diff --git a/op/op.Settings.php b/op/op.Settings.php
index 8b3772e19..ca550b1e0 100644
--- a/op/op.Settings.php
+++ b/op/op.Settings.php
@@ -44,6 +44,11 @@ if (!$user->isAdmin()) {
 UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
 }
+/* Check if the form data comes from a trusted request */
+if(!checkFormKey('savesettings')) {
+ UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
+}
+
 if (isset($_POST["action"])) $action=$_POST["action"];
 else if (isset($_GET["action"])) $action=$_GET["action"];
 else $action=NULL;
diff --git a/views/bootstrap/class.Settings.php b/views/bootstrap/class.Settings.php
index 43928b1ed..8187e7c3f 100644
--- a/views/bootstrap/class.Settings.php
+++ b/views/bootstrap/class.Settings.php
@@ -254,6 +254,7 @@ class SeedDMS_View_Settings extends SeedDMS_Bootstrap_Style {
 ?>
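Review bot: The title passed to UI::exitError in the new checkFormKey branch of op/op.Settings.php is the folder-page title, `getMLText("folder_title", array("foldername" => getMLText("invalid_request_token")))`, with the token message substituted as a folder name, which looks copied from a folder operation; the admin check two lines above uses `getMLText("admin_tools")` as its title, and this branch should match it: `UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));`. Because the check sits before `$action` is read, it covers every action of this op, including ones reached through `$_GET["action"]` on the following lines — if any of those are plain links rather than form posts, they now need the form token too (whether checkFormKey accepts a GET-supplied token is not visible here, so worth confirming). Minor: `if(!checkFormKey` drops the space used by the surrounding `if (` statements. The enclosing script continues outside the hunk, and the second hunk is cut off in this view.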