common.bulk_update.with'|devblocks_translate|capitalize}</legend>

diff --git a/features/cerberusweb.core/templates/internal/snippets/paste_placeholders.tpl b/features/cerberusweb.core/templates/internal/snippets/paste_placeholders.tpl
@@ -3,6 +3,7 @@
 <input type="hidden" name="a" value="snippetPlaceholdersPreview">
 <input type="hidden" name="id" value="{$snippet->id}">
 <input type="hidden" name="context_id" value="{$context_id}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek" style="margin-bottom:5px;">
 	<legend>Fill in the blanks:</legend>

diff --git a/features/cerberusweb.core/templates/internal/snippets/peek.tpl b/features/cerberusweb.core/templates/internal/snippets/peek.tpl
@@ -4,6 +4,7 @@
 <input type="hidden" name="id" value="{$snippet->id}">
 <input type="hidden" name="view_id" value="{$view_id}">
 <input type="hidden" name="do_delete" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>{'common.properties'|devblocks_translate|capitalize}</legend>

diff --git a/features/cerberusweb.core/templates/internal/snippets/views/default.tpl b/features/cerberusweb.core/templates/internal/snippets/views/default.tpl
@@ -29,6 +29,8 @@
 <input type="hidden" name="context_id" value="cerberusweb.contexts.snippet">
 <input type="hidden" name="c" value="tickets">
 <input type="hidden" name="a" value="">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="5" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.core/templates/internal/tour/banner.tpl b/features/cerberusweb.core/templates/internal/tour/banner.tpl
@@ -11,6 +11,7 @@
 			<form action="{devblocks_url}{/devblocks_url}" method="post" name="tourForm">
 				<input type="hidden" name="c" value="internal">
 				<input type="hidden" name="a" value="doStopTour">
+				<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 				<a href="javascript:;" onclick="$('#tourDiv').fadeOut();genericAjaxGet('','c=internal&a=doStopTour');">hide this</a>
 				&nbsp;
 			</form>

diff --git a/features/cerberusweb.core/templates/internal/va/peek.tpl b/features/cerberusweb.core/templates/internal/va/peek.tpl
@@ -6,6 +6,7 @@
 <input type="hidden" name="view_id" value="{$view_id}">
 {if !empty($model) && !empty($model->id)}<input type="hidden" name="id" value="{$model->id}">{/if}
 <input type="hidden" name="do_delete" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>{'common.properties'|devblocks_translate}</legend>

diff --git a/features/cerberusweb.core/templates/internal/va/scheduled_behavior/view.tpl b/features/cerberusweb.core/templates/internal/va/scheduled_behavior/view.tpl
@@ -20,6 +20,8 @@
 <input type="hidden" name="context_id" value="cerberusweb.contexts.group">
 <input type="hidden" name="c" value="config">
 <input type="hidden" name="a" value="">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="5" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.core/templates/internal/va/view.tpl b/features/cerberusweb.core/templates/internal/va/view.tpl
@@ -33,6 +33,8 @@
 <input type="hidden" name="section" value="virtual_attendant">
 <input type="hidden" name="action" value="">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.core/templates/internal/views/copy.tpl b/features/cerberusweb.core/templates/internal/views/copy.tpl
@@ -1,5 +1,6 @@
 <form action="{devblocks_url}{/devblocks_url}" method="post" id="frmCopy{$view->id}" onsubmit="return false;">
 <input type="hidden" name="view_id" value="{$view_id}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <H2>Copy Worklist</H2>
 

diff --git a/features/cerberusweb.core/templates/internal/views/search_and_view.tpl b/features/cerberusweb.core/templates/internal/views/search_and_view.tpl
@@ -3,6 +3,7 @@
 <input type="hidden" name="c" value="internal">
 <input type="hidden" name="a" value="">
 <input type="hidden" name="id" value="{$view->id}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <div id="viewCustomFilters{$view->id}">
 {include file="devblocks:cerberusweb.core::internal/views/customize_view_criteria.tpl"}

diff --git a/features/cerberusweb.core/templates/internal/views/view_export.tpl b/features/cerberusweb.core/templates/internal/views/view_export.tpl
@@ -3,6 +3,7 @@
 <input type="hidden" name="a" value="viewDoExport">
 <input type="hidden" name="view_id" value="{$view_id}">
 <input type="hidden" name="cursor_key" value="">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <div class="export-settings">
 

diff --git a/features/cerberusweb.core/templates/internal/watchers/context_follow_peek.tpl b/features/cerberusweb.core/templates/internal/watchers/context_follow_peek.tpl
@@ -13,6 +13,7 @@
 	<input type="hidden" name="context_id" value="{$context_id}">
 	<input type="hidden" name="group_id" value="{$group_id}">
 	<input type="hidden" name="bucket_id" value="{$bucket_id}">
+	<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 	<div style="margin-bottom:10px;">
 	{include file="devblocks:cerberusweb.core::internal/workers/worker_picker_container.tpl" context=$context context_id=$context_id}

diff --git a/features/cerberusweb.core/templates/internal/workspaces/tabs/calendar/tab.tpl b/features/cerberusweb.core/templates/internal/workspaces/tabs/calendar/tab.tpl
@@ -13,6 +13,8 @@
 {$guid = uniqid()}
 
 <form id="frm{$guid}" action="#" style="margin-bottom:5px;width:98%;">
+	<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 	<div style="float:left;">
 		<span style="font-weight:bold;font-size:150%;">{$calendar_properties.calendar_date|devblocks_date:'F Y'}</span>
 		<span style="margin-left:10px;">

diff --git a/features/cerberusweb.core/templates/internal/workspaces/tabs/worklists/tab.tpl b/features/cerberusweb.core/templates/internal/workspaces/tabs/worklists/tab.tpl
@@ -1,5 +1,6 @@
 {if empty($worklists)}
 <form action="#" onsubmit="return false;">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 <div class="help-box" style="padding:5px;border:0;">
 	<h1 style="margin-bottom:5px;text-align:left;">Let's put this workspace to good use</h1>
 

diff --git a/features/cerberusweb.core/templates/internal/workspaces/widgets/add.tpl b/features/cerberusweb.core/templates/internal/workspaces/widgets/add.tpl
@@ -11,6 +11,7 @@
 		<input type="hidden" name="section" value="dashboards">
 		<input type="hidden" name="action" value="addWidgetPopupJson">
 		<input type="hidden" name="workspace_tab_id" value="{$workspace_tab_id}">
+		<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 		<b>Type:</b>
 		<select name="extension_id">
@@ -32,6 +33,7 @@
 		<input type="hidden" name="section" value="dashboards">
 		<input type="hidden" name="action" value="addWidgetImportJson">
 		<input type="hidden" name="workspace_tab_id" value="{$workspace_tab_id}">
+		<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 		<div class="import">
 			<b>Import:</b> (.json format)

diff --git a/features/cerberusweb.core/templates/internal/workspaces/widgets/calendar/calendar.tpl b/features/cerberusweb.core/templates/internal/workspaces/widgets/calendar/calendar.tpl
@@ -1,6 +1,8 @@
 {$guid = uniqid()}
 
 <form id="frm{$guid}" action="#" style="margin-bottom:5px;width:98%;">
+	<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 	<div style="float:left;">
 		<span style="font-weight:bold;font-size:150%;">{$calendar_properties.calendar_date|devblocks_date:'F Y'}</span>
 	</div>

diff --git a/features/cerberusweb.core/templates/internal/workspaces/widgets/export.tpl b/features/cerberusweb.core/templates/internal/workspaces/widgets/export.tpl
@@ -1,4 +1,5 @@
 <form action="javascript:;" method="post" id="frmWidgetExport" onsubmit="return false;">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <b>Widget:</b>
 

diff --git a/features/cerberusweb.core/templates/internal/workspaces/widgets/export_data.tpl b/features/cerberusweb.core/templates/internal/workspaces/widgets/export_data.tpl
@@ -1,4 +1,5 @@
 <form action="javascript:;" method="post" id="frmWidgetExportData" onsubmit="return false;">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <b>Widget:</b>
 

diff --git a/features/cerberusweb.core/templates/internal/workspaces/widgets/peek.tpl b/features/cerberusweb.core/templates/internal/workspaces/widgets/peek.tpl
@@ -5,6 +5,7 @@
 <input type="hidden" name="action" value="saveWidgetPopup">
 {if !empty($widget) && !empty($widget->id)}<input type="hidden" name="id" value="{$widget->id}">{/if}
 <input type="hidden" name="do_delete" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <table width="100%" cellpadding="0" cellspacing="2">
 	{if $extension instanceof Extension_WorkspaceWidget}

diff --git a/features/cerberusweb.core/templates/mail/queue/bulk.tpl b/features/cerberusweb.core/templates/mail/queue/bulk.tpl
@@ -5,6 +5,7 @@
 <input type="hidden" name="action" value="doDraftsBulkUpdate">
 <input type="hidden" name="view_id" value="{$view_id}">
 <input type="hidden" name="ids" value="{$ids}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>{'common.bulk_update.with'|devblocks_translate|capitalize}</legend>

diff --git a/features/cerberusweb.core/templates/mail/queue/peek.tpl b/features/cerberusweb.core/templates/mail/queue/peek.tpl
@@ -6,6 +6,7 @@
 <input type="hidden" name="id" value="{$draft->id}">
 <input type="hidden" name="view_id" value="{$view_id}">
 <input type="hidden" name="do_delete" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <table cellpadding="0" cellspacing="2" border="0" width="98%">
 	{if is_null($workers)}{$workers = DAO_Worker::getAll()}{/if}

diff --git a/features/cerberusweb.core/templates/mail/queue/view.tpl b/features/cerberusweb.core/templates/mail/queue/view.tpl
@@ -25,6 +25,8 @@
 <input type="hidden" name="section" value="drafts">
 <input type="hidden" name="action" value="">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.core/templates/mail/section/compose/peek.tpl b/features/cerberusweb.core/templates/mail/section/compose/peek.tpl
@@ -14,6 +14,7 @@
 <input type="hidden" name="link_context_id" value="{$draft->params.link_context_id}">
 {/if}
 <input type="hidden" name="format" value="{if ($draft && $draft->params.format == 'parsedown') || $mail_reply_html}parsedown{/if}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>{'common.message'|devblocks_translate|capitalize}</legend>

diff --git a/features/cerberusweb.core/templates/messages/view.tpl b/features/cerberusweb.core/templates/messages/view.tpl
@@ -26,6 +26,8 @@
 <input type="hidden" name="c" value="tickets">
 <input type="hidden" name="a" value="">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.core/templates/pages/add_tabs.tpl b/features/cerberusweb.core/templates/pages/add_tabs.tpl
@@ -28,6 +28,8 @@
 <input type="hidden" name="a" value="doAddCustomTabJson">
 <input type="hidden" name="page_id" value="{$page->id}">
 <input type="hidden" name="len" value="99">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <fieldset class="peek">
 	<legend>Add a new tab:</legend>
 

diff --git a/features/cerberusweb.core/templates/pages/edit_workspace_page.tpl b/features/cerberusweb.core/templates/pages/edit_workspace_page.tpl
@@ -6,6 +6,7 @@
 <input type="hidden" name="id" value="{$workspace_page->id|default:0}">
 <input type="hidden" name="view_id" value="{$view_id}">
 {if !empty($workspace_page)}<input type="hidden" name="do_delete" value="0">{/if}
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <table cellpadding="2" cellspacing="0" border="0" width="100%" style="margin-bottom:5px;">
 	<tr>
@@ -118,6 +119,7 @@
 		<input type="hidden" name="c" value="pages">
 		<input type="hidden" name="a" value="importWorkspacePageJson">
 		<input type="hidden" name="view_id" value="{$view_id}">
+		<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 		<div class="import">
 			<b>Import:</b> (.json format)

diff --git a/features/cerberusweb.core/templates/pages/edit_workspace_tab.tpl b/features/cerberusweb.core/templates/pages/edit_workspace_tab.tpl
@@ -4,6 +4,7 @@
 <input type="hidden" name="id" value="{$workspace_tab->id}">
 <input type="hidden" name="workspace_page_id" value="{$workspace_tab->workspace_page_id}">
 {if !empty($workspace_tab)}<input type="hidden" name="do_delete" value="0">{/if}
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <table cellpadding="2" cellspacing="0" border="0" width="100%" style="margin-bottom:5px;">
 	<tr>

diff --git a/features/cerberusweb.core/templates/pages/page.tpl b/features/cerberusweb.core/templates/pages/page.tpl
@@ -1,6 +1,7 @@
 <form action="{devblocks_url}{/devblocks_url}" id="frmWorkspacePage{$page->id}" method="POST" style="margin-top:5px;">
 	<input type="hidden" name="c" value="internal">
 	<input type="hidden" name="a" value="">
+	<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 	{$menu_json = DAO_WorkerPref::get($active_worker->id, 'menu_json', json_encode(array()))}
 	{$menu = json_decode($menu_json, true)}

diff --git a/features/cerberusweb.core/templates/pages/view.tpl b/features/cerberusweb.core/templates/pages/view.tpl
@@ -26,6 +26,8 @@
 <input type="hidden" name="context_id" value="">
 <input type="hidden" name="c" value="pages">
 <input type="hidden" name="a" value="">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.core/templates/pages/wizard_popup.tpl b/features/cerberusweb.core/templates/pages/wizard_popup.tpl
@@ -2,6 +2,7 @@
 <input type="hidden" name="c" value="pages">
 <input type="hidden" name="a" value="savePageWizardPopup">
 <input type="hidden" name="view_id" value="{$view_id}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend style="color:rgb(80,80,80);">What kind of page would you like to create?</legend>

diff --git a/features/cerberusweb.core/templates/preferences/modules/general.tpl b/features/cerberusweb.core/templates/preferences/modules/general.tpl
@@ -1,6 +1,7 @@
 <form action="{devblocks_url}{/devblocks_url}" method="post">
 <input type="hidden" name="c" value="preferences">
 <input type="hidden" name="a" value="saveDefaults">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>{'preferences.account.settings'|devblocks_translate|capitalize}</legend>
@@ -148,4 +149,5 @@
 <input type="hidden" name="c" value="preferences">
 <input type="hidden" name="a" value="resendConfirmation">
 <input type="hidden" name="email" value="">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 </form>
diff --git a/features/cerberusweb.core/templates/preferences/modules/security.tpl b/features/cerberusweb.core/templates/preferences/modules/security.tpl
@@ -1,6 +1,7 @@
 <form action="{devblocks_url}{/devblocks_url}" method="POST" autocomplete="off">
 <input type="hidden" name="c" value="preferences">
 <input type="hidden" name="a" value="saveSecurityTab">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <div class="help-box">
 	<h1>Set up your secret questions</h1>

diff --git a/features/cerberusweb.core/templates/preferences/tabs/notifications/bulk.tpl b/features/cerberusweb.core/templates/preferences/tabs/notifications/bulk.tpl
@@ -3,6 +3,7 @@
 <input type="hidden" name="a" value="doNotificationsBulkUpdate">
 <input type="hidden" name="view_id" value="{$view_id}">
 <input type="hidden" name="ids" value="{$ids}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>{'common.bulk_update.with'|devblocks_translate|capitalize}</legend>

diff --git a/features/cerberusweb.core/templates/preferences/tabs/notifications/view.tpl b/features/cerberusweb.core/templates/preferences/tabs/notifications/view.tpl
@@ -25,6 +25,8 @@
 <input type="hidden" name="c" value="preferences">
 <input type="hidden" name="a" value="">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="5" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.core/templates/preferences/tabs/watcher/index.tpl b/features/cerberusweb.core/templates/preferences/tabs/watcher/index.tpl
@@ -1,6 +1,7 @@
 <form action="{devblocks_url}{/devblocks_url}" method="POST" id="frmWatcherPrefs">
 <input type="hidden" name="c" value="preferences">
 <input type="hidden" name="a" value="saveWatcherTab">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 <legend>If I'm watching something, send me a notification when these events happen:</legend>

diff --git a/features/cerberusweb.core/templates/search/quick_search.tpl b/features/cerberusweb.core/templates/search/quick_search.tpl
@@ -6,6 +6,7 @@
 	<input type="hidden" name="c" value="search">
 	<input type="hidden" name="a" value="ajaxQuickSearch">
 	<input type="hidden" name="view_id" value="{$view->id}">
+	<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 	<div style="border:1px solid rgb(200,200,200);border-radius:10px;display:inline-block;">
 		<input type="text" name="query" class="input_search cerb-input-quicksearch" style="border:0;" size="50" value="{$quick_search_query}" autocomplete="off" spellcheck="false">

diff --git a/features/cerberusweb.core/templates/tasks/rpc/bulk.tpl b/features/cerberusweb.core/templates/tasks/rpc/bulk.tpl
@@ -3,6 +3,7 @@
 <input type="hidden" name="a" value="doTaskBulkUpdate">
 <input type="hidden" name="view_id" value="{$view_id}">
 <input type="hidden" name="ids" value="{$ids}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>{'common.bulk_update.with'|devblocks_translate|capitalize}</legend>

diff --git a/features/cerberusweb.core/templates/tasks/rpc/peek.tpl b/features/cerberusweb.core/templates/tasks/rpc/peek.tpl
@@ -8,6 +8,7 @@
 <input type="hidden" name="link_context_id" value="{$link_context_id}">
 {/if}
 <input type="hidden" name="do_delete" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>{'common.properties'|devblocks_translate}</legend>

diff --git a/features/cerberusweb.core/templates/tasks/view.tpl b/features/cerberusweb.core/templates/tasks/view.tpl
@@ -31,6 +31,8 @@
 <input type="hidden" name="c" value="tasks">
 <input type="hidden" name="a" value="">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.core/templates/tickets/ajax/merge_confirm.tpl b/features/cerberusweb.core/templates/tickets/ajax/merge_confirm.tpl
@@ -2,6 +2,7 @@
 <input type="hidden" name="c" value="tickets">
 <input type="hidden" name="a" value="viewMergeTickets">
 <input type="hidden" name="view_id" value="{$view_id}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset>
 	<legend>Are you sure you want to merge these tickets?</legend>

diff --git a/features/cerberusweb.core/templates/tickets/peek.tpl b/features/cerberusweb.core/templates/tickets/peek.tpl
@@ -9,6 +9,7 @@
 <input type="hidden" name="link_context" value="{$link_context}">
 <input type="hidden" name="link_context_id" value="{$link_context_id}">
 {/if}
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 {if !$edit_mode && !empty($message)}
 <div id="ticketPeekMessage" style="margin-bottom:10px;">

diff --git a/features/cerberusweb.core/templates/tickets/rpc/bulk.tpl b/features/cerberusweb.core/templates/tickets/rpc/bulk.tpl
@@ -3,6 +3,7 @@
 <input type="hidden" name="a" value="doBulkUpdate">
 <input type="hidden" name="view_id" value="{$view_id}">
 <input type="hidden" name="ids" value="{$ids}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>{'common.bulk_update.with'|devblocks_translate|capitalize}</legend>

diff --git a/features/cerberusweb.core/templates/tickets/rpc/ticket_view_assist.tpl b/features/cerberusweb.core/templates/tickets/rpc/ticket_view_assist.tpl
@@ -2,6 +2,7 @@
 <input type="hidden" name="c" value="tickets">
 <input type="hidden" name="a" value="viewAutoAssist">
 <input type="hidden" name="view_id" value="{$view_id}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 Sort biggest piles by: 
 <label><input type="radio" name="mode" value="subjects" {if $mode!="subjects"}onclick="genericAjaxGet('{$view_id}_tips','c=tickets&a=showViewAutoAssist&view_id={$view_id}&mode=subjects');"{/if} {if $mode=="subjects"}checked{/if}>Subject Similarity</label>

diff --git a/features/cerberusweb.core/templates/tickets/rpc/ticket_view_assist_headers.tpl b/features/cerberusweb.core/templates/tickets/rpc/ticket_view_assist_headers.tpl
@@ -2,6 +2,7 @@
 <input type="hidden" name="c" value="tickets">
 <input type="hidden" name="a" value="viewAutoAssist">
 <input type="hidden" name="view_id" value="{$view_id}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 Sort biggest piles by: 
 <label><input type="radio" name="mode" value="subjects" {if $mode!="subjects"}onclick="genericAjaxGet('{$view_id}_tips','c=tickets&a=showViewAutoAssist&view_id={$view_id}&mode=subjects');"{/if} {if $mode=="subjects"}checked{/if}>Subject Similarity</label>

diff --git a/features/cerberusweb.core/templates/tickets/view.tpl b/features/cerberusweb.core/templates/tickets/view.tpl
@@ -35,6 +35,8 @@
 <input type="hidden" name="a" value="">
 <input type="hidden" name="id" value="{$view->id}">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
 	{* Column Headers *}
 	<thead>

diff --git a/features/cerberusweb.core/templates/workers/view.tpl b/features/cerberusweb.core/templates/workers/view.tpl
@@ -32,6 +32,8 @@
 <input type="hidden" name="section" value="worker">
 <input type="hidden" name="action" value="">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="2" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.crm/templates/crm/opps/bulk.tpl b/features/cerberusweb.crm/templates/crm/opps/bulk.tpl
@@ -3,6 +3,7 @@
 <input type="hidden" name="a" value="doOppBulkUpdate">
 <input type="hidden" name="view_id" value="{$view_id}">
 <input type="hidden" name="opp_ids" value="{$opp_ids}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>{'common.bulk_update.with'|devblocks_translate|capitalize}</legend>

diff --git a/features/cerberusweb.crm/templates/crm/opps/peek.tpl b/features/cerberusweb.crm/templates/crm/opps/peek.tpl
@@ -8,6 +8,7 @@
 <input type="hidden" name="link_context_id" value="{$link_context_id}">
 {/if}
 <input type="hidden" name="do_delete" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>{'common.properties'|devblocks_translate}</legend>

diff --git a/features/cerberusweb.crm/templates/crm/opps/view.tpl b/features/cerberusweb.crm/templates/crm/opps/view.tpl
@@ -32,6 +32,8 @@
 <input type="hidden" name="c" value="crm">
 <input type="hidden" name="a" value="">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.feedback/templates/feedback/ajax/peek.tpl b/features/cerberusweb.feedback/templates/feedback/ajax/peek.tpl
@@ -7,6 +7,7 @@
 <input type="hidden" name="link_context_id" value="{$link_context_id}">
 {/if}
 <input type="hidden" name="do_delete" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>Properties</legend>

diff --git a/features/cerberusweb.feedback/templates/feedback/bulk.tpl b/features/cerberusweb.feedback/templates/feedback/bulk.tpl
@@ -3,6 +3,7 @@
 <input type="hidden" name="a" value="doBulkUpdate">
 <input type="hidden" name="view_id" value="{$view_id}">
 <input type="hidden" name="ids" value="{$ids}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>{'common.bulk_update.with'|devblocks_translate|capitalize}</legend>

diff --git a/features/cerberusweb.feedback/templates/feedback/view.tpl b/features/cerberusweb.feedback/templates/feedback/view.tpl
@@ -25,6 +25,7 @@
 <input type="hidden" name="view_id" value="{$view->id}">
 <input type="hidden" name="c" value="feedback">
 <input type="hidden" name="a" value="">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
 

diff --git a/features/cerberusweb.kb/templates/kb/ajax/category_edit_panel.tpl b/features/cerberusweb.kb/templates/kb/ajax/category_edit_panel.tpl
@@ -3,6 +3,7 @@
 <input type="hidden" name="a" value="saveKbCategoryEditPanelJson">
 <input type="hidden" name="id" value="{$category->id}">
 <input type="hidden" name="delete_box" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <b>Name:</b><br>
 <input type="text" name="name" value="{$category->name}" style="width:99%;border:solid 1px rgb(180,180,180);"><br>

diff --git a/features/cerberusweb.kb/templates/kb/bulk.tpl b/features/cerberusweb.kb/templates/kb/bulk.tpl
@@ -3,6 +3,7 @@
 <input type="hidden" name="a" value="doArticlesBulkUpdate">
 <input type="hidden" name="view_id" value="{$view_id}">
 <input type="hidden" name="ids" value="{$ids}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>{'common.bulk_update.with'|devblocks_translate|capitalize}</legend>

diff --git a/features/cerberusweb.kb/templates/kb/peek_edit.tpl b/features/cerberusweb.kb/templates/kb/peek_edit.tpl
@@ -4,6 +4,7 @@
 <input type="hidden" name="id" value="{$article->id}">
 <input type="hidden" name="view_id" value="{$view_id}">
 <input type="hidden" name="do_delete" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <div id="kbArticleTabs">
 	<ul>

diff --git a/features/cerberusweb.kb/templates/kb/peek_readonly.tpl b/features/cerberusweb.kb/templates/kb/peek_readonly.tpl
@@ -1,4 +1,5 @@
 <form action="{devblocks_url}{/devblocks_url}" method="POST">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <iframe src="{$smarty.const.DEVBLOCKS_WEBPATH}ajax.php?c=kb.ajax&a=getArticleContent&id={$article->id}" style="margin:5px 0px 5px 5px;height:400px;width:98%;border:1px solid rgb(200,200,200);" frameborder="0"></iframe>
 <br>

diff --git a/features/cerberusweb.kb/templates/kb/tabs/articles/index.tpl b/features/cerberusweb.kb/templates/kb/tabs/articles/index.tpl
@@ -3,6 +3,7 @@
 <form id="frmKbBrowseTab{$tab->id}" enctype="multipart/form-data" method="post" action="{devblocks_url}{/devblocks_url}">
 	<input type="hidden" name="c" value="kb.ajax">
 	<input type="hidden" name="a" value="">
+	<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 	{if $active_worker->hasPriv('core.kb.categories.modify')}
 		{$parent_id = 0}

diff --git a/features/cerberusweb.kb/templates/kb/view.tpl b/features/cerberusweb.kb/templates/kb/view.tpl
@@ -31,6 +31,8 @@
 <input type="hidden" name="a" value="">
 <input type="hidden" name="return" value="{$response_uri}">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.reports/templates/reports/custom_fields/usage/index.tpl b/features/cerberusweb.reports/templates/reports/custom_fields/usage/index.tpl
@@ -2,6 +2,7 @@
 <legend>{'reports.ui.custom_fields.usage'|devblocks_translate}</legend>
 
 <form action="{devblocks_url}c=pages&page={$page->id}-{$page->name|devblocks_permalink}&report=report.custom_fields.usage{/devblocks_url}" method="POST" id="frmRange" name="frmRange">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <b>Custom Field:</b>
 

diff --git a/features/cerberusweb.reports/templates/reports/group/group_replies/index.tpl b/features/cerberusweb.reports/templates/reports/group/group_replies/index.tpl
@@ -3,6 +3,7 @@
 
 <form action="{devblocks_url}c=pages&page={$page->id}-{$page->name|devblocks_permalink}&report=report.groups.group_replies{/devblocks_url}" method="POST" id="frmRange" name="frmRange">
 <input type="hidden" name="c" value="reports">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 <b>{'reports.ui.date_from'|devblocks_translate}</b> <input type="text" name="start" id="start" size="24" value="{$start}"><button type="button" onclick="devblocksAjaxDateChooser('#start','#divCal');"><span class="glyphicons glyphicons-calendar"></span></button>
 <b>{'reports.ui.date_to'|devblocks_translate}</b> <input type="text" name="end" id="end" size="24" value="{$end}"><button type="button" onclick="devblocksAjaxDateChooser('#end','#divCal');"><span class="glyphicons glyphicons-calendar"></span></button>
 <b>Grouping:</b> <select name="report_date_grouping">

diff --git a/features/cerberusweb.reports/templates/reports/snippets/snippet_popularity/index.tpl b/features/cerberusweb.reports/templates/reports/snippets/snippet_popularity/index.tpl
@@ -3,6 +3,7 @@
 
 <form action="{devblocks_url}c=pages&page={$page->id}-{$page->name|devblocks_permalink}&report=report.snippets.popularity{/devblocks_url}" method="POST" id="frmRange">
 <input type="hidden" name="c" value="reports">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 <b>{'reports.ui.date_from'|devblocks_translate}</b> <input type="text" name="start" id="start" size="24" value="{$start}"><button type="button" onclick="devblocksAjaxDateChooser('#start','#divCal');"><span class="glyphicons glyphicons-calendar"></span></button>
 <b>{'reports.ui.date_to'|devblocks_translate}</b> <input type="text" name="end" id="end" size="24" value="{$end}"><button type="button" onclick="devblocksAjaxDateChooser('#end','#divCal');"><span class="glyphicons glyphicons-calendar"></span></button>
 

diff --git a/features/cerberusweb.reports/templates/reports/ticket/closed_tickets/index.tpl b/features/cerberusweb.reports/templates/reports/ticket/closed_tickets/index.tpl
@@ -3,6 +3,7 @@
 
 <form action="{devblocks_url}c=pages&page={$page->id}-{$page->name|devblocks_permalink}&report=report.tickets.closed_tickets{/devblocks_url}" method="POST" id="frmRange" name="frmRange">
 <input type="hidden" name="c" value="reports">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 <b>{'reports.ui.date_from'|devblocks_translate}</b> <input type="text" name="start" id="start" size="24" value="{$start}"><button type="button" onclick="devblocksAjaxDateChooser('#start','#divCal');"><span class="glyphicons glyphicons-calendar"></span></button>
 <b>{'reports.ui.date_to'|devblocks_translate}</b> <input type="text" name="end" id="end" size="24" value="{$end}"><button type="button" onclick="devblocksAjaxDateChooser('#end','#divCal');"><span class="glyphicons glyphicons-calendar"></span></button>
 <b>Grouping:</b> <select name="report_date_grouping">

diff --git a/features/cerberusweb.reports/templates/reports/ticket/new_tickets/index.tpl b/features/cerberusweb.reports/templates/reports/ticket/new_tickets/index.tpl
@@ -3,6 +3,7 @@
 
 <form action="{devblocks_url}c=pages&page={$page->id}-{$page->name|devblocks_permalink}&report=report.tickets.new_tickets{/devblocks_url}" method="POST" id="frmRange">
 <input type="hidden" name="c" value="reports">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 <b>{'reports.ui.date_from'|devblocks_translate}</b> <input type="text" name="start" id="start" size="24" value="{$start}"><button type="button" onclick="devblocksAjaxDateChooser('#start','#divCal');"><span class="glyphicons glyphicons-calendar"></span></button>
 <b>{'reports.ui.date_to'|devblocks_translate}</b> <input type="text" name="end" id="end" size="24" value="{$end}"><button type="button" onclick="devblocksAjaxDateChooser('#end','#divCal');"><span class="glyphicons glyphicons-calendar"></span></button>
 <b>Grouping:</b> <select name="report_date_grouping">

diff --git a/features/cerberusweb.reports/templates/reports/ticket/top_contacts_tickets/index.tpl b/features/cerberusweb.reports/templates/reports/ticket/top_contacts_tickets/index.tpl
@@ -2,6 +2,7 @@
 <legend>{'reports.ui.ticket.top_contacts'|devblocks_translate}</legend>
 
 <form action="{devblocks_url}c=pages&page={$page->id}-{$page->name|devblocks_permalink}&report=report.tickets.top_contacts{/devblocks_url}" method="POST" id="frmRange" name="frmRange">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 {'reports.ui.date_from'|devblocks_translate} <input type="text" name="start" id="start" size="24" value="{$start}"><button type="button" onclick="devblocksAjaxDateChooser('#start','#divCal');"><span class="glyphicons glyphicons-calendar"></span></button>
 {'reports.ui.date_to'|devblocks_translate} <input type="text" name="end" id="end" size="24" value="{$end}"><button type="button" onclick="devblocksAjaxDateChooser('#end','#divCal');"><span class="glyphicons glyphicons-calendar"></span></button>
 <div id="divCal"></div>

diff --git a/features/cerberusweb.reports/templates/reports/va/va_usage/index.tpl b/features/cerberusweb.reports/templates/reports/va/va_usage/index.tpl
@@ -3,6 +3,7 @@
 
 <form action="{devblocks_url}c=pages&page={$page->id}-{$page->name|devblocks_permalink}&report=report.virtual_attendants.usage{/devblocks_url}" method="POST" id="frmRange">
 <input type="hidden" name="c" value="reports">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 <b>{'reports.ui.date_from'|devblocks_translate}</b> <input type="text" name="start" id="start" size="24" value="{$start}"><button type="button" onclick="devblocksAjaxDateChooser('#start','#divCal');"><span class="glyphicons glyphicons-calendar"></span></button>
 <b>{'reports.ui.date_to'|devblocks_translate}</b> <input type="text" name="end" id="end" size="24" value="{$end}"><button type="button" onclick="devblocksAjaxDateChooser('#end','#divCal');"><span class="glyphicons glyphicons-calendar"></span></button>
 

diff --git a/features/cerberusweb.reports/templates/reports/worker/average_response_time/index.tpl b/features/cerberusweb.reports/templates/reports/worker/average_response_time/index.tpl
@@ -5,6 +5,7 @@
 {if $invalidDate}<font color="red"><b>{'reports.ui.invalid_date'|devblocks_translate}</b></font>{/if}
 
 <form action="{devblocks_url}c=pages&page={$page->id}-{$page->name|devblocks_permalink}&report=report.workers.averageresponsetime{/devblocks_url}" method="POST" id="frmRange" name="frmRange">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 <input type="text" name="start" id="start" size="24" value="{$start}"><button type="button" onclick="devblocksAjaxDateChooser('#start','#divCal');"><span class="glyphicons glyphicons-calendar"></span></button>
 <input type="text" name="end" id="end" size="24" value="{$end}"><button type="button" onclick="devblocksAjaxDateChooser('#end','#divCal');"><span class="glyphicons glyphicons-calendar"></span></button>
 

diff --git a/features/cerberusweb.reports/templates/reports/worker/worker_history/index.tpl b/features/cerberusweb.reports/templates/reports/worker/worker_history/index.tpl
@@ -2,6 +2,7 @@
 <legend>{'reports.ui.worker.worker_history'|devblocks_translate}</legend>
 
 <form action="{devblocks_url}c=pages&page={$page->id}-{$page->name|devblocks_permalink}&report=report.workers.worker_history{/devblocks_url}" method="POST" id="frmRange" name="frmRange">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 <b>{'reports.ui.date_from'|devblocks_translate}</b> <input type="text" name="start" id="start" size="24" value="{$start}"><button type="button" onclick="devblocksAjaxDateChooser('#start','#divCal');"><span class="glyphicons glyphicons-calendar"></span></button>
 <b>{'reports.ui.date_to'|devblocks_translate}</b> <input type="text" name="end" id="end" size="24" value="{$end}"><button type="button" onclick="devblocksAjaxDateChooser('#end','#divCal');"><span class="glyphicons glyphicons-calendar"></span></button>
 <b>Grouping:</b> <select name="report_date_grouping">

diff --git a/features/cerberusweb.restapi/templates/peek.tpl b/features/cerberusweb.restapi/templates/peek.tpl
@@ -5,6 +5,7 @@
 <input type="hidden" name="action" value="savePeekPopup">
 <input type="hidden" name="id" value="{$model->id|default:'0'}">
 <input type="hidden" name="do_delete" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>{'common.properties'|devblocks_translate}</legend>

diff --git a/features/cerberusweb.restapi/templates/view.tpl b/features/cerberusweb.restapi/templates/view.tpl
@@ -26,6 +26,8 @@
 <input type="hidden" name="c" value="rest">
 <input type="hidden" name="a" value="">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="5" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/features/cerberusweb.simulator/templates/setup/section.tpl b/features/cerberusweb.simulator/templates/setup/section.tpl
@@ -8,6 +8,7 @@
 	<input type="hidden" name="a" value="handleSectionAction">
 	<input type="hidden" name="section" value="simulator">
 	<input type="hidden" name="action" value="generateTicketsJson">
+	<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 	<table cellpadding="5" cellspacing="0" border="0">
 		<tr>
@@ -61,6 +62,7 @@
 	<input type="hidden" name="a" value="handleSectionAction">
 	<input type="hidden" name="section" value="simulator">
 	<input type="hidden" name="action" value="generateTasksJson">
+	<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 	<table cellpadding="5" cellspacing="0" border="0">
 		<tr>
@@ -116,6 +118,7 @@
 	<input type="hidden" name="a" value="handleSectionAction">
 	<input type="hidden" name="section" value="simulator">
 	<input type="hidden" name="action" value="generateOrgsJson">
+	<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 	<table cellpadding="5" cellspacing="0" border="0">
 		<tr>

diff --git a/features/cerberusweb.timetracking/templates/config/activities/edit_activity.tpl b/features/cerberusweb.timetracking/templates/config/activities/edit_activity.tpl
@@ -4,6 +4,7 @@
 <input type="hidden" name="action" value="save">
 <input type="hidden" name="id" value="{if !empty($activity->id)}{$activity->id}{else}0{/if}">
 <input type="hidden" name="do_delete" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset>
 	<legend>

diff --git a/features/cerberusweb.timetracking/templates/config/activities/index.tpl b/features/cerberusweb.timetracking/templates/config/activities/index.tpl
@@ -26,6 +26,7 @@
 
 		<td width="100%" valign="top">
 			<form action="{devblocks_url}{/devblocks_url}" method="post" id="configActivity">
+				<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 				{include file="devblocks:cerberusweb.timetracking::config/activities/edit_activity.tpl" activity=null}
 			</form>
 		</td>

diff --git a/features/cerberusweb.timetracking/templates/reports/time_spent_activity/index.tpl b/features/cerberusweb.timetracking/templates/reports/time_spent_activity/index.tpl
@@ -2,6 +2,7 @@
 <legend>{'timetracking.ui.reports.time_spent_activity'|devblocks_translate}</legend>
 
 <form action="{devblocks_url}c=pages&page={$page->id}-{$page->name|devblocks_permalink}&report=report.timetracking.timespentactivity{/devblocks_url}" method="POST" id="frmRange" name="frmRange">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 <b>{'timetracking.ui.reports.from'|devblocks_translate}</b> <input type="text" name="start" id="start" size="24" value="{$start}"><button type="button" onclick="devblocksAjaxDateChooser('#start','#divCal');"><span class="glyphicons glyphicons-calendar"></span></button>
 <b>{'timetracking.ui.reports.to'|devblocks_translate}</b> <input type="text" name="end" id="end" size="24" value="{$end}"><button type="button" onclick="devblocksAjaxDateChooser('#end','#divCal');"><span class="glyphicons glyphicons-calendar"></span></button>
 <b>Grouping:</b> <select name="report_date_grouping">

diff --git a/features/cerberusweb.timetracking/templates/reports/time_spent_org/index.tpl b/features/cerberusweb.timetracking/templates/reports/time_spent_org/index.tpl
@@ -2,6 +2,7 @@
 <legend>{'timetracking.ui.reports.time_spent_org'|devblocks_translate}</legend>
 
 <form action="{devblocks_url}c=pages&page={$page->id}-{$page->name|devblocks_permalink}&report=report.timetracking.timespentorg{/devblocks_url}" method="POST" id="frmRange" name="frmRange">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 <b>{'timetracking.ui.reports.from'|devblocks_translate}</b> <input type="text" name="start" id="start" size="24" value="{$start}"><button type="button" onclick="devblocksAjaxDateChooser('#start','#divCal');"><span class="glyphicons glyphicons-calendar"></span></button>
 <b>{'timetracking.ui.reports.to'|devblocks_translate}</b> <input type="text" name="end" id="end" size="24" value="{$end}"><button type="button" onclick="devblocksAjaxDateChooser('#end','#divCal');"><span class="glyphicons glyphicons-calendar"></span></button>
 <b>Grouping:</b> <select name="report_date_grouping">

diff --git a/features/cerberusweb.timetracking/templates/reports/time_spent_worker/index.tpl b/features/cerberusweb.timetracking/templates/reports/time_spent_worker/index.tpl
@@ -2,6 +2,7 @@
 <legend>{'timetracking.ui.reports.time_spent_worker'|devblocks_translate}</legend>
 
 <form action="{devblocks_url}c=pages&page={$page->id}-{$page->name|devblocks_permalink}&report=report.timetracking.timespentworker{/devblocks_url}" method="POST" id="frmRange" name="frmRange">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 <b>{'timetracking.ui.reports.from'|devblocks_translate}</b> <input type="text" name="start" id="start" size="24" value="{$start}"><button type="button" onclick="devblocksAjaxDateChooser('#start','#divCal');"><span class="glyphicons glyphicons-calendar"></span></button>
 <b>{'timetracking.ui.reports.to'|devblocks_translate}</b> <input type="text" name="end" id="end" size="24" value="{$end}"><button type="button" onclick="devblocksAjaxDateChooser('#end','#divCal');"><span class="glyphicons glyphicons-calendar"></span></button>
 <b>Grouping:</b> <select name="report_date_grouping">

diff --git a/features/cerberusweb.translators/templates/config/ajax/add_language_panel.tpl b/features/cerberusweb.translators/templates/config/ajax/add_language_panel.tpl
@@ -3,6 +3,7 @@
 <input type="hidden" name="a" value="handleSectionAction">
 <input type="hidden" name="section" value="translations">
 <input type="hidden" name="action" value="saveAddLanguagePanel">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 {if is_array($codes) && count($codes) > 1}
 <table cellspacing="0" cellpadding="2" border="0">

diff --git a/features/cerberusweb.translators/templates/config/ajax/find_strings_panel.tpl b/features/cerberusweb.translators/templates/config/ajax/find_strings_panel.tpl
@@ -3,6 +3,7 @@
 <input type="hidden" name="a" value="handleSectionAction">
 <input type="hidden" name="section" value="translations">
 <input type="hidden" name="action" value="saveFindStringsPanel">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 This will find text defined in U.S. English and not yet translated to other languages.  
 Leaving new text blank allows you to easily find translation work with a search.

diff --git a/features/cerberusweb.translators/templates/config/ajax/import_strings_panel.tpl b/features/cerberusweb.translators/templates/config/ajax/import_strings_panel.tpl
@@ -3,6 +3,7 @@
 <input type="hidden" name="a" value="handleSectionAction">
 <input type="hidden" name="section" value="translations">
 <input type="hidden" name="action" value="saveImportStringsPanel">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <b>Language File:</b> (.xml; TMX)<br>
 <input type="file" name="import_file" size="45"><br>

diff --git a/features/cerberusweb.translators/templates/config/section/view.tpl b/features/cerberusweb.translators/templates/config/section/view.tpl
@@ -23,6 +23,7 @@
 <input type="hidden" name="a" value="handleSectionAction">
 <input type="hidden" name="section" value="translations">
 <input type="hidden" name="action" value="">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
 

diff --git a/install/extras/sdk/devblocks-dao.php b/install/extras/sdk/devblocks-dao.php
@@ -1275,6 +1275,7 @@ function importSaveObject(array $fields, array $custom_fields, array $meta) {
 <input type="hidden" name="view_id" value="{$view_id}">
 {if !empty($model) && !empty($model->id)}<input type="hidden" name="id" value="{$model->id}">{/if}
 <input type="hidden" name="do_delete" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>{'common.properties'|devblocks_translate}</legend>
@@ -1428,6 +1429,8 @@ function importSaveObject(array $fields, array $custom_fields, array $meta) {
 <input type="hidden" name="section" value="<?php echo $table_name; ?>">
 <input type="hidden" name="action" value="">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/install/extras/sdk/examples/example.object/templates/example_object/bulk.tpl b/install/extras/sdk/examples/example.object/templates/example_object/bulk.tpl
@@ -3,6 +3,7 @@
 <input type="hidden" name="a" value="saveBulkUpdatePopup">
 <input type="hidden" name="view_id" value="{$view_id}">
 <input type="hidden" name="ids" value="{$ids}">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset>
 	<legend>{'common.bulk_update.with'|devblocks_translate|capitalize}</legend>

diff --git a/install/extras/sdk/examples/example.object/templates/example_object/peek.tpl b/install/extras/sdk/examples/example.object/templates/example_object/peek.tpl
@@ -4,6 +4,7 @@
 <input type="hidden" name="id" value="{$model->id}">
 <input type="hidden" name="view_id" value="{$view_id}">
 <input type="hidden" name="do_delete" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 
 <fieldset class="peek">
 	<legend>{'common.properties'|devblocks_translate|capitalize}</legend>

diff --git a/install/extras/sdk/examples/example.object/templates/example_object/view.tpl b/install/extras/sdk/examples/example.object/templates/example_object/view.tpl
@@ -28,6 +28,8 @@
 <input type="hidden" name="c" value="example.objects">
 <input type="hidden" name="a" value="">
 <input type="hidden" name="explore_from" value="0">
+<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
+
 <table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">
 
 	{* Column Headers *}

diff --git a/install/extras/sdk/examples/example.report/templates/reports/example.tpl b/install/extras/sdk/examples/example.report/templates/reports/example.tpl
@@ -2,6 +2,7 @@
 	<legend>{'example.report'|devblocks_translate|capitalize}</legend>
 
 	<form id="frmExampleReport" action="{devblocks_url}c=pages&page={$page->id}-{$page->name|devblocks_permalink}&report=example.report{/devblocks_url}" method="POST">
+		<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">
 		&nbsp; 
 		Tickets created between: 
 		<input type="text" name="date_from" size="24" value="{$date_from}">

diff --git a/libs/devblocks/api/Engine.php b/libs/devblocks/api/Engine.php
@@ -574,7 +574,11 @@ static function readRequest() {
 				break;
 		}
 
-		$request = new DevblocksHttpRequest($parts,$queryArgs);
+		$method = strtoupper(@$_SERVER['REQUEST_METHOD']);
+
+		$request = new DevblocksHttpRequest($parts,$queryArgs,$method);
+		$request->csrf_token = isset($_SERVER['HTTP_X_CSRF_TOKEN']) ? $_SERVER['HTTP_X_CSRF_TOKEN'] : @$_REQUEST['_csrf_token'];
+
 		DevblocksPlatform::setHttpRequest($request);
 
 		return $request;
@@ -588,6 +592,28 @@ static function readRequest() {
 	 */
 	static function processRequest(DevblocksHttpRequest $request, $is_ajax=false) {
 		$path = $request->path;
+
+		// Security: CSRF
+
+		// If we are running a controller action...
+		if(isset($_REQUEST['c']) || isset($_REQUEST['a'])) {
+
+			// ...and we're not in DEVELOPMENT_MODE
+			if(!DEVELOPMENT_MODE_ALLOW_CSRF) {
+
+				// ...and the CSRF token is invalid for this session, freak out
+				if(!isset($_SESSION['csrf_token']) || $_SESSION['csrf_token'] != $request->csrf_token) {
+					header("Status: 403");
+					@$referer = $_SERVER['HTTP_REFERER'];
+					@$remote_addr = $_SERVER['REMOTE_ADDR'];
+
+					error_log(sprintf("[Cerb/Security] Possible CSRF attack from IP %s using referrer %s", $remote_addr, $referer), E_USER_WARNING);
+					die("Access denied");
+				}
+			}
+		}
+
+		// Controllers
 
 		$controller_uri = array_shift($path);
 

diff --git a/libs/devblocks/api/Extension.php b/libs/devblocks/api/Extension.php
@@ -2034,11 +2034,15 @@ public function writeResponse(DevblocksHttpResponse $response);
 };
 
 class DevblocksHttpRequest extends DevblocksHttpIO {
+	public $method = null;
+	public $csrf_token = null;
+
 	/**
 	 * @param array $path
 	 */
-	function __construct($path, $query=array()) {
+	function __construct($path, $query=array(), $method=null) {
 		parent::__construct($path, $query);
+		$this->method = $method;
 	}
 };
 

diff --git a/libs/devblocks/api/services/template.php b/libs/devblocks/api/services/template.php
@@ -87,6 +87,11 @@ static function block_devblocks_url($params, $content, $smarty, &$repeat, $templ
 
 		$contents = $url->write($content, !empty($params['full']) ? true : false);
 
+		$is_ajax = substr($content, 0, 9) == 'ajax.php?';
+
+		if($is_ajax)
+			$contents .= '&_csrf_token=' . $_SESSION['csrf_token'];
+
 		if (!empty($params['assign'])) {
 			$smarty->assign($params['assign'], $contents);
 		} else {

diff --git a/libs/devblocks/framework.defaults.php b/libs/devblocks/framework.defaults.php
@@ -68,6 +68,9 @@
 if(!defined('DEVELOPMENT_MODE_QUERIES'))
 	define('DEVELOPMENT_MODE_QUERIES', false);
 
+if(!defined('DEVELOPMENT_MODE_ALLOW_CSRF'))
+	define('DEVELOPMENT_MODE_ALLOW_CSRF', false);
+
 // ----
 
 @ini_set('session.gc_maxlifetime','86400');

diff --git a/libs/devblocks/resources/js/devblocks.js b/libs/devblocks/resources/js/devblocks.js
@@ -240,9 +240,9 @@ function hideLoadingPanel() {
 }
 
 function genericAjaxPopupFind($sel) {
-	$devblocksPopups = $('#devblocksPopups');
-	$data = $devblocksPopups.data();
-	$element = $($sel).closest('DIV.devblocks-popup');
+	var $devblocksPopups = $('#devblocksPopups');
+	var $data = $devblocksPopups.data();
+	var $element = $($sel).closest('DIV.devblocks-popup');
 	for($key in $data) {
 		if($element.attr('id') == $data[$key].attr('id'))
 			return $data[$key];
@@ -256,7 +256,7 @@ function genericAjaxPopupFetch($layer) {
 }
 
 function genericAjaxPopupClose($layer, $event) {
-	$popup = genericAjaxPopupFetch($layer);
+	var $popup = genericAjaxPopupFetch($layer);
 	if(null != $popup) {
 		try {
 			if(null != $event)
@@ -273,7 +273,7 @@ function genericAjaxPopupClose($layer, $event) {
 }
 
 function genericAjaxPopupDestroy($layer) {
-	$popup = genericAjaxPopupFetch($layer);
+	var $popup = genericAjaxPopupFetch($layer);
 	if(null != $popup) {
 		genericAjaxPopupClose($layer);
 		try {
@@ -476,6 +476,11 @@ function genericAjaxGet(divRef,args,cb,options) {
 	options.cache = false;
 	options.success = cb;
 
+	if(null == options.headers)
+		options.headers = {};
+
+	options.headers['X-CSRF-Token'] = $('meta[name="_csrf_token"]').attr('content');
+
 	$.ajax(options);
 }
 
@@ -523,6 +528,11 @@ function genericAjaxPost(formRef,divRef,args,cb,options) {
 	options.cache = false;
 	options.success = cb;
 
+	if(null == options.headers)
+		options.headers = {};
+
+	options.headers['X-CSRF-Token'] = $('meta[name="_csrf_token"]').attr('content');
+
 	$.ajax(options);
 }