diff --git a/system/autoload/Message.php b/system/autoload/Message.php
index cff8db31..a1a50a58 100644
--- a/system/autoload/Message.php
+++ b/system/autoload/Message.php
@@ -193,11 +193,11 @@ class Message
 && !empty($message) && in_array($via, ['sms', 'wa']) ) { if ($via == 'sms') {
- echo Message::sendSMS($customer['phonenumber'], $msg);
+ Message::sendSMS($customer['phonenumber'], $msg);
 } else if ($via == 'email') { self::sendEmail($customer['email'], '[' . $config['CompanyName'] . '] ' . Lang::T("Internet Plan Reminder"), $msg); } else if ($via == 'wa') {
- echo Message::sendWhatsapp($customer['phonenumber'], $msg);
+ Message::sendWhatsapp($customer['phonenumber'], $msg);
 } } return "$via: $msg";
diff --git a/system/controllers/customers.php b/system/controllers/customers.php
index 57c20474..c623c691 100644
--- a/system/controllers/customers.php
+++ b/system/controllers/customers.php
@@ -25,6 +25,10 @@ switch ($action) {
 if (!in_array($admin['user_type'], ['SuperAdmin', 'Admin'])) { _alert(Lang::T('You do not have permission to access this page'), 'danger', "dashboard"); }
+ $csrf_token = _req('token');
+ if (!Csrf::check($csrf_token)) {
+ r2(U . 'customers', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
+ }
 $cs = ORM::for_table('tbl_customers') ->select('tbl_customers.id', 'id')
@@ -153,6 +157,7 @@ switch ($action) {
 } $ui->assign('xheader', $leafletpickerHeader); run_hook('view_add_customer'); #HOOK
+ $ui->assign('csrf_token', Csrf::generateAndStoreToken());
 $ui->display('customers-add.tpl'); break; case 'recharge':
@@ -161,6 +166,10 @@ switch ($action) {
 } $id_customer = $routes['2']; $plan_id = $routes['3'];
+ $csrf_token = _req('token');
+ if (!Csrf::check($csrf_token)) {
+ r2(U . 'customers/view/' . $id_customer, 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
+ }
 $b = ORM::for_table('tbl_user_recharges')->where('customer_id', $id_customer)->where('plan_id', $plan_id)->find_one(); if ($b) { $gateway = 'Recharge';
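Review bot: The `else if ($via == 'email')` branch in this hunk is unreachable on the new side as well: the guard in the context lines only admits `in_array($via, ['sms', 'wa'])`, so `self::sendEmail(...)` can never execute from this block. Either extend the guard to `in_array($via, ['sms', 'wa', 'email'], true)` (strict, so a non-string `$via` cannot match) or delete the dead branch, depending on what callers actually pass. Removing the `echo` also means the value returned by `sendSMS`/`sendWhatsapp` is now discarded while the method still returns `"$via: $msg"` unconditionally, so a caller cannot distinguish a delivered reminder from a failed one; if that return value signals failure, capture it and surface it. The enclosing method starts before this hunk.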
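Review bot: The same four-line CSRF block is pasted into ten hunks of customers.php (this one and those at old lines 161, 210, 238, 266, 318, 340, 375, 499 and 715), and the link-driven actions read `_req('token')` while the form handlers read `_post('csrf_token')`, so the two token names will drift apart the first time one is renamed; a small helper in this controller that takes the redirect target, plus a single parameter name, would remove both problems. If `_req()` accepts query-string input, as its name suggests, the token for these actions travels in the URL and ends up in browser history, access logs and Referer headers, which weakens the protection compared with a POST form or a short-lived token. `Csrf::check()` is not in this diff; confirm that it rejects an empty or missing token and compares with `hash_equals()`. `r2()` is presumably redirect-then-exit; if it can return, execution continues into the `$cs = ORM::for_table('tbl_customers')` query with the check failed.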
@@ -199,6 +208,7 @@ switch ($action) {
 $ui->assign('channel', $channel); $ui->assign('server', $b['routers']); $ui->assign('plan', $plan);
+ $ui->assign('csrf_token', Csrf::generateAndStoreToken());
 $ui->display('recharge-confirm.tpl'); } else { r2(U . 'customers/view/' . $id_customer, 'e', 'Cannot find active plan');
@@ -210,6 +220,10 @@ switch ($action) {
 } $id_customer = $routes['2']; $plan_id = $routes['3'];
+ $csrf_token = _req('token');
+ if (!Csrf::check($csrf_token)) {
+ r2(U . 'customers/view/' . $id_customer, 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
+ }
 $b = ORM::for_table('tbl_user_recharges')->where('customer_id', $id_customer)->where('plan_id', $plan_id)->find_one(); if ($b) { $p = ORM::for_table('tbl_plans')->where('id', $b['plan_id'])->find_one();
@@ -238,6 +252,10 @@ switch ($action) {
 break; case 'sync': $id_customer = $routes['2'];
+ $csrf_token = _req('token');
+ if (!Csrf::check($csrf_token)) {
+ r2(U . 'customers/view/' . $id_customer, 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
+ }
 $bs = ORM::for_table('tbl_user_recharges')->where('customer_id', $id_customer)->where('status', 'on')->findMany(); if ($bs) { $routers = [];
@@ -266,8 +284,12 @@ switch ($action) {
 _alert(Lang::T('You do not have permission to access this page'), 'danger', "dashboard"); } $id = $routes['2'];
+ $csrf_token = _req('token');
+ if (!Csrf::check($csrf_token)) {
+ r2(U . 'customers/view/' . $id, 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
+ }
 $customer = ORM::for_table('tbl_customers')->find_one($id);
- if($customer){
+ if ($customer) {
 $_SESSION['uid'] = $id; User::setCookie($id); _alert("You are logging in as $customer[fullname],
don't logout just close tab.", 'info', "home", 10);
@@ -308,6 +330,7 @@ switch ($action) {
 $ui->assign('d', $customer); $ui->assign('customFields', $customFields); $ui->assign('xheader', $leafletpickerHeader);
+ $ui->assign('csrf_token', Csrf::generateAndStoreToken());
 $ui->display('customers-view.tpl'); } else { r2(U . 'customers/list', 'e', Lang::T('Account Not Found'));
@@ -318,6 +341,10 @@ switch ($action) {
 _alert(Lang::T('You do not have permission to access this page'), 'danger', "dashboard"); } $id = $routes['2'];
+ $csrf_token = _req('token');
+ if (!Csrf::check($csrf_token)) {
+ r2(U . 'customers/view/' . $id, 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
+ }
 run_hook('edit_customer'); #HOOK $d = ORM::for_table('tbl_customers')->find_one($id); // Fetch the Customers Attributes values from the tbl_customers_fields table
@@ -329,6 +356,7 @@ switch ($action) {
 $ui->assign('statuses', ORM::for_table('tbl_customers')->getEnum("status")); $ui->assign('customFields', $customFields); $ui->assign('xheader', $leafletpickerHeader);
+ $ui->assign('csrf_token', Csrf::generateAndStoreToken());
 $ui->display('customers-edit.tpl'); } else { r2(U . 'customers/list', 'e', Lang::T('Account Not Found'));
@@ -340,6 +368,10 @@ switch ($action) {
 _alert(Lang::T('You do not have permission to access this page'), 'danger', "dashboard"); } $id = $routes['2'];
+ $csrf_token = _req('token');
+ if (!Csrf::check($csrf_token)) {
+ r2(U . 'customers/view/' . $id, 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
+ }
 run_hook('delete_customer'); #HOOK $c = ORM::for_table('tbl_customers')->find_one($id); if ($c) {
@@ -375,6 +407,11 @@ switch ($action) {
 break; case 'add-post':
+
+ $csrf_token = _post('csrf_token');
+ if (!Csrf::check($csrf_token)) {
+ r2(U . 'customers/add', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
+ }
 $username = alphanumeric(_post('username'), ":+_.@-"); $fullname = _post('fullname'); $password = trim(_post('password'));
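Review bot: The `view` branch now assigns `csrf_token` before `$ui->display('customers-view.tpl')`, but no change to customers-view.tpl is in this diff, while the actions that page presumably links to (recharge, sync, delete, and the login-as-customer branch at old line 266) now redirect with "Invalid or Expired CSRF Token" whenever `token` is absent; if that template does not yet append the token to those links, this commit breaks them rather than protecting them. Every page render here also calls `Csrf::generateAndStoreToken()`; if that replaces a single session-stored token, a user with the customer list open in one tab and an edit form in another will have the first tab's links rejected, so either keep a small window of valid tokens or reuse the current unexpired one. Both points are inferred from the call names, since the Csrf class is not in the diff.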
@@ -499,6 +536,11 @@ switch ($action) {
 break; case 'edit-post':
+ $id = _post('id');
+ $csrf_token = _post('csrf_token');
+ if (!Csrf::check($csrf_token)) {
+ r2(U . 'customers/edit/' . $id, 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
+ }
 $username = alphanumeric(_post('username'), ":+_.@-"); $fullname = _post('fullname'); $account_type = _post('account_type');
@@ -526,7 +568,6 @@ switch ($action) {
 $msg .= 'Full Name should be between 2 to 25 characters' . '
'; }
- $id = _post('id');
 $c = ORM::for_table('tbl_customers')->find_one($id); if (!$c) {
@@ -551,8 +592,8 @@ switch ($action) {
 if (ORM::for_table('tbl_customers')->where('username', $username)->find_one()) { $msg .= Lang::T('Username already used by another customer') . '
'; }
- if(ORM::for_table('tbl_customers')->where('pppoe_username', $username)->find_one()){
- $msg.= Lang::T('Username already used by another pppoe username customer') . '
';
+ if (ORM::for_table('tbl_customers')->where('pppoe_username', $username)->find_one()) {
+ $msg .= Lang::T('Username already used by another pppoe username customer') . '
'; } $userDiff = true; }
@@ -659,13 +700,13 @@ switch ($action) {
 (new $p['device'])->change_username($p, $oldusername, $username); } if ($pppoeDiff && $tur['type'] == 'PPPOE') {
- if(empty($oldPppoeUsername) && !empty($pppoe_username)){
+ if (empty($oldPppoeUsername) && !empty($pppoe_username)) {
 // admin just add pppoe username (new $p['device'])->change_username($p, $username, $pppoe_username);
- }else if(empty($pppoe_username) && !empty($oldPppoeUsername)){
+ } else if (empty($pppoe_username) && !empty($oldPppoeUsername)) {
 // admin want to use customer username (new $p['device'])->change_username($p, $oldPppoeUsername, $username);
- }else{
+ } else {
 // regular change pppoe username (new $p['device'])->change_username($p, $oldPppoeUsername, $pppoe_username); }
@@ -715,6 +756,10 @@ switch ($action) {
 $query->order_by_desc($order); } if (_post('export', '') == 'csv') {
+ $csrf_token = _post('csrf_token');
+ if (!Csrf::check($csrf_token)) {
+ r2(U . 'customers', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
+ }
 $d = $query->findMany(); $h = false; set_time_limit(-1);
@@ -764,6 +809,7 @@ switch ($action) {
 $ui->assign('order', $order); $ui->assign('order_pos', $order_pos[$order]); $ui->assign('orderby', $orderby);
+ $ui->assign('csrf_token', Csrf::generateAndStoreToken());
 $ui->display('customers.tpl'); break; }
diff --git a/system/controllers/register.php b/system/controllers/register.php
index 9d5bce14..923274a1 100644
--- a/system/controllers/register.php
+++ b/system/controllers/register.php
@@ -22,7 +22,7 @@ switch ($do) {
 $password = _post('password'); $cpassword = _post('cpassword'); $address = _post('address');
-
+
 // Separate phone number input if OTP is required if (!empty($config['sms_url']) && $_c['sms_otp_registration'] == 'yes') { $phone_number = alphanumeric(_post('phone_number'), "+_.@-");
@@ -81,7 +81,7 @@ switch ($do) {
 if ($d) { $msg .= Lang::T('Account already exists') . '
'; }
-
+
 if ($msg == '') { run_hook('register_user'); #HOOK $d = ORM::for_table('tbl_customers')->create();
diff --git a/system/lan/indonesia.json b/system/lan/indonesia.json
index 90d7a515..640c3c20 100644
--- a/system/lan/indonesia.json
+++ b/system/lan/indonesia.json
@@ -745,5 +745,11 @@
 "Limit": "Membatasi",
 "Create_expired_Internet_Package": "Buat Paket Internet yang Kedaluwarsa",
 "When_customer_expired__you_can_move_it_to_Expired_Internet_Package": "Ketika pelanggan telah kedaluwarsa, Anda dapat memindahkannya ke Paket Internet Kedaluwarsa",
- "Miscellaneous_Settings": "Pengaturan Lain-Lain"
+ "Miscellaneous_Settings": "Pengaturan Lain-Lain",
+ "Minute": "Menit",
+ "Hour": "Jam",
+ "Buy_Balance_Plans": "Beli Paket Saldo",
+ "New_Voucher_for_10mbps_Created": "Voucher Baru untuk 10mbps Dibuat",
+ "Previous": "Sebelumnya",
+ "Share": "Membagikan"
 }
\ No newline at end of file
diff --git a/ui/ui/customers-add.tpl b/ui/ui/customers-add.tpl
index 893fe24e..cc2ff88c 100644
--- a/ui/ui/customers-add.tpl
+++ b/ui/ui/customers-add.tpl
@@ -1,6 +1,7 @@
 {include file="sections/header.tpl"}
+
diff --git a/ui/ui/customers-edit.tpl b/ui/ui/customers-edit.tpl index d85a26df..c7dd43bc 100644 --- a/ui/ui/customers-edit.tpl +++ b/ui/ui/customers-edit.tpl @@ -1,6 +1,7 @@ {include file="sections/header.tpl"} +
@@ -239,12 +239,12 @@ @@ -261,16 +261,16 @@ {Lang::T('Back')}
diff --git a/ui/ui/customers.tpl b/ui/ui/customers.tpl index 7bb00743..1e8b2999 100644 --- a/ui/ui/customers.tpl +++ b/ui/ui/customers.tpl @@ -17,7 +17,7 @@
{if in_array($_admin['user_type'],['SuperAdmin','Admin'])}
- CSV
@@ -26,6 +26,7 @@
+
@@ -147,13 +148,13 @@   {Lang::T('View')}   -   {Lang::T('Edit')}   -   {Lang::T('Sync')}   - {Lang::T('Recharge')}
diff --git a/ui/ui/sections/header.tpl b/ui/ui/sections/header.tpl
index 17fd0dc0..d98b4641 100644
--- a/ui/ui/sections/header.tpl
+++ b/ui/ui/sections/header.tpl
@@ -276,6 +276,10 @@
 font-weight: bold; }
+ .box.box-solid.box-primary > .box-header .btn {
+ color: inherit;
+ }
+
 .box-header>.fa, .box-header>.glyphicon, .box-header>.ion,