diff --git a/system/controllers/admin.php b/system/controllers/admin.php
index c91f495d..0599f0c7 100644
--- a/system/controllers/admin.php
+++ b/system/controllers/admin.php
@@ -5,12 +5,12 @@
  *  by https://t.me/ibnux
  **/
 
- header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
- header("Expires: Tue, 01 Jan 2000 00:00:00 GMT");
- header("Pragma: no-cache");
+header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
+header("Expires: Tue, 01 Jan 2000 00:00:00 GMT");
+header("Pragma: no-cache");
 
-if(Admin::getID()){
-    r2(U.'dashboard', "s", Lang::T("You are already logged in"));
+if (Admin::getID()) {
+    r2(U . 'dashboard', "s", Lang::T("You are already logged in"));
 }
 
 if (isset($routes['1'])) {
@@ -23,6 +23,11 @@ switch ($do) {
     case 'post':
         $username = _post('username');
         $password = _post('password');
+        //csrf token
+        $csrf_token = _post('csrf_token');
+        if (!Csrf::check($csrf_token)) {
+            _alert(Lang::T('Invalid CSRF Token') . ".", 'danger', "admin");
+        }
         run_hook('admin_login'); #HOOK
         if ($username != '' and $password != '') {
             $d = ORM::for_table('tbl_users')->where('username', $username)->find_one();
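Review bot: The new CSRF guard only stops the login if `_alert()` never returns; its body is not in this diff, and if it merely records the message and sends a redirect without exiting, execution falls through to the credential lookup and a request with an invalid token still logs the user in. Make the outcome independent of the helper: `if (!Csrf::check($csrf_token)) { _alert(Lang::T('Invalid CSRF Token') . ".", 'danger', "admin"); exit; }`. The same unconditional check also covers the `$isApi` path handled later in this switch, where a client would not hold a session-bound token; confirm that is intended or that `Csrf::check()` exempts it. The enclosing `switch ($do)` starts outside the hunk.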
@@ -36,26 +41,28 @@ switch ($do) {
                     _log($username . ' ' . Lang::T('Login Successful'), $d['user_type'], $d['id']);
                     if ($isApi) {
                         if ($token) {
-                            showResult(true, Lang::T('Login Successful'), ['token' => "a.".$token]);
+                            showResult(true, Lang::T('Login Successful'), ['token' => "a." . $token]);
                         } else {
                             showResult(false, Lang::T('Invalid Username or Password'));
                         }
                     }
-                    _alert(Lang::T('Login Successful'),'success', "dashboard");
+                    _alert(Lang::T('Login Successful'), 'success', "dashboard");
                 } else {
                     _log($username . ' ' . Lang::T('Failed Login'), $d['user_type']);
-                    _alert(Lang::T('Invalid Username or Password').".",'danger', "admin");
+                    _alert(Lang::T('Invalid Username or Password') . ".", 'danger', "admin");
                 }
             } else {
-                _alert(Lang::T('Invalid Username or Password')."..",'danger', "admin");
+                _alert(Lang::T('Invalid Username or Password') . "..", 'danger', "admin");
             }
         } else {
-            _alert(Lang::T('Invalid Username or Password')."...",'danger', "admin");
+            _alert(Lang::T('Invalid Username or Password') . "...", 'danger', "admin");
         }
 
         break;
     default:
         run_hook('view_login'); #HOOK
+        $csrf_token = Csrf::generateAndStoreToken();
+        $ui->assign('csrf_token', $csrf_token);
         $ui->display('admin-login.tpl');
         break;
 }
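Review bot: If `Csrf::generateAndStoreToken()` replaces the stored token on every render (its implementation is not in this diff), a login page opened in a second tab or re-fetched by the browser invalidates the token held by the first form, and a legitimate submit is rejected with "Invalid CSRF Token". Worth confirming whether the store keeps one token per session; if so, the default branch should reuse an existing unexpired token rather than minting a new one. A one-line comment above the new assignment, such as `// token is bound to the session and verified in the 'post' branch`, would also make the pairing with the check above explicit. The enclosing `switch ($do)` starts outside the hunk.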
diff --git a/ui/ui/admin-login.tpl b/ui/ui/admin-login.tpl
index 3ba9e197..76e05f06 100644
--- a/ui/ui/admin-login.tpl
+++ b/ui/ui/admin-login.tpl
@@ -24,6 +24,7 @@
                 {$notify}
             {/if}
             <form action="{$_url}admin/post" method="post">
+                <input type="hidden" name="csrf_token" value="{$csrf_token}">
                 <div class="form-group has-feedback">
                     <input type="text" required class="form-control" name="username" placeholder="{Lang::T('Username')}">
                     <span class="glyphicon glyphicon-user form-control-feedback"></span>
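Review bot: The hidden field inserts `{$csrf_token}` into an attribute with no escape modifier, so its safety depends on the token alphabet chosen by `Csrf::generateAndStoreToken()`, which this diff does not show. Writing it as `{$csrf_token|escape}` keeps the attribute well-formed regardless of how the token is generated, unless the template engine already escapes by default; a quoted `value="…"` is in place, which is good.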