diff --git a/server/acl.go b/server/acl.go
index ccb67e81313c8..87e5bad7fd338 100644
--- a/server/acl.go
+++ b/server/acl.go
@@ -27,6 +27,7 @@ func setUserSession(ctx echo.Context, user *api.User) error {
 Path: "/",
 MaxAge: 3600 * 24 * 30,
 HttpOnly: true,
+ SameSite: http.SameSiteStrictMode,
 }
 sess.Values[userIDContextKey] = user.ID
 err := sess.Save(ctx.Request(), ctx.Response())
diff --git a/server/server.go b/server/server.go
index 243f26adf05ed..5e57ea8a25c96 100644
--- a/server/server.go
+++ b/server/server.go
@@ -36,6 +36,10 @@ func NewServer(profile *profile.Profile) *Server {
 `"status":${status},"error":"${error}"}` + "\n",
 }))
+ e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
+ TokenLookup: "cookie:_csrf",
+ }))
+
 e.Use(middleware.CORS())
 e.Use(middleware.TimeoutWithConfig(middleware.TimeoutConfig{
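Review bot: The session cookie options now set HttpOnly and SameSite but still omit `Secure`, so the session cookie is also transmitted over cleartext HTTP whenever the server is reached without TLS; consider adding `Secure: ctx.IsTLS(),` next to the new SameSite line, or deriving it from the deployment profile, so a TLS deployment never sends its session cookie in clear. SameSiteStrictMode also means a top-level navigation from an external link arrives without the cookie, so the first page load treats the user as logged out; Lax mode keeps cookies off cross-site POST requests while avoiding that, if it matters for this app. setUserSession starts and ends outside the hunk.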
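Review bot: With `TokenLookup: "cookie:_csrf"` the middleware extracts the token from the same `_csrf` cookie it validates against (echo's default CSRF cookie name is `_csrf`), so the comparison is always true for any request carrying that cookie, which the browser attaches to cross-site requests as well; the check therefore enforces nothing. The double-submit pattern only works when the token arrives through a channel a foreign origin cannot set, e.g. echo's default `TokenLookup: "header:" + echo.HeaderXCSRFToken,` with the client reading the `_csrf` cookie and echoing it in that header. The SameSite=Strict attribute added to the session cookie in server/acl.go in this same commit is what actually keeps cross-site requests unauthenticated here; either fix the lookup or drop the middleware so its presence is not mistaken for protection. NewServer continues outside the hunk.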