diff --git a/lhc_web/design/defaulttheme/tpl/lhfile/configuration.tpl.php b/lhc_web/design/defaulttheme/tpl/lhfile/configuration.tpl.php
index 868e51c749..2bc4ec8c22 100644
--- a/lhc_web/design/defaulttheme/tpl/lhfile/configuration.tpl.php
+++ b/lhc_web/design/defaulttheme/tpl/lhfile/configuration.tpl.php
@@ -10,6 +10,8 @@
+
+
diff --git a/lhc_web/modules/lhfile/configuration.php b/lhc_web/modules/lhfile/configuration.php
index e8e3663fea..08244dcc59 100644
--- a/lhc_web/modules/lhfile/configuration.php
+++ b/lhc_web/modules/lhfile/configuration.php
@@ -7,6 +7,12 @@ if (isset($_POST['StoreFileConfiguration'])) {
+
+ if (!isset($_POST['csfr_token']) || !$currentUser->validateCSFRToken($_POST['csfr_token'])) {
+ erLhcoreClassModule::redirect('file/configuration');
+ exit;
+ }
+
 $definition = array( 'AllowedFileTypes' => new ezcInputFormDefinitionElement( ezcInputFormDefinitionElement::OPTIONAL, 'string'