diff --git a/list.php b/list.php
index c85523f9..1e4c350a 100644
--- a/list.php
+++ b/list.php
@@ -10,6 +10,13 @@ function getFullName() {
     else
         echo "Blacklist";
 }
+
+// Generate CSRF token
+session_start();
+if(empty($_SESSION['token'])) {
+    $_SESSION['token'] = base64_encode(openssl_random_pseudo_bytes(32));
+}
+$token = $_SESSION['token'];
 ?>
 
 <!-- Title -->
@@ -86,8 +93,8 @@ require "footer.php";
         document.getElementById("alFailure").hidden = true;
         $.ajax({
             url: "php/add.php",
-            method: "get",
-            data: {"domain":domain, "list":"<?php echo $list ?>"},
+            method: "post",
+            data: {"domain":domain, "list":"<?php echo $list ?>", "token":"<?php echo $token ?>"},
             success: function(response) {
                 if(response.length !== 0)
                     return;
@@ -104,8 +111,8 @@ require "footer.php";
         $("#"+index).hide("highlight");
         $.ajax({
             url: "php/sub.php",
-            method: "get",
-            data: {"domain":entry, "list":"<?php echo $list ?>"},
+            method: "post",
+            data: {"domain":entry, "list":"<?php echo $list ?>", "token":"<?php echo $token ?>"},
             success: function(response) {
                 if(response.length !== 0)
                     return;
diff --git a/php/add.php b/php/add.php
index 2e84f944..e959fdac 100644
--- a/php/add.php
+++ b/php/add.php
@@ -1,12 +1,18 @@
 <?php
-if(!isset($_GET['domain'], $_GET['list']))
+if(!isset($_POST['domain'], $_POST['list'], $_POST['token']))
     die();
 
-switch($_GET['list']) {
+session_start();
+
+// Check CSRF token
+if(!hash_equals($_SESSION['token'], $_POST['token']))
+    die("Wrong token!");
+
+switch($_POST['list']) {
     case "white":
-        exec("sudo pihole -w -q ${_GET['domain']}");
+        exec("sudo pihole -w -q ${_POST['domain']}");
         break;
     case "black":
-        exec("sudo pihole -b -q ${_GET['domain']}");
+        exec("sudo pihole -b -q ${_POST['domain']}");
         break;
 }
diff --git a/php/sub.php b/php/sub.php
index ba3f7145..b6c616e8 100644
--- a/php/sub.php
+++ b/php/sub.php
@@ -1,12 +1,18 @@
 <?php
-if(!isset($_GET['domain'], $_GET['list']))
+if(!isset($_POST['domain'], $_POST['list'], $_POST['token']))
     die();
 
-switch($_GET['list']) {
+session_start();
+
+// Check CSRF token
+if(!hash_equals($_SESSION['token'], $_POST['token']))
+    die("Wrong token!");
+
+switch($_POST['list']) {
     case "white":
-        exec("sudo pihole -w -q -d ${_GET['domain']}");
+        exec("sudo pihole -w -q -d ${_POST['domain']}");
         break;
     case "black":
-        exec("sudo pihole -b -q -d ${_GET['domain']}");
+        exec("sudo pihole -b -q -d ${_POST['domain']}");
         break;
 }