diff --git a/controllers/page.go b/controllers/page.go
index b438583..d03b0fc 100644
--- a/controllers/page.go
+++ b/controllers/page.go
@@ -7,6 +7,8 @@ import (
 "goweb/msg"
 "goweb/pager"
+ "github.com/labstack/echo/v4/middleware"
+
 "github.com/labstack/echo/v4"
 )
@@ -31,6 +33,7 @@ type Page struct {
 Keywords []string
 }
 Pager pager.Pager
+ CSRF string
 }
 func NewPage(c echo.Context) Page {
@@ -44,6 +47,10 @@ func NewPage(c echo.Context) Page {
 p.IsHome = p.Path == "/"
+ if csrf := c.Get(middleware.DefaultCSRFConfig.ContextKey); csrf != nil {
+ p.CSRF = csrf.(string)
+ }
+
 return p
 }
diff --git a/router/router.go b/router/router.go
index a80c507..5fd4b20 100644
--- a/router/router.go
+++ b/router/router.go
@@ -26,6 +26,9 @@ func BuildRouter(c *container.Container) {
 // TODO: needs cache control headers
 c.Web.Use(middleware.Static(StaticDir))
 c.Web.Use(session.Middleware(sessions.NewCookieStore([]byte(c.Config.App.EncryptionKey))))
+ c.Web.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
+ TokenLookup: "form:csrf",
+ }))
 // Base controller
 ctr := controllers.NewController(c)
diff --git a/views/components/forms.gohtml b/views/components/forms.gohtml
new file mode 100644
index 0000000..3a6d15e
--- /dev/null
+++ b/views/components/forms.gohtml
@@ -0,0 +1,3 @@
+{{define "csrf"}}
+
+{{end}}
\ No newline at end of file
diff --git a/views/pages/contact.gohtml b/views/pages/contact.gohtml
index 141d4d4..8882c19 100644
--- a/views/pages/contact.gohtml
+++ b/views/pages/contact.gohtml
@@ -3,5 +3,6 @@
+ {{template "csrf" .}}
 {{end}}
\ No newline at end of file
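Review bot: In `controllers/page.go`, the block added to `NewPage` uses an unchecked assertion, `p.CSRF = csrf.(string)`, which panics the request if a non-string value is ever stored under that context key. The comma-ok form avoids this at no cost: `if csrf, ok := c.Get(middleware.DefaultCSRFConfig.ContextKey).(string); ok { p.CSRF = csrf }`. The lookup also reads the key from `middleware.DefaultCSRFConfig`, while `router/router.go` builds its own `CSRFConfig`. The two agree today only because the router leaves `ContextKey` unset; if it is ever set there, the page would render an empty token and every form post would be rejected, so a constant shared by both files is safer. `NewPage` begins above this hunk.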
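Review bot: In `router/router.go`, the `CSRFConfig` passed to `CSRFWithConfig` sets only `TokenLookup`, so the token cookie gets the library defaults for its attributes. Unless the pinned echo version already hardens them, set them explicitly: `CookieHTTPOnly: true,`, `CookieSecure: true,` (when the site is served over HTTPS) and `CookieSameSite: http.SameSiteStrictMode,` (needs `net/http` imported). HttpOnly fits here because the token reaches the form through the server-rendered `Page.CSRF` field, not through script reading the cookie. The middleware is global and `form:csrf` is the only lookup, so every state-changing form must include the `csrf` template and JSON/XHR posts will be rejected; a comment above the `Use` call should say so, e.g. `// CSRF: token is read from the "csrf" form field only; every POST form must render {{template "csrf" .}}`. `BuildRouter` continues beyond the hunk.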
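Review bot: The body of the new `csrf` template in `views/components/forms.gohtml` shows as an empty line in this hunk, so the hidden field itself cannot be checked here. If the markup was only lost in rendering, confirm that the input's name is exactly `csrf`, since the router's `TokenLookup: "form:csrf"` reads that form key, and that its value comes from `{{.CSRF}}`. The expected shape is `<input type="hidden" name="csrf" value="{{.CSRF}}">`. A template comment such as `{{/* field name must match TokenLookup in router/router.go */}}` would keep the two from drifting apart.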