diff --git a/ldap_frontend/__init__.py b/ldap_frontend/__init__.py
index d20b80b..f92cc63 100644
--- a/ldap_frontend/__init__.py
+++ b/ldap_frontend/__init__.py
@@ -2,6 +2,7 @@ from json import load
 from os import environ
 from flask import Flask, flash, redirect, request, session, url_for
+from flask_wtf.csrf import CSRFProtect, CSRFError
 from ldap3 import ALL_ATTRIBUTES, MODIFY_ADD, MODIFY_DELETE
 from ldap3.core.exceptions import LDAPException
 from ldap3.utils.dn import escape_rdn
@@ -18,11 +19,24 @@ from .helpers.ldap import (
 app = Flask(__name__)
 app.secret_key = environ.get("FLASK_SECRET_KEY", default="test")
+csrf = CSRFProtect(app)
 with open(environ["APP_CONFIG"]) as f:
 APP_CONFIG = load(f)
+
+@app.errorhandler(CSRFError)
+def handle_csrf_error(e):
+ flash("CRSF validation error. For your own safety, you have been logged out.")
+
+ session["is_logged_in"] = False
+ session["username"] = ""
+ session["password"] = ""
+
+ return redirect(url_for("login"))
+
+
 @app.route("/")
 def slash():
 if session.get('is_logged_in'):
@@ -131,7 +145,6 @@ def selfservice(ldap):
 return redirect(url_for("selfservice"))
- print(session)
 return template(ldap, "selfservice.html")
diff --git a/ldap_frontend/templates/groups/members.html b/ldap_frontend/templates/groups/members.html
index f74b651..44b92b5 100644
--- a/ldap_frontend/templates/groups/members.html
+++ b/ldap_frontend/templates/groups/members.html
@@ -16,6 +16,7 @@
 {{ member["cn"] }}
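Review bot: The new handle_csrf_error handler resets only three known keys, so any other entry in the session survives the forced logout, and its user-facing message misspells the mechanism (`CRSF`); replace the three assignments with `session.clear()` and correct the text to `flash("CSRF validation error. For your own safety, you have been logged out.")`. Clearing `session["password"]` suggests the LDAP bind password is kept in the Flask session, which is a signed but unencrypted client-side cookie — worth a `# NOTE(review): session appears to hold the bind password; confirm this is intended` until that is settled. Flask-WTF signs its tokens with SECRET_KEY when WTF_CSRF_SECRET_KEY is unset, so the `default="test"` fallback on the context line just above makes the new `CSRFProtect(app)` only as strong as that placeholder; consider failing at startup when FLASK_SECRET_KEY is absent. Rejected submissions are currently invisible to operators; a line such as `app.logger.warning("CSRF validation failed: %s", e.description)` before the flash would give a detection signal.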
+
@@ -25,6 +26,7 @@
+
add user to group
diff --git a/ldap_frontend/templates/login.html b/ldap_frontend/templates/login.html
index 8c4e746..e8eadaa 100644
--- a/ldap_frontend/templates/login.html
+++ b/ldap_frontend/templates/login.html
@@ -1,6 +1,7 @@
 {% extends "layout/default.html" %}
 {% block content %}
+
Login
diff --git a/ldap_frontend/templates/selfservice.html b/ldap_frontend/templates/selfservice.html
index fd6126a..9126d3e 100644
--- a/ldap_frontend/templates/selfservice.html
+++ b/ldap_frontend/templates/selfservice.html
@@ -2,6 +2,7 @@
 {% block title %}self service{% endblock %}
 {% block content %}
+
user data
@@ -47,6 +48,7 @@
+
+ password
diff --git a/requirements.txt b/requirements.txt
index 38520b1..ef0be59 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,5 +1,6 @@
 click==8.0.3
 Flask==2.0.2
+Flask-WTF==1.0.0
 gunicorn==20.1.0
 itsdangerous==2.0.1
 Jinja2==3.0.3
@@ -7,3 +8,4 @@ ldap3==2.9.1
 MarkupSafe==2.0.1
 pyasn1==0.4.8
 Werkzeug==2.0.2
+WTForms==3.0.0