diff --git a/src/messenger/webim/operator/ban.php b/src/messenger/webim/operator/ban.php
index bdc798d3..f8cb7a59 100644
--- a/src/messenger/webim/operator/ban.php
+++ b/src/messenger/webim/operator/ban.php
@@ -21,6 +21,8 @@ require_once('../libs/operator.php');
 require_once('../libs/pagination.php');
 
 $operator = check_login();
+csrfchecktoken();
+
 $page = array('banId' => '');
 $page['saved'] = false;
 $page['thread'] = '';
diff --git a/src/messenger/webim/operator/blocked.php b/src/messenger/webim/operator/blocked.php
index 25e7290a..3a768c28 100644
--- a/src/messenger/webim/operator/blocked.php
+++ b/src/messenger/webim/operator/blocked.php
@@ -21,6 +21,8 @@ require_once('../libs/operator.php');
 require_once('../libs/pagination.php');
 
 $operator = check_login();
+csrfchecktoken();
+
 $page = array();
 $errors = array();
 
diff --git a/src/messenger/webim/operator/groupmembers.php b/src/messenger/webim/operator/groupmembers.php
index 410ed65b..4f8e7bff 100644
--- a/src/messenger/webim/operator/groupmembers.php
+++ b/src/messenger/webim/operator/groupmembers.php
@@ -20,6 +20,7 @@ require_once('../libs/operator.php');
 require_once('../libs/groups.php');
 
 $operator = check_login();
+csrfchecktoken();
 
 function get_group_members($groupid)
 {
diff --git a/src/messenger/webim/operator/groups.php b/src/messenger/webim/operator/groups.php
index b8bbaa3a..e2cde72d 100644
--- a/src/messenger/webim/operator/groups.php
+++ b/src/messenger/webim/operator/groups.php
@@ -19,6 +19,7 @@ require_once('../libs/common.php');
 require_once('../libs/operator.php');
 
 $operator = check_login();
+csrfchecktoken();
 
 if (isset($_GET['act']) && $_GET['act'] == 'del') {
 
diff --git a/src/messenger/webim/operator/opgroups.php b/src/messenger/webim/operator/opgroups.php
index 5b203e3c..5bf29038 100644
--- a/src/messenger/webim/operator/opgroups.php
+++ b/src/messenger/webim/operator/opgroups.php
@@ -20,6 +20,7 @@ require_once('../libs/operator.php');
 require_once('../libs/operator_settings.php');
 
 $operator = check_login();
+csrfchecktoken();
 
 function update_operator_groups($operatorid, $newvalue)
 {
diff --git a/src/messenger/webim/view/ban.php b/src/messenger/webim/view/ban.php
index e5bae6b1..4be3b462 100644
--- a/src/messenger/webim/view/ban.php
+++ b/src/messenger/webim/view/ban.php
@@ -42,6 +42,7 @@ require_once('inc_errors.php');
 <?php } ?>
 
 <form name="banForm" method="post" action="<?php echo $webimroot ?>/operator/ban.php">
+<?php print_csrf_token_input() ?>
 <input type="hidden" name="banId" value="<?php echo htmlspecialchars($page['banId']) ?>"/>
 <?php if( $page['threadid'] ) { ?>
 <input type="hidden" name="threadid" value="<?php echo htmlspecialchars($page['threadid']) ?>"/>
diff --git a/src/messenger/webim/view/blocked_visitors.php b/src/messenger/webim/view/blocked_visitors.php
index a65d4a55..4f333e66 100644
--- a/src/messenger/webim/view/blocked_visitors.php
+++ b/src/messenger/webim/view/blocked_visitors.php
@@ -81,7 +81,7 @@ if( $page['pagination.items'] ) {
 ?>
 	</td>
 	<td>
-		<a class="removelink" id="i<?php echo htmlspecialchars($b['banid']) ?>" href="<?php echo $webimroot ?>/operator/blocked.php?act=del&amp;id=<?php echo urlencode($b['banid']) ?>">
+		<a class="removelink" id="i<?php echo htmlspecialchars($b['banid']) ?>" href="<?php echo $webimroot ?>/operator/blocked.php?act=del&amp;id=<?php echo urlencode($b['banid']) ?><?php print_csrf_token_in_url() ?>">
 			remove
 		</a>
 	</td>
diff --git a/src/messenger/webim/view/group.php b/src/messenger/webim/view/group.php
index 13af0398..e0f7fc62 100644
--- a/src/messenger/webim/view/group.php
+++ b/src/messenger/webim/view/group.php
@@ -40,6 +40,7 @@ require_once('inc_errors.php');
 <?php } ?>
 
 <form name="groupForm" method="post" action="<?php echo $webimroot ?>/operator/group.php">
+<?php print_csrf_token_input() ?>
 <input type="hidden" name="gid" value="<?php echo htmlspecialchars($page['grid']) ?>"/>
 	<div>
 <?php print_tabbar(); ?>
diff --git a/src/messenger/webim/view/groups.php b/src/messenger/webim/view/groups.php
index 25b8aa9a..12d2b47e 100644
--- a/src/messenger/webim/view/groups.php
+++ b/src/messenger/webim/view/groups.php
@@ -91,7 +91,7 @@ if(count($page['groups']) > 0) {
 	</td>
 <?php if($page['canmodify']) { ?>
 	<td>
-		<a href="<?php echo $webimroot ?>/operator/groups.php?act=del&amp;gid=<?php echo urlencode($grp['groupid']) ?>" id="i<?php echo htmlspecialchars($grp['groupid']) ?>" class="removelink">
+		<a href="<?php echo $webimroot ?>/operator/groups.php?act=del&amp;gid=<?php echo urlencode($grp['groupid']) ?><?php print_csrf_token_in_url() ?>" id="i<?php echo htmlspecialchars($grp['groupid']) ?>" class="removelink">
 			remove
 		</a>
 	</td>