diff --git a/forms/ComplexTableField.php b/forms/ComplexTableField.php
index 16792bac7..8c7aa8fb3 100755
--- a/forms/ComplexTableField.php
+++ b/forms/ComplexTableField.php
@@ -749,7 +749,11 @@ class ComplexTableField_ItemRequest extends TableListField_ItemRequest {
 		return $this->renderWith($this->ctf->templatePopup);
 	}
 
-	function delete() {
+	function delete($request) {
+		// Protect against CSRF on destructive action
+		$token = $this->ctf->getForm()->getSecurityToken();
+		if(!$token->checkRequest($request)) return $this->httpError(400);
+
 		if($this->ctf->Can('delete') !== true) {
 			return false;
 		}
diff --git a/forms/TableListField.php b/forms/TableListField.php
index 18a866233..b9354cc74 100755
--- a/forms/TableListField.php
+++ b/forms/TableListField.php
@@ -559,7 +559,11 @@ JS
 	/**
 	 * @return String
 	 */
-	function delete() {
+	function delete($request) {
+		// Protect against CSRF on destructive action
+		$token = $this->getForm()->getSecurityToken();
+		if(!$token->checkRequest($request)) return $this->httpError('400');
+
 		if($this->Can('delete') !== true) {
 			return false;
 		}
@@ -1438,6 +1442,7 @@ class TableListField_Item extends ViewableData {
 	function Link($action = null) {
 		$form = $this->parent->getForm();
 		if($form) {
+			$token = $form->getSecurityToken();
 			$parentUrlParts = parse_url($this->parent->Link());
 			$queryPart = (isset($parentUrlParts['query'])) ? '?' . $parentUrlParts['query'] : null;
 			// Ensure that URL actions not routed through Form->httpSubmission() are protected against CSRF attacks.
@@ -1567,7 +1572,11 @@ class TableListField_ItemRequest extends RequestHandler {
 		parent::__construct();
 	}
 
-	function delete() {
+	function delete($request) {
+		// Protect against CSRF on destructive action
+		$token = $this->ctf->getForm()->getSecurityToken();
+		if(!$token->checkRequest($request)) return $this->httpError('400');
+
 		if($this->ctf->Can('delete') !== true) {
 			return false;
 		}
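Review bot: `$this->ctf->getForm()` is dereferenced straight into `getSecurityToken()` in the new `delete($request)` guard, so a field that is not attached to a form would fatal here instead of returning the 400; the `Link()` hunk later in this diff guards the same `getForm()` result with `if($form)`, and both `delete()` methods in TableListField.php repeat the unguarded pattern. Consider `$form = $this->ctf->getForm(); if(!$form || !$form->getSecurityToken()->checkRequest($request)) return $this->httpError(400);`. This hunk passes `400` as an int while the two TableListField.php hunks pass `'400'` as a string; the three should agree. Since the token is carried in a link URL (per the `Link()` hunk) the delete is presumably reachable via GET, so if the handler can tolerate it, also rejecting non-POST requests with `$request->isPOST()` would be a cheap additional guard — hedged, because the rest of `delete()` lies outside the hunk.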
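Review bot: The docblock directly above `TableListField::delete($request)` now understates the contract: it still says only `@return String`, yet the method returns `false` on a failed permission check and the result of `httpError('400')` on a failed token check, and the new `$request` parameter is undocumented. Add `@param SS_HTTPRequest $request` and a line such as `Responds with HTTP 400 when the request carries no valid security token.` so callers know the failure modes. The method body continues outside the hunk.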
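Review bot: `$token` is assigned in `Link()` but not used within the visible lines; the function continues past the hunk and the existing comment about protecting URL actions suggests it is appended to the link below, but if it is not, this is a dead assignment. Carrying the token in a link URL means it will appear in browser history, Referer headers and access logs, which is a different exposure profile from a hidden form field; a short comment at the assignment, e.g. `// Token is exposed in the URL (history, Referer, logs); acceptable only for a per-session token`, would make that trade-off explicit for the next reader.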