diff --git a/client/js/auth/auth.js b/client/js/auth/auth.js
index 546eb25..aa39261 100644
--- a/client/js/auth/auth.js
+++ b/client/js/auth/auth.js
@@ -4,6 +4,12 @@ $.getScript('/js/version.js', function() {
 VERSION = window.VERSION;
 });
+let csrfToken = '';
+
+$.get('/api/auth/csrf-token', function(data) {
+ csrfToken = data.csrfToken;
+});
+
 // Main application object
 const App = {
 // Configuration
@@ -460,6 +466,7 @@ const App = {
 url: "/api/login",
 method: "POST",
 data: { username, password }, //captchaResponse: turnstileResponse },
+ headers: { 'CSRF-Token': csrfToken }, // CSRF token
 success: (response) => {
 localStorage.setItem("token", response.token);
 localStorage.setItem("username", response.username);
diff --git a/server/functions/api/routes/auth.js b/server/functions/api/routes/auth.js
index 09dc3a8..718657e 100644
--- a/server/functions/api/routes/auth.js
+++ b/server/functions/api/routes/auth.js
@@ -3,7 +3,9 @@ const bcrypt = require("bcrypt");
 const { body, validationResult } = require("express-validator");
 const User = require("../models/User");
 const moment = require("moment-timezone");
-//const csrf = require("csurf");
+const csrf = require("csurf");
+const csrfProtection = csrf({ cookie: true });
+
 const requestIp = require('request-ip');
 const crypto = require('crypto');
 const jwt = require('jsonwebtoken');
@@ -141,7 +143,7 @@ const validateUser = [
 // REgister account
-router.post("/register-create", authLimiter, validateUser, async (req, res) => {
+router.post("/register-create", csrfProtection, authLimiter, validateUser, async (req, res) => {
 try {
 const { username, email, password } = req.body;
 console.log("Registration attempt for:", email);
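Review bot: `csrfToken` is filled in by an asynchronous `$.get` that has no completion or error handling, so a login submitted before that request returns, or after it fails, sends `'CSRF-Token': ''` and is rejected server-side with nothing shown to the user. Keep the request promise and wait on it in the login path, e.g. `const csrfReady = $.get('/api/auth/csrf-token').then((data) => { csrfToken = data.csrfToken; });` followed by `csrfReady.then(() => $.ajax({ ... }))`, and attach a `.fail` handler that surfaces the failure. The token is fetched from `/api/auth/csrf-token` while the login call in the next hunk posts to `/api/login`; if the server router is mounted under one prefix, both paths cannot resolve to the routes in this diff, so the mount path or a rewrite rule should be confirmed.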
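Review bot: The `CSRF-Token` header is added only to the `/api/login` request, yet the server side of this diff also places `csrfProtection` in front of `/register-create` and `/logout`; unless those client calls are updated outside this diff, they will now fail the token check. The enclosing `$.ajax` call and the handler around it start and end outside the hunk. A small helper such as `const withCsrf = (opts) => ({ ...opts, headers: { ...opts.headers, 'CSRF-Token': csrfToken } });` applied to every state-changing request would keep the client consistent with all three protected routes.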
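Review bot: `csrf({ cookie: true })` stores the CSRF secret in a cookie with csurf's default attributes, which are neither `httpOnly` nor `secure`; pass the cookie options explicitly, `const csrfProtection = csrf({ cookie: { httpOnly: true, sameSite: 'strict', secure: process.env.NODE_ENV === 'production' } });`. Cookie mode also needs `cookie-parser` mounted ahead of this router, which the diff does not show, so that should be confirmed. csurf has been marked deprecated by its maintainers, so a short comment on why it was chosen, or a note on the planned replacement, would help the next reader.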
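Review bot: A failed token check inside `csrfProtection` is reported through `next(err)` with `err.code === 'EBADCSRFTOKEN'`, not as a JSON response, so unless an error handler downstream of this router maps it, callers of `/register-create` (and of the other routes this diff protects) get the default HTML error page instead of a structured 403. Add a handler after the routes along the lines of `if (err.code === 'EBADCSRFTOKEN') return res.status(403).json({ error: 'Invalid CSRF token' });` and `next(err)` for anything else. The route body continues outside the hunk.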
@@ -242,7 +244,7 @@ router.get("/validate-session", async (req, res) => {
 // Check if user is banned
-router.get("/check-ban", authenticateToken, async (req, res) => {
+router.get("/check-ban", csrfProtection, authenticateToken, async (req, res) => {
 try {
 const user = await User.findById(req.user.userId);
 if (!user) {
@@ -259,7 +261,7 @@ const MAX_LOGIN_ATTEMPTS = 5;
 const LOCK_TIME = 2 * 60 * 1000; // 2 minutes
 // Login endpoint
-router.post("/login", authLimiter, async (req, res) => {
+router.post("/login", csrfProtection, authLimiter, async (req, res) => {
 try {
 const { username, password } = req.body;
 // console.log("Login attempt for:", username);
@@ -360,7 +362,7 @@ router.post("/login", authLimiter, async (req, res) => {
 });
 // Logout endpoint
-router.post("/logout", async (req, res) => {
+router.post("/logout", csrfProtection, async (req, res) => {
 if (req.user) {
 await User.findByIdAndUpdate(req.user._id, { isOnline: false });
 }
@@ -372,6 +374,10 @@ router.post("/logout", async (req, res) => {
 });
 });
+router.get("/csrf-token", csrfProtection, (req, res) => {
+ res.json({ csrfToken: req.csrfToken() });
+});
+
 /*
 router.post("/claim-daily-currency", authenticateToken, async (req, res) => {
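Review bot: `csrfProtection` on the GET route `/check-ban` validates nothing, because csurf skips GET, HEAD and OPTIONS by default (its `ignoreMethods` setting); on this route it only ensures the secret cookie exists, and the endpoint's actual protection remains `authenticateToken`. Either drop the middleware there or document the intent, e.g. `// csrfProtection on a GET only seeds the secret cookie; the method is not validated`. On the new `/csrf-token` route that seeding is the purpose, but the token is returned without any cache directive, so `res.set('Cache-Control', 'no-store');` before the `res.json` call would keep intermediaries from retaining it.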