diff --git a/app.py b/app.py
index 122ab2a..22419b7 100644
--- a/app.py
+++ b/app.py
@@ -14,6 +14,7 @@ from functools import wraps
 from flask import Flask, g, jsonify, render_template, request, abort, redirect, session, flash
 from flask_caching import Cache
 from flask_session import Session
+from flask_wtf.csrf import CSRFProtect, generate_csrf
 from ffmpy import FFmpeg
 from pymongo import MongoClient
 
@@ -26,6 +27,7 @@ app.config['SESSION_COOKIE_HTTPONLY'] = False
 app.cache = Cache(app, config=config.REDIS)
 sess = Session()
 sess.init_app(app)
+csrf = CSRFProtect(app)
 
 db = client[config.MONGO['database']]
 db.users.create_index('username', unique=True)
@@ -106,6 +108,7 @@ def get_config():
         config_out['assets_baseurl'] = ''.join([request.host_url, 'assets']) + '/'
 
     config_out['_version'] = get_version()
+    config_out['_csrf_token'] = generate_csrf()
     return config_out
 
 
@@ -126,7 +129,6 @@ def get_version():
 
 
 @app.route('/')
-@app.cache.cached(timeout=15)
 def route_index():
     version = get_version()
     return render_template('index.html', version=version, config=get_config())
diff --git a/public/src/js/account.js b/public/src/js/account.js
index 22757a7..d33ab05 100644
--- a/public/src/js/account.js
+++ b/public/src/js/account.js
@@ -423,6 +423,7 @@ class Account{
 			})
 			if(obj){
 				request.setRequestHeader("Content-Type", "application/json;charset=UTF-8")
+				request.setRequestHeader("X-CSRFToken", gameConfig._csrf_token)
 				request.send(JSON.stringify(obj))
 			}else{
 				request.send()
diff --git a/templates/admin_song_detail.html b/templates/admin_song_detail.html
index 9c860ae..ff221c8 100644
--- a/templates/admin_song_detail.html
+++ b/templates/admin_song_detail.html
@@ -6,6 +6,7 @@
 {% endfor %}
 <div class="song-form">
     <form method="post">
+        <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
 
         <div class="form-field">
             <span class="checkbox"><input type="checkbox" name="enabled" id="enabled"{% if song.enabled %} checked{% endif %}{% if admin.user_level < 100 %} disabled {% endif %}><label for="enabled"> Enabled</label></span>
@@ -124,6 +125,7 @@
     </form>
     {% if admin.user_level >= 100 %}
     <form class="delete-song" method="post" action="/admin/songs/{{song.id}}/delete" onsubmit="return confirm('Are you sure you wish to delete this song?');">
+        <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
         <button type="submit">Delete song</button>
     </form>
     {% endif %}
diff --git a/templates/admin_song_new.html b/templates/admin_song_new.html
index 9fc1361..35557b0 100644
--- a/templates/admin_song_new.html
+++ b/templates/admin_song_new.html
@@ -6,9 +6,10 @@
 {% endfor %}
 <div class="song-form">
     <form method="post">
+        <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
 
         <div class="form-field">
-            <span class="checkbox"><input type="checkbox" name="enabled" id="enabled" checked><label for="enabled"> Enabled</label></span>
+            <span class="checkbox"><input type="checkbox" name="enabled" id="enabled"><label for="enabled"> Enabled</label></span>
         </div>
 
         <div class="form-field">