diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 57ce1de3..ef824e7f 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -5,6 +5,10 @@ Changelog Not yet released ---------------- +v3.3.2 (released November 22, 2018) +-------------------------------- +* #679: Fixed CSRF vulnerability, added CSRF-token to delete-URLs. + v3.3.1 (released August 10, 2018) -------------------------------- diff --git a/README.rst b/README.rst index c3a86aab..be39c348 100755 --- a/README.rst +++ b/README.rst @@ -5,7 +5,7 @@ PHP Server Monitor :alt: Join the chat at https://gitter.im/erickrf/nlpnet :target: https://gitter.im/phpservermon/phpservermon -Version 3.3.0 +Version 3.3.2 PHP Server Monitor is a script that checks whether your websites and servers are up and running. diff --git a/src/includes/psmconfig.inc.php b/src/includes/psmconfig.inc.php index 51753238..d575b301 100644 --- a/src/includes/psmconfig.inc.php +++ b/src/includes/psmconfig.inc.php @@ -29,7 +29,7 @@ /** * Current PSM version */ -define('PSM_VERSION', '3.3.1'); +define('PSM_VERSION', '3.3.2'); /** * URL to check for updates. Will not be checked if turned off on config page. diff --git a/src/psm/Router.php b/src/psm/Router.php index 782a9a88..04f52dbe 100644 --- a/src/psm/Router.php +++ b/src/psm/Router.php 
@@ -175,6 +175,25 @@ class Router { } } } + if ($request->getMethod() == 'GET' && $request->query->get('action', '') == "delete") { + // require CSRF token for all GET calls that delete something + $session = $this->container->get('user')->getSession(); + $token_in = $request->query->get('csrf', ''); + $csrf_key = $controller->getCSRFKey(); + + if (empty($csrf_key)) { + if (!hash_equals($session->get('csrf_token'), $token_in)) { + throw new \InvalidArgumentException('invalid_csrf_token'); + } + } else { + if (!hash_equals( + hash_hmac('sha256', $csrf_key, $session->get('csrf_token2')), + $token_in + )) { + throw new \InvalidArgumentException('invalid_csrf_token'); + } + } + } // get min required level for this controller and make sure the user matches $min_lvl = $controller->getMinUserLevelRequired(); diff --git a/src/templates/default/main/macros.tpl.html b/src/templates/default/main/macros.tpl.html index 47fb8fcc..63d6dca1 100644 --- a/src/templates/default/main/macros.tpl.html +++ b/src/templates/default/main/macros.tpl.html @@ -1,3 +1,7 @@ {% macro csrf_input() %} +{% endmacro %} + +{% macro csrf_query() %} +&csrf={{ csrf_token(csrf_key|default('')) }} {% endmacro %} \ No newline at end of file diff --git a/src/templates/default/module/server/log.tpl.html b/src/templates/default/module/server/log.tpl.html index 6edfb760..27191640 100644 --- a/src/templates/default/module/server/log.tpl.html +++ b/src/templates/default/module/server/log.tpl.html @@ -1,5 +1,6 @@ +{% import 'main/macros.tpl.html' as macro %} {% if has_admin_actions %} - +  {{ label_clear_log }}
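Review bot: The new guard only runs when `$request->getMethod() == 'GET'`, so a cross-origin `HEAD` request — which a browser will send with cookies via `fetch(url, {method: 'HEAD', mode: 'no-cors', credentials: 'include'})` and which PHP applications commonly process exactly like GET — would reach the delete controller with the token check skipped; I would widen the condition to `if (in_array($request->getMethod(), ['GET', 'HEAD'], true) && $request->query->get('action', '') === 'delete') {` (strict comparisons as well). Whether the controllers really treat HEAD like GET is not visible in this hunk, so confirm that before relying on it. The two `hash_equals()` calls also deserve a comment: when the session has no `csrf_token`/`csrf_token2` yet, `$session->get()` returns `null`, which on PHP 7 produces a warning and `false` (fail closed) but on PHP 8 is a `TypeError` rather than the `invalid_csrf_token` exception the caller presumably handles; casting with `(string) $session->get('csrf_token')` keeps the failure path uniform, and if the project still supports PHP below 5.6, `hash_equals()` does not exist at all. The enclosing `Router` method starts before this hunk and continues after it.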
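Review bot: Carrying the token in the query string (`&csrf={{ csrf_token(csrf_key|default('')) }}`) means it lands in browser history, proxy and web-server access logs, and the `Referer` header of any outbound link on the page the delete redirects to; when no `csrf_key` is passed this is the session-wide token, so one leak covers every delete for the rest of the session. A `Referrer-Policy: same-origin` (or `no-referrer`) response header limits the exposure, and moving deletes to POST with the existing `csrf_input()` macro would remove it; the per-action HMAC variant at least confines a leaked value to a single `csrf_key`. The value is also not URL-encoded — `{{ csrf_token(csrf_key|default(''))|url_encode }}` would be safer if the token can contain characters outside the URL-unreserved set, which the token format (not visible here) decides. Whether the callers pass a `csrf_key` cannot be seen in this patch, since the template hunks have lost their markup.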

diff --git a/src/templates/default/module/server/server/list.tpl.html b/src/templates/default/module/server/server/list.tpl.html index 9ab2ec66..acb6daa1 100644 --- a/src/templates/default/module/server/server/list.tpl.html +++ b/src/templates/default/module/server/server/list.tpl.html @@ -1,3 +1,4 @@ +{% import 'main/macros.tpl.html' as macro %} @@ -39,7 +40,7 @@ {% if user_level == 10 %} - + {% endif %} @@ -53,7 +54,7 @@   {% if user_level == 10 %} - + {% endif %} diff --git a/src/templates/default/module/server/server/view.tpl.html b/src/templates/default/module/server/server/view.tpl.html index af5224ea..bf1939d1 100644 --- a/src/templates/default/module/server/server/view.tpl.html +++ b/src/templates/default/module/server/server/view.tpl.html @@ -1,3 +1,4 @@ +{% import 'main/macros.tpl.html' as macro %}
@@ -100,7 +101,7 @@  {{ label_edit }} - +  {{ label_delete }} diff --git a/src/templates/default/module/user/user/list.tpl.html b/src/templates/default/module/user/user/list.tpl.html index d76e530c..df0a39b4 100644 --- a/src/templates/default/module/user/user/list.tpl.html +++ b/src/templates/default/module/user/user/list.tpl.html @@ -1,3 +1,4 @@ +{% import 'main/macros.tpl.html' as macro %}
@@ -33,7 +34,7 @@ - + @@ -56,7 +57,7 @@ - +