diff --git a/lam/lib/modules.inc b/lam/lib/modules.inc
index 6adfd25b..9f46a508 100644
--- a/lam/lib/modules.inc
+++ b/lam/lib/modules.inc
@@ -1298,6 +1298,9 @@ class accountContainer {
 	 * Prints the header of the account pages.
 	 */
 	private function printPageHeader() {
+		if (!empty($_POST)) {
+			validateSecurityToken();
+		}
 		include '../main_header.php';
 		echo '<script type="text/javascript">
 				jQuery(document).ready(function() {
@@ -1306,6 +1309,7 @@ class accountContainer {
 			</script>';
 		echo "<form id=\"inputForm\" enctype=\"multipart/form-data\" action=\"edit.php\" method=\"post\" onSubmit=\"saveScrollPosition('inputForm')\" autocomplete=\"off\">\n";
 		echo '<input type="hidden" name="account_randomID" value="' . $this->randomID . '">';		
+		echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';		
 	}
 	
 	/**
diff --git a/lam/templates/delete.php b/lam/templates/delete.php
index f7242886..97094baa 100644
--- a/lam/templates/delete.php
+++ b/lam/templates/delete.php
@@ -4,7 +4,7 @@
 
 	This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
 	Copyright (C) 2003 - 2006  Tilo Lutz
-	Copyright (C) 2007 - 2014  Roland Gruber
+	Copyright (C) 2007 - 2015  Roland Gruber
 
 	This program is free software; you can redistribute it and/or modify
 	it under the terms of the GNU General Public License as published by
@@ -62,6 +62,10 @@ if (!isLoggedIn()) {
 // Set correct language, codepages, ....
 setlanguage();
 
+if (!empty($_POST)) {
+	validateSecurityToken();
+}
+
 if (isset($_POST['type']) && !preg_match('/^[a-z0-9_]+$/i', $_POST['type'])) {
 	logNewMessage(LOG_ERR, 'Invalid type: ' . $_POST['type']);
 	die();
@@ -90,6 +94,7 @@ if (isset($_GET['type']) && isset($_SESSION['delete_dn'])) {
 	echo "<div class=\"".$_GET['type']."-bright smallPaddingContent\">";
 	echo "<br>\n";
 	echo "<form action=\"delete.php\" method=\"post\">\n";
+	echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
 	echo "<input name=\"type\" type=\"hidden\" value=\"" . $_GET['type'] . "\">\n";
 	echo "<b>" . _("Do you really want to remove the following accounts?") . "</b>";
 	echo "<br><br>\n";
@@ -149,6 +154,7 @@ if (isset($_POST['delete'])) {
 	// Show HTML Page
 	include 'main_header.php';
 	echo "<form action=\"delete.php\" method=\"post\">\n";
+	echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
 	echo "<input name=\"type\" type=\"hidden\" value=\"" . $_POST['type'] . "\">\n";
 	echo "<div class=\"".$_POST['type']."-bright smallPaddingContent\"><br>\n";
 	echo "<br>\n";
diff --git a/lam/templates/initsuff.php b/lam/templates/initsuff.php
index 878b7273..6d3325cb 100644
--- a/lam/templates/initsuff.php
+++ b/lam/templates/initsuff.php
@@ -3,7 +3,7 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2013  Roland Gruber
+  Copyright (C) 2003 - 2015  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -46,6 +46,10 @@ if (!checkIfWriteAccessIsAllowed()) {
 
 setlanguage();
 
+if (!empty($_POST)) {
+	validateSecurityToken();
+}
+
 // check if user already pressed button
 if (isset($_POST['add_suff']) || isset($_POST['cancel'])) {
 	if (isset($_POST['add_suff'])) {
@@ -191,6 +195,7 @@ include 'main_header.php';
 	$buttonContainer->addElement(new htmlButton('cancel', _("Cancel")));
 	$buttonContainer->addElement(new htmlHiddenInput('new_suff', implode(";", $new_suff)));
 	$container->addElement($buttonContainer);
+	addSecurityTokenToMetaHTML($container);
 	
 	$tabindex = 1;
 	parseHtml(null, $container, array(), false, $tabindex, 'user');
diff --git a/lam/templates/massBuildAccounts.php b/lam/templates/massBuildAccounts.php
index 7e05d489..27e46d4d 100644
--- a/lam/templates/massBuildAccounts.php
+++ b/lam/templates/massBuildAccounts.php
@@ -3,7 +3,7 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2004 - 2014  Roland Gruber
+  Copyright (C) 2004 - 2015  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -56,6 +56,10 @@ if (!isLoggedIn()) {
 // Set correct language, codepages, ....
 setlanguage();
 
+if (!empty($_POST)) {
+	validateSecurityToken();
+}
+
 // show LDIF if requested
 if (isset($_GET['showldif'])) {
 	//download file
@@ -258,6 +262,7 @@ else {
 	massPrintBackButton($scope, $selectedModules, $container);
 }
 
+addSecurityTokenToMetaHTML($container);
 $tabindex = 1;
 parseHtml(null, $container, array(), false, $tabindex, $scope);
 
diff --git a/lam/templates/masscreate.php b/lam/templates/masscreate.php
index b55fbe3f..c87c20f5 100644
--- a/lam/templates/masscreate.php
+++ b/lam/templates/masscreate.php
@@ -3,7 +3,7 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2004 - 2013  Roland Gruber
+  Copyright (C) 2004 - 2015  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -60,6 +60,10 @@ if (!isLoggedIn()) {
 // Set correct language, codepages, ....
 setlanguage();
 
+if (!empty($_POST)) {
+	validateSecurityToken();
+}
+
 // show CSV if requested
 if (isset($_GET['getCSV'])) {
 	//download file
@@ -211,6 +215,7 @@ if (!empty($types)) {
 	$table->addElement(new htmlButton('submit', _('Ok')), true);
 }
 
+addSecurityTokenToMetaHTML($table);
 parseHtml(null, $table, array(), false, $tabindex, 'user');
 ?>
 <script type="text/javascript">
@@ -434,6 +439,7 @@ function showMainPage($scope, $selectedModules) {
 	}
 	$container->addElement($columnContainer, true);
 	
+	addSecurityTokenToMetaHTML($container);
 	$tabindex = 1;
 	parseHtml(null, $container, array(), false, $tabindex, $scope);
 	
diff --git a/lam/templates/multiEdit.php b/lam/templates/multiEdit.php
index b3651f45..959404f5 100644
--- a/lam/templates/multiEdit.php
+++ b/lam/templates/multiEdit.php
@@ -3,7 +3,7 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2013  Roland Gruber
+  Copyright (C) 2013 - 2015  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -47,6 +47,10 @@ checkIfToolIsActive('toolMultiEdit');
 
 setlanguage();
 
+if (!empty($_POST)) {
+	validateSecurityToken();
+}
+
 define('ADD', 'add');
 define('MOD', 'mod');
 define('DEL', 'del');
@@ -71,7 +75,7 @@ function displayStartPage() {
 	// display main page
 	include 'main_header.php';
 	echo '<div class="user-bright smallPaddingContent">';
-	echo ("<form action=\"multiEdit.php\" method=\"post\">\n");
+	echo "<form action=\"multiEdit.php\" method=\"post\">\n";
 	$errors = array();
 	$tabindex = 1;
 	$container = new htmlTable();
@@ -174,6 +178,7 @@ function displayStartPage() {
 		runActions($container);
 	}
 	
+	addSecurityTokenToMetaHTML($container);
 	
 	parseHtml(null, $container, array(), false, $tabindex, 'user');
 	echo ("</form>\n");
diff --git a/lam/templates/ou_edit.php b/lam/templates/ou_edit.php
index a973c1d5..8260764b 100644
--- a/lam/templates/ou_edit.php
+++ b/lam/templates/ou_edit.php
@@ -3,7 +3,7 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2012  Roland Gruber
+  Copyright (C) 2003 - 2015  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -47,6 +47,10 @@ checkIfToolIsActive('toolOUEditor');
 
 setlanguage();
 
+if (!empty($_POST)) {
+	validateSecurityToken();
+}
+
 $types = $_SESSION['config']->get_ActiveTypes();
 
 // check if deletion was canceled
@@ -120,7 +124,8 @@ if (isset($_POST['createOU']) || isset($_POST['deleteOU'])) {
 			$container->addElement(new htmlButton('sure', _("Delete")));			
 			$container->addElement(new htmlButton('abort', _("Cancel")));
 			$container->addElement(new htmlHiddenInput('deleteOU', 'submit'));		
-			$container->addElement(new htmlHiddenInput('deletename', $_POST['deleteableOU']));		
+			$container->addElement(new htmlHiddenInput('deletename', $_POST['deleteableOU']));
+			addSecurityTokenToMetaHTML($container);		
 			parseHtml(null, $container, array(), false, $tabindex, 'user');
 			echo "</form>";
 			echo '</div>';
@@ -145,7 +150,7 @@ function display_main($message, $error) {
 	// display main page
 	include 'main_header.php';
 	echo '<div class="user-bright smallPaddingContent">';
-	echo ("<form action=\"ou_edit.php\" method=\"post\">\n");
+	echo "<form action=\"ou_edit.php\" method=\"post\">\n";
 
 	$tabindex = 1;
 	$container = new htmlTable();
@@ -208,6 +213,7 @@ function display_main($message, $error) {
 		$container->addElement(new htmlHelpLink('602'), true);
 	}
 	
+	addSecurityTokenToMetaHTML($container);
 	parseHtml(null, $container, array(), false, $tabindex, 'user');
 	echo ("</form>\n");
 	echo '</div>';
diff --git a/lam/templates/pdfedit/pdfmain.php b/lam/templates/pdfedit/pdfmain.php
index ee9084f7..3b64b9fc 100644
--- a/lam/templates/pdfedit/pdfmain.php
+++ b/lam/templates/pdfedit/pdfmain.php
@@ -4,7 +4,7 @@ $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
   Copyright (C) 2003 - 2006  Michael Duergner
-                2005 - 2014  Roland Gruber
+                2005 - 2015  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -49,6 +49,10 @@ if (!checkIfWriteAccessIsAllowed()) die();
 
 checkIfToolIsActive('toolPDFEditor');
 
+if (!empty($_POST)) {
+	validateSecurityToken();
+}
+
 setlanguage();
 
 // Unset pdf structure definitions in session if set
@@ -163,6 +167,7 @@ include '../main_header.php';
 ?>
 <div class="user-bright smallPaddingContent">
 <form enctype="multipart/form-data" action="pdfmain.php" method="post" name="pdfmainForm" >
+<input type="hidden" name="<?php echo getSecurityTokenName(); ?>" value="<?php echo getSecurityTokenValue(); ?>">
 	<?php
 		if (isset($_GET['savedSuccessfully'])) {
 			$message = new htmlStatusMessage("INFO", _("PDF structure was successfully saved."), htmlspecialchars($_GET['savedSuccessfully']));
@@ -294,6 +299,7 @@ include '../main_header.php';
 			$container->addElement(new htmlHelpLink('236'));
 			$container->addElement(new htmlHiddenInput('importexport', '1'));
 			$container->addElement(new htmlHiddenInput('scope', $scope), true);
+			addSecurityTokenToMetaHTML($container);
 			
 			parseHtml(null, $container, array(), false, $tabindex, 'user');
 
@@ -340,6 +346,7 @@ include '../main_header.php';
 		$container->addElement($exportPasswd);
 		$container->addElement(new htmlHelpLink('236'));
 		$container->addElement(new htmlHiddenInput('importexport', '1'), true);
+		addSecurityTokenToMetaHTML($container);
 		
 		parseHtml(null, $container, array(), false, $tabindex, 'user');
 
@@ -354,6 +361,7 @@ echo '<div id="deleteProfileDialog" class="hidden"><form id="deleteProfileForm"
 	echo '<input id="profileDeleteType" type="hidden" name="profileDeleteType" value="">';
 	echo '<input id="profileDeleteName" type="hidden" name="profileDeleteName" value="">';
 	echo '<input type="hidden" name="deleteProfile" value="true">';
+	echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
 echo '</form></div>';
 
 include '../main_footer.php';
diff --git a/lam/templates/pdfedit/pdfpage.php b/lam/templates/pdfedit/pdfpage.php
index 4f6f0a92..09670075 100644
--- a/lam/templates/pdfedit/pdfpage.php
+++ b/lam/templates/pdfedit/pdfpage.php
@@ -4,7 +4,7 @@ $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
   Copyright (C) 2003 - 2006  Michael Duergner
-                2007 - 2014  Roland Gruber
+                2007 - 2015  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -55,6 +55,10 @@ checkIfToolIsActive('toolPDFEditor');
 
 setlanguage();
 
+if (!empty($_POST)) {
+	validateSecurityToken();
+}
+
 // check if user is logged in, if not go to login
 if (!$_SESSION['ldap'] || !$_SESSION['ldap']->server()) {
 	metaRefresh("../login.php");
@@ -643,6 +647,7 @@ $buttonContainer->addElement(new htmlHiddenInput('modules', $modules));
 $buttonContainer->addElement(new htmlHiddenInput('type', $_GET['type']));
 
 $container->addElement($buttonContainer, true);
+addSecurityTokenToMetaHTML($container);
 
 $tabindex = 1;
 parseHtml(null, $container, array(), false, $tabindex, $_GET['type']);
diff --git a/lam/templates/profedit/profilemain.php b/lam/templates/profedit/profilemain.php
index a1f06fe9..1a1668e9 100644
--- a/lam/templates/profedit/profilemain.php
+++ b/lam/templates/profedit/profilemain.php
@@ -3,7 +3,7 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2014  Roland Gruber
+  Copyright (C) 2003 - 2015  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -47,6 +47,10 @@ checkIfToolIsActive('toolProfileEditor');
 
 setlanguage();
 
+if (!empty($_POST)) {
+	validateSecurityToken();
+}
+
 $types = $_SESSION['config']->get_ActiveTypes();
 $profileClasses = array();
 $profileClassesTemp = array();
@@ -89,6 +93,7 @@ for ($i = 0; $i < sizeof($profileClasses); $i++) {
 include '../main_header.php';
 echo "<div class=\"user-bright smallPaddingContent\">\n";
 echo "<form name=\"profilemainForm\" action=\"profilemain.php\" method=\"post\">\n";
+echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
 
 $container = new htmlTable();
 $container->addElement(new htmlTitle(_("Profile editor")), true);
@@ -261,6 +266,7 @@ for ($i = 0; $i < sizeof($profileClasses); $i++) {
 	$container->addElement(new htmlHelpLink('236'));
 	$container->addElement(new htmlHiddenInput('importexport', '1'));
 	$container->addElement(new htmlHiddenInput('scope', $scope), true);
+	addSecurityTokenToMetaHTML($container);
 	
 	parseHtml(null, $container, array(), false, $tabindex, 'user');
 
@@ -308,6 +314,7 @@ $exportPasswd->setIsPassword(true);
 $container->addElement($exportPasswd);
 $container->addElement(new htmlHelpLink('236'));
 $container->addElement(new htmlHiddenInput('importexport', '1'), true);
+addSecurityTokenToMetaHTML($container);
 
 parseHtml(null, $container, array(), false, $tabindex, 'user');
 
@@ -322,6 +329,7 @@ echo '<div id="deleteProfileDialog" class="hidden"><form id="deleteProfileForm"
 	echo '<input id="profileDeleteType" type="hidden" name="profileDeleteType" value="">';
 	echo '<input id="profileDeleteName" type="hidden" name="profileDeleteName" value="">';
 	echo '<input type="hidden" name="deleteProfile" value="true">';
+	echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
 echo '</form></div>';
 
 include '../main_footer.php';
diff --git a/lam/templates/profedit/profilepage.php b/lam/templates/profedit/profilepage.php
index e039a010..9c2e120b 100644
--- a/lam/templates/profedit/profilepage.php
+++ b/lam/templates/profedit/profilepage.php
@@ -3,7 +3,7 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2014  Roland Gruber
+  Copyright (C) 2003 - 2015  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -51,6 +51,10 @@ checkIfToolIsActive('toolProfileEditor');
 
 setlanguage();
 
+if (!empty($_POST)) {
+	validateSecurityToken();
+}
+
 // check if user is logged in, if not go to login
 if (!$_SESSION['ldap'] || !$_SESSION['ldap']->server()) {
 	metaRefresh("../login.php");
@@ -169,7 +173,8 @@ elseif (isset($_GET['edit'])) {
 }
 
 // display formular
-echo ("<form action=\"profilepage.php?type=$type\" method=\"post\">\n");
+echo "<form action=\"profilepage.php?type=$type\" method=\"post\">\n";
+echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
 
 $profName = '';
 if (isset($_GET['edit'])) {