diff --git a/controllers/C_Document.class.php b/controllers/C_Document.class.php
index a8d82eed6..4c1d83c47 100644
--- a/controllers/C_Document.class.php
+++ b/controllers/C_Document.class.php
@@ -14,6 +14,7 @@
 require_once(dirname(__FILE__) . "/../library/forms.inc");
 require_once(dirname(__FILE__) . "/../library/formatting.inc.php");
 require_once(dirname(__FILE__) . "/../library/classes/postmaster.php" );
+require_once(dirname(__FILE__) . "/../library/sanitize.inc.php" );
 
 class C_Document extends Controller {
 
@@ -170,6 +171,8 @@ function upload_action_process() {
                     if ($_FILES['file']['size'][$key] == 0) {
                         $error .= "The system does not permit uploading files of with size 0.\n";
                     }
+                } elseif (!isSafeFile($_FILES['file']['tmp_name'][$key])) {
+                    $error = xl("The system does not permit uploading files with MIME content type") . " - " . mime_content_type($_FILES['file']['tmp_name'][$key]) . ".\n";
                 } else {
                     $tmpfile = fopen($_FILES['file']['tmp_name'][$key], "r");
                     $filetext = fread($tmpfile, $_FILES['file']['size'][$key]);
diff --git a/interface/billing/edi_history_main.php b/interface/billing/edi_history_main.php
index 1e15f4de5..1195d77f3 100644
--- a/interface/billing/edi_history_main.php
+++ b/interface/billing/edi_history_main.php
@@ -70,6 +70,7 @@
 require_once("$srcdir/edihistory/ibr_ack_read.php");          //dirname(__FILE__) . "/edihist/ibr_ack_read.php");
 require_once("$srcdir/edihistory/ibr_uploads.php");           //dirname(__FILE__) . "/edihist/ibr_uploads.php");
 require_once("$srcdir/edihistory/ibr_io.php");                //dirname(__FILE__) . "/edihist/ibr_io.php");
+require_once("../../library/CsrfToken.php");
 //
 // php may output line endings if include files are utf-8
 ob_clean();
@@ -100,6 +101,14 @@
  */
 
 if (strtolower($_SERVER['REQUEST_METHOD']) == 'post') {
+    if (!empty($_POST)) {
+        if (!isset($_POST['token'])) {
+            error_log('WARNING: A POST request detected with no csrf token found');
+            die('Authentication failed.');
+        } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
+            die('Authentication failed.');
+        }
+    }
     //
     if ( isset($_POST['NewFiles']) ) {
         // process new files button clicked
diff --git a/interface/billing/edih_view.php b/interface/billing/edih_view.php
index dc76f7b7e..af5a45458 100644
--- a/interface/billing/edih_view.php
+++ b/interface/billing/edih_view.php
@@ -75,6 +75,7 @@
                 <legend><?php echo xlt("Select one or more files to upload"); ?></legend>
                 <input id="upload_file" type="file" name="fileUplMulti[]" class="cp-positive" multiple />
                 <input type="submit" name="uplsubmt" class="cp-submit" value="<?php echo xla("Submit"); ?>" />
+                <input type='hidden' name='token' value="<?php echo $_SESSION['token'];?>" />
                 </fieldset>
             </form>
          </td>
@@ -87,6 +88,7 @@
                 <input type="hidden" name="NewFiles" value="ProcessNew">
                 <label for="New-Files">Process New Files:</label>
                 <input id="processfiles"  name="Process" class="cp-output" type="button" value="<?php echo xla("Process"); ?>" />
+                <input type='hidden' name='token' value="<?php echo $_SESSION['token'];?>" />
                 </fieldset>
             </form>
          </td>
@@ -159,6 +161,7 @@
                         -->
                         <td align='center'>
                             <input type="hidden" name="csvshowtable" value="gettable">
+                            <input type='hidden' name='token' value="<?php echo $_SESSION['token'];?>" />
                             <input id="showtable" type="button" class="cp-submit" value="<?php echo xla("Submit"); ?>" />
                         </td>
 
@@ -220,6 +223,7 @@
                 <label for="era_file"><?php echo xlt("Filename"); ?>:</label>
                 <input id="era_file" type="file" size=20 name="fileUplEra" class="cp-positive" />
                 <input type="submit" name="fileERA" class="cp-submit" value="<?php echo xla("Submit"); ?>" />
+                <input type='hidden' name='token' value="<?php echo $_SESSION['token'];?>" />
             </fieldset>
             </form>
         </td>
@@ -236,6 +240,7 @@
             <label for="trace835"><?php echo xlt("Check No"); ?>:</label>
             <input type="text" size=10 name="trace835" value="" />
             <input type="submit" name="subtrace835" class="cp-submit" value="<?php echo xla("Submit"); ?>" />
+            <input type='hidden' name='token' value="<?php echo $_SESSION['token'];?>" />
         </fieldset>
         </form>
         </td>
@@ -253,6 +258,7 @@
                         <label for="enctr"><?php echo xlt("Enter Encounter"); ?>:</label>
                         <input type="text" name="enctrbatch" size=10 value="" />
                         <input type="submit" name="Batch-enctr" class="cp-submit" value="<?php echo xla("Submit"); ?>" />
+                        <input type='hidden' name='token' value="<?php echo $_SESSION['token'];?>" />
                     </fieldset>
                 </form>
               </td>
@@ -263,6 +269,7 @@
                     <label for="enctrERA"><?php echo xlt("Enter Encounter"); ?>:</label>
                     <input type="text" name="enctrEra" size=10 value="" />
                     <input type="submit" name="eraText" class="cp-submit" value="<?php echo xla("Submit"); ?>" />
+                    <input type='hidden' name='token' value="<?php echo $_SESSION['token'];?>" />
                 </fieldset>
                 </form>
               </td>
@@ -275,6 +282,7 @@
                     <label for="x12file"><?php echo xlt("Choose File"); ?>:</label>
                     <input id="x12file" type="file" name="fileUplx12" class="cp-positive" />
                     <input type="submit" name="fileX12" class="cp-submit" value="<?php echo xla("Submit"); ?>" />
+                    <input type='hidden' name='token' value="<?php echo $_SESSION['token'];?>" />
                 </fieldset>
                 </form>
             </td>
@@ -309,6 +317,7 @@
                     <input id="savenotes" type="button" class="cp-submit" value="<?php echo xla("Save"); ?>" />
                     <label for="closenotes"><?php echo xlt("Close"); ?></label>
                     <input id="closenotes" type="button" class="cp-negative" value="<?php echo xla("Close"); ?>" />
+                    <input type='hidden' name='token' value="<?php echo $_SESSION['token'];?>" />
                     </fieldset>
                     </form>
                 </td>
diff --git a/interface/billing/sl_eob_search.php b/interface/billing/sl_eob_search.php
index 9180b8a80..949d4ba2f 100644
--- a/interface/billing/sl_eob_search.php
+++ b/interface/billing/sl_eob_search.php
@@ -470,7 +470,7 @@ function upload_file_to_client_pdf($file_to_send) {
       if ($DEBUG) {
         $alertmsg = xl("Printing skipped; see test output in") .' '. $STMT_TEMP_FILE;
       } else {
-        exec("$STMT_PRINT_CMD $STMT_TEMP_FILE");
+        exec(escapeshellcmd($STMT_PRINT_CMD) . " " . escapeshellarg($STMT_TEMP_FILE));
         if ($_POST['form_without']) {
           $alertmsg = xl('Now printing') .' '. $stmt_count .' '. xl('statements; invoices will not be updated.');
         } else {
@@ -665,7 +665,7 @@ function npopup(pid) {
     // Handle .zip extension if present.  Probably won't work on Windows.
     if (strtolower(substr($_FILES['form_erafile']['name'], -4)) == '.zip') {
       rename($tmp_name, "$tmp_name.zip");
-      exec("unzip -p $tmp_name.zip > $tmp_name");
+      exec("unzip -p " . escapeshellarg($tmp_name . ".zip") . " > " . escapeshellarg($tmp_name));
       unlink("$tmp_name.zip");
     }
 
diff --git a/interface/fax/fax_dispatch.php b/interface/fax/fax_dispatch.php
index e66863fe6..72190abff 100644
--- a/interface/fax/fax_dispatch.php
+++ b/interface/fax/fax_dispatch.php
@@ -64,7 +64,7 @@
 //
 function getKittens($catid, $catstring, &$categories) {
   $cres = sqlStatement("SELECT id, name FROM categories " .
-    "WHERE parent = $catid ORDER BY name");
+    "WHERE parent = ? ORDER BY name", array($catid));
   $childcount = 0;
   while ($crow = sqlFetchArray($cres)) {
     ++$childcount;
@@ -88,7 +88,7 @@ function mergeTiffs() {
     $inames .= ' ' . escapeshellarg("$inbase.tif");
   }
   if (!$inames) die(xl("Internal error - no pages were selected!"));
-  $tmp0 = exec("cd '$faxcache'; tiffcp $inames temp.tif", $tmp1, $tmp2);
+  $tmp0 = exec("cd " . escapeshellarg($faxcache) . "; tiffcp $inames temp.tif", $tmp1, $tmp2);
   if ($tmp2) {
     $msg .= "tiffcp returned $tmp2: $tmp0 ";
   }
@@ -107,7 +107,7 @@ function mergeTiffs() {
     if (!$patient_id) die(xl('Internal error - patient ID was not provided!'));
     // Compute the name of the target directory and make sure it exists.
     $docdir = $GLOBALS['OE_SITE_DIR'] . "/documents/$patient_id";
-    exec("mkdir -p '$docdir'");
+    exec("mkdir -p " . escapeshellarg($docdir));
 
     // If copying to patient documents...
     //
@@ -134,7 +134,7 @@ function mergeTiffs() {
       $info_msg .= mergeTiffs();
       // The -j option here requires that libtiff is configured with libjpeg.
       // It could be omitted, but the output PDFs would then be quite large.
-      $tmp0 = exec("tiff2pdf -j -p letter -o '$target' '$faxcache/temp.tif'", $tmp1, $tmp2);
+      $tmp0 = exec("tiff2pdf -j -p letter -o " . escapeshellarg($target) . " " . escapeshellarg($faxcache . '/temp.tif'), $tmp1, $tmp2);
 
       if ($tmp2) {
         $info_msg .= "tiff2pdf returned $tmp2: $tmp0 ";
@@ -153,10 +153,8 @@ function mergeTiffs() {
         sqlStatement($query);
         $query = "INSERT INTO categories_to_documents ( " .
           "category_id, document_id" .
-          " ) VALUES ( " .
-          "'$catid', '$newid' " .
-          ")";
-        sqlStatement($query);
+          " ) VALUES (?, ?)";
+        sqlStatement($query, array($catid, $newid));
       } // end not error
 
       // If we are posting a note...
@@ -165,7 +163,7 @@ function mergeTiffs() {
         // See pnotes_full.php which uses this to auto-display the document.
         $note = "$ffname$ffmod$ffsuff";
         for ($tmp = $catid; $tmp;) {
-          $catrow = sqlQuery("SELECT name, parent FROM categories WHERE id = '$tmp'");
+          $catrow = sqlQuery("SELECT name, parent FROM categories WHERE id = ?", array($tmp));
           $note = $catrow['name'] . "/$note";
           $tmp = $catrow['parent'];
         }
@@ -203,24 +201,22 @@ function mergeTiffs() {
 // scanned notes must be installed, and does not natively exist.
         $query = "INSERT INTO form_scanned_notes ( " .
           "notes " .
-          ") VALUES ( " .
-          "'" . $_POST['form_copy_sn_comments'] . "' " .
-          ")";
-        $formid = sqlInsert($query);
+          ") VALUES (?)";
+        $formid = sqlInsert($query, array($_POST['form_copy_sn_comments']));
         addForm($encounter_id, "Scanned Notes", $formid, "scanned_notes",
           $patient_id, $userauthorized);
         //
         $imagedir = $GLOBALS['OE_SITE_DIR'] . "/documents/$patient_id/encounters";
         $imagepath = "$imagedir/${encounter_id}_$formid.jpg";
         if (! is_dir($imagedir)) {
-          $tmp0 = exec('mkdir -p "' . $imagedir . '"', $tmp1, $tmp2);
+          $tmp0 = exec('mkdir -p ' . escapeshellarg($imagedir), $tmp1, $tmp2);
           if ($tmp2) die("mkdir returned $tmp2: $tmp0");
-          exec("touch '$imagedir/index.html'");
+          exec("touch " . escapeshellarg($imagedir . "/index.html"));
         }
         if (is_file($imagepath)) unlink($imagepath);
         // TBD: There may be a faster way to create this file, given that
         // we already have a jpeg for each page in faxcache.
-        $cmd = "convert -resize 800 -density 96 '$tmp_name' -append '$imagepath'";
+        $cmd = "convert -resize 800 -density 96 " . escapeshellarg($tmp_name) . " -append " . escapeshellarg($imagepath);
         $tmp0 = exec($cmd, $tmp1, $tmp2);
         if ($tmp2) die("\"$cmd\" returned $tmp2: $tmp0");
       }
@@ -271,8 +267,8 @@ function mergeTiffs() {
     $cpstring = str_replace('{MESSAGE}'       , $form_message , $cpstring);
     fwrite($tmph, $cpstring);
     fclose($tmph);
-    $tmp0 = exec("cd $webserver_root/custom; " . $GLOBALS['hylafax_enscript'] .
-      " -o $tmpfn2 $tmpfn1", $tmp1, $tmp2);
+      $tmp0 = exec("cd " . escapeshellarg($webserver_root . '/custom') . "; " . escapeshellcmd($GLOBALS['hylafax_enscript']) .
+        " -o " . escapeshellarg($tmpfn2) . " " . escapeshellarg($tmpfn1), $tmp1, $tmp2);
     if ($tmp2) {
       $info_msg .= "enscript returned $tmp2: $tmp0 ";
     }
@@ -280,8 +276,8 @@ function mergeTiffs() {
 
     // Send the fax as the cover page followed by the selected pages.
     $info_msg .= mergeTiffs();
-    $tmp0 = exec("sendfax -A -n $form_finemode -d " .
-      escapeshellarg($form_fax) . " $tmpfn2 '$faxcache/temp.tif'",
+    $tmp0 = exec("sendfax -A -n " . escapeshellarg($form_finemode) . " -d " .
+      escapeshellarg($form_fax) . " " . escapeshellarg($tmpfn2) . " " . escapeshellarg($faxcache . '/temp.tif'),
       $tmp1, $tmp2);
     if ($tmp2) {
       $info_msg .= "sendfax returned $tmp2: $tmp0 ";
@@ -356,21 +352,21 @@ function mergeTiffs() {
 // This will contain a .tif image as well as a .jpg image for each page.
 //
 if (! is_dir($faxcache)) {
-  $tmp0 = exec('mkdir -p "' . $faxcache . '"', $tmp1, $tmp2);
+  $tmp0 = exec('mkdir -p ' . escapeshellarg($faxcache), $tmp1, $tmp2);
   if ($tmp2) die("mkdir returned $tmp2: $tmp0");
   if (strtolower($ext) != '.tif') {
     // convert's default density for PDF-to-TIFF conversion is 72 dpi which is
     // not very good, so we upgrade it to "fine mode" fax quality.  It's really
     // better and faster if the scanner produces TIFFs instead of PDFs.
-    $tmp0 = exec("convert -density 203x196 '$filepath' '$faxcache/deleteme.tif'", $tmp1, $tmp2);
+    $tmp0 = exec("convert -density 203x196 " . escapeshellarg($filepath) . " " . escapeshellarg($faxcache . '/deleteme.tif'), $tmp1, $tmp2);
     if ($tmp2) die("convert returned $tmp2: $tmp0");
-    $tmp0 = exec("cd '$faxcache'; tiffsplit 'deleteme.tif'; rm -f 'deleteme.tif'", $tmp1, $tmp2);
+    $tmp0 = exec("cd " . escapeshellarg($faxcache) . "; tiffsplit 'deleteme.tif'; rm -f 'deleteme.tif'", $tmp1, $tmp2);
     if ($tmp2) die("tiffsplit/rm returned $tmp2: $tmp0");
   } else {
-    $tmp0 = exec("cd '$faxcache'; tiffsplit '$filepath'", $tmp1, $tmp2);
+    $tmp0 = exec("cd " . escapeshellarg($faxcache) . "; tiffsplit " . escapeshellarg($filepath), $tmp1, $tmp2);
     if ($tmp2) die("tiffsplit returned $tmp2: $tmp0");
   }
-  $tmp0 = exec("cd '$faxcache'; mogrify -resize 750x970 -format jpg *.tif", $tmp1, $tmp2);
+  $tmp0 = exec("cd " . escapeshellarg($faxcache) . "; mogrify -resize 750x970 -format jpg *.tif", $tmp1, $tmp2);
   if ($tmp2) die("mogrify returned $tmp2: $tmp0; ext is '$ext'; filepath is '$filepath'");
 }
 
diff --git a/interface/fax/faxq.php b/interface/fax/faxq.php
index 31b2e2954..523211f4e 100644
--- a/interface/fax/faxq.php
+++ b/interface/fax/faxq.php
@@ -27,7 +27,7 @@
  if ($GLOBALS['enable_hylafax']) {
   // Get the recvq entries, parse and sort by filename.
   $statlines = array();
-  exec("faxstat -r -l -h " . $GLOBALS['hylafax_server'], $statlines);
+  exec("faxstat -r -l -h " . escapeshellarg($GLOBALS['hylafax_server']), $statlines);
   foreach ($statlines as $line) {
    // This gets pagecount, sender, time, filename.  We are expecting the
    // string to start with "-rw-rw-" so as to exclude faxes not yet fully
@@ -46,7 +46,7 @@
   154  124 F nobody 6153551807    0:1   4:12         No carrier detected
   */
   $donelines = array();
-  exec("faxstat -s -d -l -h " . $GLOBALS['hylafax_server'], $donelines);
+  exec("faxstat -s -d -l -h " . escapeshellarg($GLOBALS['hylafax_server']), $donelines);
   foreach ($donelines as $line) {
    // This gets jobid, priority, statchar, owner, phone, pages, dials and tts/status.
    if (preg_match('/^(\d+)\s+(\d+)\s+(\S)\s+(\S+)\s+(\S+)\s+(\d+:\d+)\s+(\d+:\d+)(.*)$/', $line, $matches)) {
diff --git a/interface/main/main_screen.php b/interface/main/main_screen.php
index e2639250d..c91262a29 100644
--- a/interface/main/main_screen.php
+++ b/interface/main/main_screen.php
@@ -24,6 +24,7 @@
 /* Include our required headers */
 require_once('../globals.php');
 require_once("$srcdir/formdata.inc.php");
+require_once("../../library/CsrfToken.php");
 
 // Creates a new session id when load this outer frame
 // (allows creations of separate LibreHealth EHR frames to view patients concurrently
@@ -41,6 +42,9 @@
   session_regenerate_id(false);
 }
 
+//generate csrf token
+$_SESSION['token'] = CsrfToken::generateCsrfToken();
+
 $_SESSION["encounter"] = '';
 
 // Fetch the password expiration date
diff --git a/interface/main/tabs/js/tabs_view_model.js b/interface/main/tabs/js/tabs_view_model.js
index 7bfcf58c9..fb87f9c82 100644
--- a/interface/main/tabs/js/tabs_view_model.js
+++ b/interface/main/tabs/js/tabs_view_model.js
@@ -249,7 +249,7 @@ function clearPatient()
     $.ajax({
         type: "POST",
         url: webroot_url+"/library/ajax/unset_session_ajax.php",
-	  data: { func: "unset_pid"},
+	  data: { func: "unset_pid", token: jsCsrfToken},
 	  success:function( msg ) {
 
     
diff --git a/interface/main/tabs/main.php b/interface/main/tabs/main.php
index 4806526b9..1226e160d 100644
--- a/interface/main/tabs/main.php
+++ b/interface/main/tabs/main.php
@@ -122,6 +122,8 @@ function isEncounterLocked( encounterId ) {
                                                                   .',' . json_encode($userQuery['fname'])
                                                                   .',' . json_encode($userQuery['lname'])
                                                                   .',' . json_encode($_SESSION['authGroup']); ?>));
+    // Set the csrf token used in js/tabs_view_model.js script
+    var jsCsrfToken = <?php echo $_SESSION['token'];?>;
 </script>
 
 <style type="text/css">
diff --git a/interface/patient_file/encounter/forms.php b/interface/patient_file/encounter/forms.php
index bf4ab50a4..aebd469ac 100644
--- a/interface/patient_file/encounter/forms.php
+++ b/interface/patient_file/encounter/forms.php
@@ -106,6 +106,7 @@
             { amc_id: "patient_edu_amc",
               complete: true,
               mode: mode,
+              token: "<?php echo $_SESSION['token'];?>",
               patient_id: <?php echo htmlspecialchars($pid,ENT_NOQUOTES); ?>,
               object_category: "form_encounter",
               object_id: <?php echo htmlspecialchars($encounter,ENT_NOQUOTES); ?>
@@ -125,6 +126,7 @@
             { amc_id: "provide_sum_pat_amc",
               complete: true,
               mode: mode,
+              token: "<?php echo $_SESSION['token'];?>",
               patient_id: <?php echo htmlspecialchars($pid,ENT_NOQUOTES); ?>,
               object_category: "form_encounter",
               object_id: <?php echo htmlspecialchars($encounter,ENT_NOQUOTES); ?>
@@ -149,6 +151,7 @@
             { amc_id: "med_reconc_amc",
               complete: false,
               mode: mode,
+              token: "<?php echo $_SESSION['token'];?>",
               patient_id: <?php echo htmlspecialchars($pid,ENT_NOQUOTES); ?>,
               object_category: "form_encounter",
               object_id: <?php echo htmlspecialchars($encounter,ENT_NOQUOTES); ?>
@@ -168,6 +171,7 @@
             { amc_id: "med_reconc_amc",
               complete: true,
               mode: mode,
+              token: "<?php echo $_SESSION['token'];?>",
               patient_id: <?php echo htmlspecialchars($pid,ENT_NOQUOTES); ?>,
               object_category: "form_encounter",
               object_id: <?php echo htmlspecialchars($encounter,ENT_NOQUOTES); ?>
diff --git a/interface/patient_file/letter.php b/interface/patient_file/letter.php
index f3c4cd232..f0404dc73 100644
--- a/interface/patient_file/letter.php
+++ b/interface/patient_file/letter.php
@@ -33,6 +33,7 @@
 include_once($GLOBALS['srcdir'] . "/patient.inc");
 require_once($GLOBALS['srcdir']."/formatting.inc.php");
 require_once("$srcdir/headers.inc.php");
+require_once("$srcdir/CsrfToken.php");
 $DateFormat = DateFormatRead();
 $DateLocale = getLocaleCodeForDisplayLanguage($GLOBALS['language_default']);
 
@@ -90,6 +91,14 @@
 
 $alertmsg = ''; // anything here pops up in an alert box
 
+if (!empty($_POST)) {
+    if (!isset($_POST['token'])) {
+        error_log('WARNING: A POST request detected with no csrf token found');
+        die('Authentication failed.');
+    } else if (!(  CsrfToken::verifyCsrfTokenAndCompareHash($_POST['token'], '/letter.php.theform'))) {
+        die('Authentication failed.');
+    }
+}
 // If the Generate button was clicked...
 if ($_POST['formaction']=="generate") {
 
@@ -430,6 +439,7 @@ function insertAtCursor(myField, myValue) {
 <form method='post' action='letter.php' id="theform" name="theform">
 <input type="hidden" name="formaction" id="formaction" value="">
 <input type='hidden' name='form_pid' value='<?php echo $pid ?>' />
+<input type='hidden' name='token' value="<?php echo hash_hmac('sha256', (string) '/letter.php.theform', (string) $_SESSION['token']);?>" />
 
 <center>
 <p>
diff --git a/interface/patient_file/reminder/clinical_reminders.php b/interface/patient_file/reminder/clinical_reminders.php
index e7d7b614c..9fd335281 100644
--- a/interface/patient_file/reminder/clinical_reminders.php
+++ b/interface/patient_file/reminder/clinical_reminders.php
@@ -242,7 +242,8 @@
         rule: this.name,
         type: 'passive_alert',
         setting: this.value,
-        patient_id: '<?php echo htmlspecialchars($patient_id, ENT_QUOTES); ?>'
+        patient_id: '<?php echo htmlspecialchars($patient_id, ENT_QUOTES); ?>',
+        token: "<?php echo $_SESSION['token'];?>" 
       });
     });
 
@@ -252,7 +253,8 @@
         rule: this.name,
         type: 'active_alert',
         setting: this.value,
-        patient_id: '<?php echo htmlspecialchars($patient_id, ENT_QUOTES); ?>'
+        patient_id: '<?php echo htmlspecialchars($patient_id, ENT_QUOTES); ?>',
+        token: "<?php echo $_SESSION['token'];?>" 
       });
     });
 
@@ -262,7 +264,8 @@
         plan: this.name,
         type: 'normal',
         setting: this.value,
-        patient_id: '<?php echo htmlspecialchars($patient_id, ENT_QUOTES); ?>'
+        patient_id: '<?php echo htmlspecialchars($patient_id, ENT_QUOTES); ?>',
+        token: "<?php echo $_SESSION['token'];?>" 
       });
     });
 
diff --git a/interface/patient_file/reminder/patient_reminders.php b/interface/patient_file/reminder/patient_reminders.php
index d57266fa2..dd0739723 100755
--- a/interface/patient_file/reminder/patient_reminders.php
+++ b/interface/patient_file/reminder/patient_reminders.php
@@ -346,7 +346,8 @@ function sel_patient() {
       rule: this.name,
       type: 'patient_reminder',
       setting: this.value,
-      patient_id: '<?php echo htmlspecialchars($patient_id, ENT_QUOTES); ?>'
+      patient_id: '<?php echo htmlspecialchars($patient_id, ENT_QUOTES); ?>',
+      token: "<?php echo $_SESSION['token'];?>" 
     });
   });
 
@@ -361,6 +362,7 @@ function ReminderBatch(processType) {
 
    top.restoreSession();
    $.get("../../../library/ajax/collect_new_report_id.php",
+     {token: "<?php echo $_SESSION['token'];?>"},
      function(data){
        // Set the report id in page form
        $("#form_new_report_id").attr("value",data);
@@ -372,7 +374,8 @@ function(data){
        top.restoreSession();
        $.post("../../../library/ajax/execute_pat_reminder.php",
          {process_type: processType,
-          execute_report_id: $("#form_new_report_id").val()
+          execute_report_id: $("#form_new_report_id").val(),
+          token: "<?php echo $_SESSION['token'];?>"
          });
    });
 
@@ -384,7 +387,7 @@ function collectStatus(report_id) {
    top.restoreSession();
    // Do not send the skip_timeout_reset parameter, so don't close window before report is done.
    $.post("../../../library/ajax/status_report.php",
-     {status_report_id: report_id},
+     {status_report_id: report_id, token: "<?php echo $_SESSION['token'];?>" },
      function(data){
        if (data == "PENDING") {
          // Place the pending string in the DOM
diff --git a/interface/patient_file/summary/demographics.php b/interface/patient_file/summary/demographics.php
index f9347d96b..30faa8cd2 100644
--- a/interface/patient_file/summary/demographics.php
+++ b/interface/patient_file/summary/demographics.php
@@ -261,11 +261,11 @@ function toggleIndicator(target,div) {
           if ( $mode == "<?php echo htmlspecialchars(xl('collapse'),ENT_QUOTES); ?>" ) {
               $(target).find(".indicator").text( "<?php echo htmlspecialchars(xl('expand'),ENT_QUOTES); ?>" );
               $("#"+div).hide();
-          $.post( "../../../library/ajax/user_settings.php", { target: div, mode: 0 });
+          $.post( "../../../library/ajax/user_settings.php", { target: div, mode: 0 , token: "<?php echo $_SESSION['token'];?>" });
           } else {
               $(target).find(".indicator").text( "<?php echo htmlspecialchars(xl('collapse'),ENT_QUOTES); ?>" );
               $("#"+div).show();
-          $.post( "../../../library/ajax/user_settings.php", { target: div, mode: 1 });
+          $.post( "../../../library/ajax/user_settings.php", { target: div, mode: 1 , token: "<?php echo $_SESSION['token'];?>"});
           }
       }
 
diff --git a/interface/patient_file/summary/stats_full.php b/interface/patient_file/summary/stats_full.php
index 57b7224ce..beacab5f4 100644
--- a/interface/patient_file/summary/stats_full.php
+++ b/interface/patient_file/summary/stats_full.php
@@ -333,7 +333,7 @@ function newEncounter() {
 
     $(".noneCheck").click(function() {
       top.restoreSession();
-      $.post( "../../../library/ajax/lists_touch.php", { type: this.name, patient_id: <?php echo htmlspecialchars($pid,ENT_QUOTES); ?> });
+      $.post( "../../../library/ajax/lists_touch.php", { type: this.name, patient_id: <?php echo htmlspecialchars($pid,ENT_QUOTES); ?>, token: "<?php echo $_SESSION['token'];?>" });
       $(this).hide();
     });
 });
diff --git a/interface/patient_file/transaction/record_request.php b/interface/patient_file/transaction/record_request.php
index c71ce2162..4feacdcbb 100644
--- a/interface/patient_file/transaction/record_request.php
+++ b/interface/patient_file/transaction/record_request.php
@@ -45,6 +45,7 @@
       { amc_id: "provide_rec_pat_amc",
         complete: false,
         mode: "add_force",
+        token: "<?php echo $_SESSION['token'];?>",
         patient_id: <?php echo htmlspecialchars($pid,ENT_NOQUOTES); ?>
       }
     );
diff --git a/interface/patient_tracker/patient_tracker.php b/interface/patient_tracker/patient_tracker.php
index 957e6df39..4947493ee 100755
--- a/interface/patient_tracker/patient_tracker.php
+++ b/interface/patient_tracker/patient_tracker.php
@@ -777,6 +777,7 @@ function validateForm() {
     }
       $.post( "../../library/ajax/drug_screen_completed.php", {
         trackerid: this.id,
+        token: "<?php echo $_SESSION['token'];?>",
         testcomplete: testcomplete_toggle
       });
     });
diff --git a/interface/reports/clinical_stats_by_demographics_report.php b/interface/reports/clinical_stats_by_demographics_report.php
index a8595f9fa..7aa320431 100644
--- a/interface/reports/clinical_stats_by_demographics_report.php
+++ b/interface/reports/clinical_stats_by_demographics_report.php
@@ -148,7 +148,8 @@ function show_all_diags(){
                 diag:"<?php  echo $_POST['form_diagnosis'];   ?>",
                 ethnicity:"<?php echo $_POST['ethnicity']; ?>",
                 age_from:"<?php echo $_POST['age_from']  ; ?>",
-                age_to:"<?php echo $_POST['age_to']  ; ?>"
+                age_to:"<?php echo $_POST['age_to']  ; ?>",
+                token: "<?php echo $_SESSION['token'];?>"
 
             }, complete: function(){
                 $('#image').hide();
diff --git a/interface/reports/lab_stats_by_demographics_report.php b/interface/reports/lab_stats_by_demographics_report.php
index 7edb13ec0..ec5e1c5fb 100644
--- a/interface/reports/lab_stats_by_demographics_report.php
+++ b/interface/reports/lab_stats_by_demographics_report.php
@@ -175,7 +175,8 @@ function lab_result_details() {
                         age_from:"<?php echo $_POST['age_from']  ; ?>",
                         age_to:"<?php echo $_POST['age_to']  ; ?>",
                         results_per_page: $('#rpp').val(),
-                        page_number: $('#nof').val()
+                        page_number: $('#nof').val(),
+                        token: "<?php echo $_SESSION['token'];?>"
 
                     }, complete: function(){
                         $('#image').hide();
diff --git a/interface/reports/username_report.php b/interface/reports/username_report.php
index 71bf5b494..7eb5cc091 100644
--- a/interface/reports/username_report.php
+++ b/interface/reports/username_report.php
@@ -91,7 +91,8 @@ function show_session_times(){
             data: {
                 func:"show_session_times",
                 to_date:   "<?php echo $to_date; ?>",
-                from_date:" <?php echo $from_date; ?> "
+                from_date:" <?php echo $from_date; ?> ",
+                token: "<?php echo $_SESSION['token'];?>",
             }, complete: function(){
                 $('#image').hide();
             }},
@@ -160,7 +161,8 @@ function show_session_sums()
             data: {
                 func:"show_session_sums",
                 to_date:   "<?php echo $to_date; ?>",
-                from_date:" <?php echo $from_date; ?> "
+                from_date:" <?php echo $from_date; ?> ",
+                token: "<?php echo $_SESSION['token'];?>",
             },
         complete: function(){
             $('#image').hide();
@@ -230,7 +232,8 @@ function show_session_details()
             data: {
                 func:"show_session_details",
                 to_date:   "<?php echo $to_date; ?>",
-                from_date:" <?php echo $from_date; ?> "
+                from_date:" <?php echo $from_date; ?> ",
+                token: "<?php echo $_SESSION['token'];?>",
             },
             complete: function(){
                 $('#image').hide();
@@ -298,6 +301,8 @@ function show_session_details()
     <input hidden id = 'show_session_sums_button' value = '<?php echo isset($_POST['show_session_sums']) ? $_POST['show_session_sums'] : null ?>'>
     <input hidden id = 'show_session_times_button' value = '<?php echo isset($_POST['show_session_times']) ? $_POST['show_session_times'] : null  ?>'>
     <input hidden id = 'show_session_details_button' value = '<?php echo isset($_POST['show_session_details']) ? $_POST['show_session_details']  : null  ?>'>
+    <input type='hidden' name='token' value="<?php echo $_SESSION['token'];?>" />
+
 
 </form>
 
diff --git a/interface/super/edit_globals.php b/interface/super/edit_globals.php
index 4f7b9ed37..4071d0098 100644
--- a/interface/super/edit_globals.php
+++ b/interface/super/edit_globals.php
@@ -36,6 +36,7 @@
 require_once("$srcdir/user.inc");
 require_once("$srcdir/classes/CouchDB.class.php");
 require_once("$srcdir/calendar.inc");
+require_once("$srcdir/CsrfToken.php");
 
 if ($_GET['mode'] != "user") {
   // Check authorization.
@@ -43,6 +44,14 @@
   if (!$thisauth) die(xlt('Not authorized'));
 }
 
+if (!empty($_POST)) {
+  if (!isset($_POST['token'])) {
+      CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfTokenAndCompareHash($_POST['token'], '/edit_globals.php.theform'))) {
+      CsrfToken::incorrectToken();
+  }
+}
+
 function checkCreateCDB(){
   $globalsres = sqlStatement("SELECT gl_name, gl_index, gl_value FROM globals WHERE gl_name IN
   ('couchdb_host','couchdb_user','couchdb_pass','couchdb_port','couchdb_dbase','document_storage_method')");
@@ -393,6 +402,8 @@ function checkBackgroundServices(){
   <form method='post' name='theform' id='theform' action='edit_globals.php' onsubmit='return top.restoreSession()'>
 <?php } ?>
 
+<input type='hidden' name='token' value="<?php echo hash_hmac('sha256', (string) '/edit_globals.php.theform', (string) $_SESSION['token']);?>" />
+
 <div style="display:none">
   <?php if ($_GET['mode'] == "user") { ?>
     <p><b><?php echo xlt('Edit User Settings'); ?></b>
diff --git a/interface/super/edit_layout.php b/interface/super/edit_layout.php
index 7fa21de45..8f1c6a90c 100644
--- a/interface/super/edit_layout.php
+++ b/interface/super/edit_layout.php
@@ -27,6 +27,7 @@
 require_once("$srcdir/log.inc");
 require_once("$srcdir/formdata.inc.php");
 require_once("$srcdir/headers.inc.php");
+require_once("../../library/CsrfToken.php");
 
 $layouts = array(
   'DEM' => xl('Demographics'),
@@ -137,6 +138,14 @@ function addOrDeleteColumn($layout_id, $field_id, $add=TRUE) {
 $thisauth = acl_check('admin', 'super');
 if (!$thisauth) die(xl('Not authorized'));
 
+if (!empty($_POST)) {
+  if (!isset($_POST['token'])) {
+      CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfTokenAndCompareHash($_POST['token'], '/edit_layout.php.theform'))) {
+      CsrfToken::incorrectToken();
+  }
+}
+
 // The layout ID identifies the layout to be edited.
 $layout_id = empty($_REQUEST['layout_id']) ? '' : $_REQUEST['layout_id'];
 
@@ -945,6 +954,7 @@ function setListItemOptions(lino, seq, init) {
   $.getScript('layout_listitems_ajax.php' +
     '?listid='  + encodeURIComponent(list_id) +
     '&target='  + encodeURIComponent(target)  +
+    '&token='   + <?php echo $_SESSION['token'];?>  +
     '&current=' + encodeURIComponent(current));
 }
 
@@ -975,6 +985,7 @@ function cidChanged(lino, seq) {
 <!-- elements used to select more than one field -->
 <input type="hidden" name="selectedfields" id="selectedfields" value="">
 <input type="hidden" id="targetgroup" name="targetgroup" value="">
+<input type='hidden' name='token' value="<?php echo hash_hmac('sha256', (string) '/edit_layout.php.theform', (string) $_SESSION['token']);?>" />
 
 <p><b><?php xl('Edit layout','e'); ?>:</b>&nbsp;
 <select name='layout_id' id='layout_id'>
@@ -1553,13 +1564,13 @@ function getNextSeq(group) {
 
     // show the popup choice of lists
     var ShowLists = function(btnObj) {
-        window.open("./show_lists_popup.php", "lists", "width=300,height=500,scrollbars=yes");
+        window.open("./show_lists_popup.php?token=<?php echo $_SESSION['token'];?>", "lists", "width=300,height=500,scrollbars=yes");
         selectedfield = btnObj;
     };
     
     // show the popup choice of groups
     var ShowGroups = function(btnObj) {
-        window.open("./show_groups_popup.php?layout_id=<?php echo $layout_id;?>", "groups", "width=300,height=300,scrollbars=yes");
+        window.open("./show_groups_popup.php?layout_id=<?php echo $layout_id;?>&token=<?php echo $_SESSION['token'];?>", "groups", "width=300,height=300,scrollbars=yes");
     };
     
 
@@ -1604,7 +1615,7 @@ function FieldIDClicked(elem) {
   // If the field ID is for the local form, allow direct entry.
   if (srcval == 'F') return;
   // Otherwise pop up the selection window.
-  window.open('./field_id_popup.php?source=' + srcval, 'fields',
+  window.open('./field_id_popup.php?source=' + srcval + '&token=' + <?php echo $_SESSION['token'];?>, 'fields',
     'width=600,height=600,scrollbars=yes');
 <?php } ?>
 }
diff --git a/interface/super/edit_list.php b/interface/super/edit_list.php
index 716056fdc..c0fbb05d9 100644
--- a/interface/super/edit_list.php
+++ b/interface/super/edit_list.php
@@ -31,6 +31,7 @@
 require_once("$srcdir/lists.inc");
 require_once("../../custom/code_types.inc.php");
 require_once("$srcdir/options.inc.php");
+require_once("../../library/CsrfToken.php");
 
 $list_id = empty($_REQUEST['list_id']) ? ' ' : $_REQUEST['list_id'];
 
@@ -38,6 +39,14 @@
 $thisauth = acl_check('admin', 'super');
 if (!$thisauth) die(xl('Not authorized'));
 
+if (!empty($_POST)) {
+  if (!isset($_POST['token'])) {
+      CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfTokenAndCompareHash($_POST['token'], '/edit_list.php.theform'))) {
+      CsrfToken::incorrectToken();
+  }
+}
+
 // If we are saving, then save.
 //
 if ($_POST['formaction']=='save' && $list_id) {
@@ -819,6 +828,7 @@ function mysubmit() {
 
 <form method='post' name='theform' id='theform' action='edit_list.php'>
 <input type="hidden" name="formaction" id="formaction">
+<input type='hidden' name='token' value="<?php echo hash_hmac('sha256', (string) '/edit_list.php.theform', (string) $_SESSION['token']);?>" />
 
 <p><b><?php xl('Edit list','e'); ?>:</b>&nbsp;
 <select name='list_id' id="list_id" placeholder="Select a list..">
diff --git a/interface/super/field_id_popup.php b/interface/super/field_id_popup.php
index 550bafc85..04806c092 100644
--- a/interface/super/field_id_popup.php
+++ b/interface/super/field_id_popup.php
@@ -24,6 +24,7 @@
 $fake_register_globals = false;
 
 include_once("../globals.php");
+require_once("$srcdir/CsrfToken.php");
 
 $form_encounter_layout = array(
   array('field_id'     => 'date',
@@ -90,7 +91,14 @@
         'edit_options' => '',
        ),
 );
-
+//verify csrf token
+if (!empty($_GET)) {
+  if (!isset($_GET['token'])) {
+      CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfToken($_GET['token']))) {
+      CsrfToken::incorrectToken();
+  }
+}
 $source = empty($_REQUEST['source']) ? 'D' : $_REQUEST['source'];
 
 function gsr_fixup(&$row, $fldid, $default='') {
diff --git a/interface/super/layout_listitems_ajax.php b/interface/super/layout_listitems_ajax.php
index b6e551510..fb63059ee 100644
--- a/interface/super/layout_listitems_ajax.php
+++ b/interface/super/layout_listitems_ajax.php
@@ -25,8 +25,17 @@
 $sanitize_all_escapes  = true;
 
 require_once("../globals.php");
+require_once("$srcdir/CsrfToken.php");
 require_once("$srcdir/formdata.inc.php");
 
+//verify csrf token
+if (!empty($_GET)) {
+  if (!isset($_GET['token'])) {
+      CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfToken($_GET['token']))) {
+      CsrfToken::incorrectToken();
+  }
+}
 $listid  = $_GET['listid'];
 $target  = $_GET['target'];
 $current = $_GET['current'];
diff --git a/interface/super/load_codes.php b/interface/super/load_codes.php
index 0b71336df..8240a8816 100644
--- a/interface/super/load_codes.php
+++ b/interface/super/load_codes.php
@@ -32,9 +32,18 @@
 require_once($GLOBALS['srcdir'] . '/formdata.inc.php');
 require_once($GLOBALS['fileroot'] . '/custom/code_types.inc.php');
 require_once("$srcdir/headers.inc.php");
+require_once("../../library/CsrfToken.php");
 
 if (!acl_check('admin', 'super')) die(xlt('Not authorized'));
 
+if (!empty($_POST)) {
+  if (!isset($_POST['token'])) {
+      CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfTokenAndCompareHash($_POST['token'], '/load_codes.php.theform'))) {
+      CsrfToken::incorrectToken();
+  }
+}
+
 $form_replace = !empty($_POST['form_replace']);
 $code_type = empty($_POST['form_code_type']) ? '' : $_POST['form_code_type'];
 ?>
@@ -130,7 +139,8 @@
 
 ?>
 <form method='post' action='load_codes.php' enctype='multipart/form-data'
- onsubmit='return top.restoreSession()'>
+ id="theform" name="theform" onsubmit='return top.restoreSession()'>
+<input type='hidden' name='token' value="<?php echo hash_hmac('sha256', (string) '/load_codes.php.theform', (string) $_SESSION['token']);?>" />
 
 <center>
 
diff --git a/interface/super/manage_document_templates.php b/interface/super/manage_document_templates.php
index 0799e8bfc..aa2c67743 100644
--- a/interface/super/manage_document_templates.php
+++ b/interface/super/manage_document_templates.php
@@ -29,8 +29,18 @@
 require_once($GLOBALS['srcdir'].'/htmlspecialchars.inc.php');
 require_once($GLOBALS['srcdir'].'/formdata.inc.php');
 require_once("$srcdir/headers.inc.php");
+require_once("../../library/CsrfToken.php");
+
 if (!acl_check('admin', 'super')) die(htmlspecialchars(xl('Not authorized')));
 
+if (!empty($_POST)) {
+  if (!isset($_POST['token'])) {
+      CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfTokenAndCompareHash($_POST['token'], '/manage_document_templates.php.theform'))) {
+      CsrfToken::incorrectToken();
+  }
+}
+
 $form_filename = strip_escape_custom($_REQUEST['form_filename']);
 
 $templatedir = "$OE_SITE_DIR/documents/doctemplates";
@@ -104,7 +114,8 @@
 
 <body class="body_top">
 <form method='post' action='manage_document_templates.php' enctype='multipart/form-data'
- onsubmit='return top.restoreSession()'>
+ id="theform" name="theform" onsubmit='return top.restoreSession()'>
+ <input type='hidden' name='token' value="<?php echo hash_hmac('sha256', (string) '/manage_document_templates.php.theform', (string) $_SESSION['token']);?>" />
 
 <center>
 
diff --git a/interface/super/manage_site_files.php b/interface/super/manage_site_files.php
index 4e9b92db7..f5ffbd01b 100644
--- a/interface/super/manage_site_files.php
+++ b/interface/super/manage_site_files.php
@@ -19,9 +19,18 @@
 /* for formData() */
 require_once($GLOBALS['srcdir'].'/formdata.inc.php');
 require_once("$srcdir/headers.inc.php");
+require_once("../../library/CsrfToken.php");
 
 if (!acl_check('admin', 'super')) die(htmlspecialchars(xl('Not authorized')));
 
+if (!empty($_POST)) {
+  if (!isset($_POST['token'])) {
+      CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfTokenAndCompareHash($_POST['token'], '/manage_site_files.php.theform'))) {
+      CsrfToken::incorrectToken();
+  }
+}
+
 // Prepare array of names of editable files, relative to the site directory.
 $my_files = array(
   'config.php',
@@ -143,7 +152,8 @@ function msfFileChanged() {
 
 <body class="body_top">
 <form method='post' action='manage_site_files.php' enctype='multipart/form-data'
- onsubmit='return top.restoreSession()'>
+ id="theform" name="theform" onsubmit='return top.restoreSession()'>
+<input type='hidden' name='token' value="<?php echo hash_hmac('sha256', (string) '/manage_site_files.php.theform', (string) $_SESSION['token']);?>" />
 
 <center>
 
diff --git a/interface/super/show_groups_popup.php b/interface/super/show_groups_popup.php
index ba7b4a809..2d4ed6945 100644
--- a/interface/super/show_groups_popup.php
+++ b/interface/super/show_groups_popup.php
@@ -4,7 +4,16 @@
   */
 
 include_once("../globals.php");
-
+require_once("$srcdir/CsrfToken.php");
+
+//verify csrf token
+if (!empty($_GET)) {
+    if (!isset($_GET['token'])) {
+        CsrfToken::noTokenFoundError();
+    } else if (!(CsrfToken::verifyCsrfToken($_GET['token']))) {
+        die('Authentication failed.');
+    }
+  }
 ?>
 
 <html>
diff --git a/interface/super/show_lists_popup.php b/interface/super/show_lists_popup.php
index 23b77a37b..fd9ee02a4 100644
--- a/interface/super/show_lists_popup.php
+++ b/interface/super/show_lists_popup.php
@@ -4,6 +4,16 @@
   */
 
 include_once("../globals.php");
+require_once("$srcdir/CsrfToken.php");
+
+//verify csrf token
+if (!empty($_GET)) {
+    if (!isset($_GET['token'])) {
+        CsrfToken::noTokenFoundError();
+    } else if (!(CsrfToken::verifyCsrfToken($_GET['token']))) {
+        die('Authentication failed.');
+    }
+  }
 
 ?>
 
diff --git a/interface/usergroup/adminacl.php b/interface/usergroup/adminacl.php
index bb6244f93..6d42cdb45 100644
--- a/interface/usergroup/adminacl.php
+++ b/interface/usergroup/adminacl.php
@@ -89,6 +89,7 @@
     data: {
      control: "acl",
      action: "add",
+     token: "<?php echo $_SESSION['token'];?>",
      title: title,
      identifier: identifier,    
      return_value: return_value,
@@ -160,6 +161,7 @@
     data: {
      control: "acl",
      action: "remove",
+     token: "<?php echo $_SESSION['token'];?>",
      title: title,
      return_value: return_value
     },
@@ -208,6 +210,7 @@ function membership_show() {
     dataType: "xml",
     data: {
      control: "username",
+     token: "<?php echo $_SESSION['token'];?>",
      action: "list"
     },
     success: function(xml){
@@ -257,6 +260,7 @@ function acl_show() {
     dataType: "xml",
     data: {
      control: "acl",
+     token: "<?php echo $_SESSION['token'];?>",
      action: "list"
     },
     success: function(xml){     
@@ -371,6 +375,7 @@ function generic_click(cthis) {
     data: {
      name: identityFormatted,
      control: control,
+     token: "<?php echo $_SESSION['token'];?>",
      action: action,
      'selection[]': selected,
      return_value: return_value
diff --git a/library/CsrfToken.php b/library/CsrfToken.php
new file mode 100644
index 000000000..4293597b5
--- /dev/null
+++ b/library/CsrfToken.php
@@ -0,0 +1,56 @@
+<?php
+
+class CsrfToken {
+
+    // Generate csrf token for authentication
+    function generateCsrfToken()
+    {
+        if (!extension_loaded('openssl')) {
+        error_log("ERROR: openssl extension not enabled, needed for proper functioning of LibreHealth");
+            die("Error: Systems needs openssl.");
+        }
+
+        $csrfToken = bin2hex(openssl_random_pseudo_bytes(32));
+
+        if (empty($csrfToken)) {
+            error_log("ERROR : Token generation failed");
+            die("Error : Unable to correctly generate token");
+        }
+
+        return $csrfToken;
+    }
+
+    // Function to verify a csrf token
+    function verifyCsrfToken($token)
+    {
+        if (hash_equals($_SESSION['token'], $token)) {
+            return true;
+        } else {
+            error_log("WARNING : Malicious attempt encountered");
+            return false;
+        }
+    }
+
+    //log error and kill the page
+    function noTokenFoundError() {
+        error_log('WARNING: A POST request detected with no csrf token found');
+        header('HTTP/1.1 401 Unauthorized');
+        die('Authentication failed.');
+    }
+    function incorrectToken() {
+        header('HTTP/1.1 401 Unauthorized');
+        die('Authentication failed.');
+    }
+    // Function to verify a csrf token using with second token
+    function verifyCsrfTokenAndCompareHash($token, $secondToken)
+    {
+        if (hash_equals(hash_hmac('sha256', (string) $secondToken, (string) $_SESSION['token']), $token)) {
+            return true;
+        } else {
+            error_log("WARNING : Malicious attempt encountered");
+            return false;
+        }
+    }
+}
+
+?>
\ No newline at end of file
diff --git a/library/ajax/addlistitem.php b/library/ajax/addlistitem.php
index 4a47afbc0..743dfe5a7 100644
--- a/library/ajax/addlistitem.php
+++ b/library/ajax/addlistitem.php
@@ -16,6 +16,18 @@
 
 include_once("../../interface/globals.php");
 include_once("{$GLOBALS['srcdir']}/sql.inc");
+include_once("{$GLOBALS['srcdir']}/sql.inc");
+require_once("{$GLOBALS['srcdir']}/CsrfToken.php");
+
+//verify csrf token
+if (!empty($_GET)) {
+    if (!isset($_GET['token'])) {
+        error_log('WARNING: A POST request detected with no csrf token found');
+        die('Authentication failed.');
+    } else if (!(CsrfToken::verifyCsrfToken($_GET['token']))) {
+        die('Authentication failed.');
+    }
+  }
 
 // check for required values
 if ($_GET['listid'] == "" || trim($_GET['newitem']) == "" || trim($_GET['newitem_abbr']) == "") exit;
diff --git a/library/ajax/adminacl_ajax.php b/library/ajax/adminacl_ajax.php
index d3447de71..2b53f6ba0 100644
--- a/library/ajax/adminacl_ajax.php
+++ b/library/ajax/adminacl_ajax.php
@@ -17,7 +17,7 @@
 include_once("$srcdir/acl.inc");
 include_once("$srcdir/user.inc");
 include_once("$srcdir/calendar.inc");
-
+require_once("$srcdir/CsrfToken.php");
 header("Content-type: text/xml");
 header("Cache-Control: no-cache");
 
@@ -35,7 +35,13 @@
 echo error_xml(xl('PHP-gacl is not installed'));
 exit;
 }
-
+if (!empty($_POST)) {
+  if (!isset($_POST['token'])) {
+    CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
+      CsrfToken::incorrectToken();
+  }
+}
 //Display red alert if Emergency Login ACL is activated for a user.
 if($_POST["action"] == "add"){
   if (in_array("Emergency Login",$_POST["selection"])) {
diff --git a/library/ajax/amc_misc_data.php b/library/ajax/amc_misc_data.php
index c7da710fe..5debfdb30 100644
--- a/library/ajax/amc_misc_data.php
+++ b/library/ajax/amc_misc_data.php
@@ -20,6 +20,7 @@
 
 require_once(dirname(__FILE__) . "/../../interface/globals.php");
 require_once(dirname(__FILE__) . "/../amc.php");
+require_once(dirname(__FILE__) . "/../CsrfToken.php");
 
 //  If all items are valid(ie. not empty) (note object_category and object_id and date_created can be empty), then proceed.
 if ( !(empty($_POST['amc_id'])) && 
@@ -27,6 +28,12 @@
      !(empty($_POST['mode'])) &&
      !(empty($_POST['patient_id'])) ) {
 
+    if (!isset($_POST['token'])) {
+      CsrfToken::noTokenFoundError();
+    } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
+      CsrfToken::incorrectToken();
+    }
+
   processAmcCall($_POST['amc_id'], $_POST['complete'], $_POST['mode'], $_POST['patient_id'], $_POST['object_category'], $_POST['object_id'], $_POST['date_created']);
 
 }
diff --git a/library/ajax/ccr_import_ajax.php b/library/ajax/ccr_import_ajax.php
index 194fc1dea..188bd3e3d 100644
--- a/library/ajax/ccr_import_ajax.php
+++ b/library/ajax/ccr_import_ajax.php
@@ -35,8 +35,14 @@
 require_once(dirname(__FILE__) . "/../parse_patient_xml.php");
 require_once(dirname(__FILE__) . "/../classes/Document.class.php");
 require_once(dirname(__FILE__) . "/../classes/CouchDB.class.php");
+require_once("$srcdir/CsrfToken.php");
 
 if($_REQUEST["ccr_ajax"] == "yes"){
+  if (!isset($_POST['token'])) {
+    CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
+    die('Authentication failed.');
+  }
   $doc_id = $_REQUEST["document_id"];
   $d = new Document($doc_id);
   $url =  $d->get_url();
diff --git a/library/ajax/clinical_stats_and_lab_stats_by_demographics_report_ajax.php b/library/ajax/clinical_stats_and_lab_stats_by_demographics_report_ajax.php
index 5088b9c76..588960f53 100644
--- a/library/ajax/clinical_stats_and_lab_stats_by_demographics_report_ajax.php
+++ b/library/ajax/clinical_stats_and_lab_stats_by_demographics_report_ajax.php
@@ -27,7 +27,7 @@
 require_once("$srcdir/formatting.inc.php");
 require_once("$srcdir/acl.inc");
 require_once("$srcdir/patient.inc");
-
+require_once("$srcdir/CsrfToken.php");
 
 
 //Enter false if searching for users that aren't active
@@ -52,7 +52,13 @@ function ifTestingTrue($testing){
     else return "";
 
 }
-
+if (!empty($_POST)) {
+    if (!isset($_POST['token'])) {
+        CsrfToken::noTokenFoundError();
+    } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
+        die('Authentication failed.');
+    }
+}
 
 if($_POST['func']=="get_all_diags_data")
 {
diff --git a/library/ajax/collect_new_report_id.php b/library/ajax/collect_new_report_id.php
index c210ff042..aa0d34b6b 100644
--- a/library/ajax/collect_new_report_id.php
+++ b/library/ajax/collect_new_report_id.php
@@ -30,7 +30,16 @@
 
 require_once(dirname(__FILE__) . "/../../interface/globals.php");
 require_once(dirname(__FILE__) . "/../report_database.inc");
+require_once("$srcdir/CsrfToken.php");
 
+//verify csrf token
+if (!empty($_GET)) {
+    if (!isset($_GET['token'])) {
+        CsrfToken::noTokenFoundError();
+    } else if (!(CsrfToken::verifyCsrfToken($_GET['token']))) {
+        die('Authentication failed.');
+    }
+  }
 //  Collect/bookmark a new report id in report_results sql table and send it back.
 echo bookmarkReportDatabase();
 ?>
diff --git a/library/ajax/dated_reminders_counter.php b/library/ajax/dated_reminders_counter.php
index e9fa8c4c2..f9c4b5d25 100644
--- a/library/ajax/dated_reminders_counter.php
+++ b/library/ajax/dated_reminders_counter.php
@@ -32,6 +32,16 @@
 require_once("$srcdir/htmlspecialchars.inc.php");  
 require_once("$srcdir/dated_reminder_functions.php"); 
 require_once("$srcdir/pnotes.inc");
+require_once("$srcdir/CsrfToken.php");
+
+//verify csrf token
+if (!empty($_POST)) {
+    if (!isset($_POST['token'])) {
+        CsrfToken::noTokenFoundError();
+    } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
+        die('Authentication failed.');
+    }
+  }
 
 //Collect number of due reminders
 $dueReminders = GetDueReminderCount(5,strtotime(date('Y/m/d')));
diff --git a/library/ajax/drug_screen_completed.php b/library/ajax/drug_screen_completed.php
index 7d0661cd0..be1667fc1 100644
--- a/library/ajax/drug_screen_completed.php
+++ b/library/ajax/drug_screen_completed.php
@@ -22,7 +22,16 @@
 $fake_register_globals = false;
 
 require_once("../../interface/globals.php");
+require_once("$srcdir/CsrfToken.php");
 
+//verify csrf token
+if (!empty($_POST)) {
+    if (!isset($_POST['token'])) {
+        CsrfToken::noTokenFoundError();
+    } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
+        die('Authentication failed.');
+    }
+}
 $drugval = '0';
 if ($_POST['testcomplete'] =='true') {
 	$drugval = '1';
diff --git a/library/ajax/execute_background_services.php b/library/ajax/execute_background_services.php
index da44f89e2..082d09638 100644
--- a/library/ajax/execute_background_services.php
+++ b/library/ajax/execute_background_services.php
@@ -68,11 +68,24 @@
    $_GET['site'] = (isset($argv[1])) ? $argv[1] : 'default';
    if (isset($argv[2]) && $argv[2]!='all') $_GET['background_service'] = $argv[2];
    if (isset($argv[3]) && $argv[3]=='1') $_GET['background_force'] = 1;
-}
 
+   
+//an additional require file can be specified for each service in the background_services table
+require_once(dirname(__FILE__) . "/../../interface/globals.php");
+require_once(dirname(__FILE__) . "/../sql.inc");
+
+} else {
 //an additional require file can be specified for each service in the background_services table
 require_once(dirname(__FILE__) . "/../../interface/globals.php");
 require_once(dirname(__FILE__) . "/../sql.inc");
+require_once("$srcdir/CsrfToken.php");
+
+  if (!isset($_POST['token'])) {
+    CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
+      CsrfToken::incorrectToken();
+  }
+}
 
 //Remove time limit so script doesn't time out
 set_time_limit(0);
diff --git a/library/ajax/execute_cdr_report.php b/library/ajax/execute_cdr_report.php
index defc0e1ee..1551a19d0 100644
--- a/library/ajax/execute_cdr_report.php
+++ b/library/ajax/execute_cdr_report.php
@@ -30,6 +30,7 @@
 
 require_once(dirname(__FILE__) . "/../../interface/globals.php");
 require_once(dirname(__FILE__) . "/../clinical_rules.php");
+require_once("$srcdir/CsrfToken.php");
 
 //To improve performance and not freeze the session when running this
 // report, turn off session writing. Note that php session variables
@@ -50,7 +51,11 @@
 
 //  Start a report, which will be stored in the report_results sql table..
 if (!empty($_POST['execute_report_id'])) {
-
+  if (!isset($_POST['token'])) {
+    CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
+      die('Authentication failed.');
+  }
   $target_date = (!empty($_POST['date_target'])) ? $_POST['date_target'] : date('Y-m-d H:i:s');
   $rule_filter = (!empty($_POST['type'])) ? $_POST['type'] : "";
   $plan_filter = (!empty($_POST['plan'])) ? $_POST['plan'] : "";
diff --git a/library/ajax/execute_clinical_measures_report.php b/library/ajax/execute_clinical_measures_report.php
index 80a9a2c7b..51dcdfa60 100644
--- a/library/ajax/execute_clinical_measures_report.php
+++ b/library/ajax/execute_clinical_measures_report.php
@@ -32,7 +32,15 @@
 
 require_once '../../interface/globals.php';
 require_once $srcdir.'/clinical_rules.php';
+require_once("$srcdir/CsrfToken.php");
 
+if (!empty($_POST)) {
+  if (!isset($_POST['token'])) {
+    CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
+      die('Authentication failed.');
+  }
+}
 // To improve performance and not freeze the session when running this
 // report, turn off session writing. Note that php session variables
 // can not be modified after the line below. So, if need to do any php
diff --git a/library/ajax/execute_pat_reminder.php b/library/ajax/execute_pat_reminder.php
index 880b05f65..e1e192cc8 100644
--- a/library/ajax/execute_pat_reminder.php
+++ b/library/ajax/execute_pat_reminder.php
@@ -30,7 +30,15 @@
 
 require_once(dirname(__FILE__) . "/../../interface/globals.php");
 require_once(dirname(__FILE__) . "/../reminders.php");
+require_once("$srcdir/CsrfToken.php");
 
+if (!empty($_POST)) {
+  if (!isset($_POST['token'])) {
+    CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
+      die('Authentication failed.');
+  }
+}
 //To improve performance and not freeze the session when running this
 // report, turn off session writing. Note that php session variables
 // can not be modified after the line below. So, if need to do any php
diff --git a/library/ajax/facility_ajax_code.php b/library/ajax/facility_ajax_code.php
index f83170e63..d91240165 100644
--- a/library/ajax/facility_ajax_code.php
+++ b/library/ajax/facility_ajax_code.php
@@ -42,7 +42,15 @@
 require_once("$srcdir/sql.inc");
 require_once("$srcdir/formatting.inc.php");
 require_once("$srcdir/options.inc.php");
+require_once("$srcdir/CsrfToken.php");
 
+if (!empty($_REQUEST)) {
+  if (!isset($_REQUEST['token'])) {
+      CsrfToken::noTokenFoundError();
+    } else if (!(CsrfToken::verifyCsrfToken($_REQUEST['token']))) {
+        die('Authentication failed.');
+    }
+}
 $pid=$_REQUEST['pid'];
 $facility=$_REQUEST['facility'];
 $date=$_REQUEST['date'];
diff --git a/library/ajax/facility_ajax_jav.inc.php b/library/ajax/facility_ajax_jav.inc.php
index 6beebf2a4..adae99ef1 100644
--- a/library/ajax/facility_ajax_jav.inc.php
+++ b/library/ajax/facility_ajax_jav.inc.php
@@ -38,7 +38,8 @@ function ajax_bill_loc(pid,date,facility){
 data: {
 pid: pid,
 date: date,
-facility: facility
+facility: facility,
+token: <?php echo $_SESSION['token'];?>
 },
 success: function(thedata){//alert(thedata)
 $("#ajaxdiv").html(thedata);
diff --git a/library/ajax/find_patients.php b/library/ajax/find_patients.php
index 3e0c47dbf..fb139639f 100644
--- a/library/ajax/find_patients.php
+++ b/library/ajax/find_patients.php
@@ -17,7 +17,15 @@
 require_once("../../interface/globals.php");
 require_once("{$GLOBALS['srcdir']}/sql.inc");
 require_once("{$GLOBALS['srcdir']}/formdata.inc.php");
+require_once("$srcdir/CsrfToken.php");
 
+if (!empty($_REQUEST)) {
+  if (!isset($_REQUEST['token'])) {
+    CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfToken($_REQUEST['token']))) {
+      die('Authentication failed.');
+  }
+}
 function myGetValue($fldname) {
   $val = formData($fldname, 'G', true);
   if ($val == 'undefined') $val = '';
diff --git a/library/ajax/get_fullscreen_pages.php b/library/ajax/get_fullscreen_pages.php
index 901979664..8d29587a4 100644
--- a/library/ajax/get_fullscreen_pages.php
+++ b/library/ajax/get_fullscreen_pages.php
@@ -33,6 +33,15 @@
 //
 require_once("../../interface/globals.php");
 require_once("$srcdir/sql.inc");
+require_once("$srcdir/CsrfToken.php");
+
+if (!empty($_POST)) {
+  if (!isset($_POST['token'])) {
+    CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
+      die('Authentication failed.');
+  }
+}
 
 $fQuery = sqlStatement("select entry_id from menu_trees where menu_set= ?", array($_POST['role_name']));
 
diff --git a/library/ajax/left_nav_encounter_ajax.php b/library/ajax/left_nav_encounter_ajax.php
index f74e0d160..9b28c6982 100644
--- a/library/ajax/left_nav_encounter_ajax.php
+++ b/library/ajax/left_nav_encounter_ajax.php
@@ -20,7 +20,15 @@
 require_once("$srcdir/patient.inc");
 require_once("$srcdir/formatting.inc.php");
 require_once("$srcdir/encounter_events.inc.php");
+require_once("$srcdir/CsrfToken.php");
 
+if (!empty($_REQUEST)) {
+  if (!isset($_REQUEST['token'])) {
+      CsrfToken::noTokenFoundError();
+    } else if (!(CsrfToken::verifyCsrfToken($_REQUEST['token']))) {
+        die('Authentication failed.');
+    }
+}
 $issue = $_GET['issue'];
 $createvisit = !empty($_GET['createvisit']);
 $today = date('Y-m-d');
diff --git a/library/ajax/left_nav_issues_ajax.php b/library/ajax/left_nav_issues_ajax.php
index ed27d9515..3a8bfa57b 100644
--- a/library/ajax/left_nav_issues_ajax.php
+++ b/library/ajax/left_nav_issues_ajax.php
@@ -10,7 +10,15 @@
 $fake_register_globals = false;
 
 require_once("../../interface/globals.php");
+require_once("$srcdir/CsrfToken.php");
 
+if (!empty($_GET)) {
+  if (!isset($_GET['token'])) {
+    CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfToken($_GET['token']))) {
+      die('Authentication failed.');
+  }
+}
 $type = $_GET['type'];
 
 echo "// pid = $pid, type = $type\n";
diff --git a/library/ajax/lists_touch.php b/library/ajax/lists_touch.php
index f0c13f4a4..39c4d76c0 100644
--- a/library/ajax/lists_touch.php
+++ b/library/ajax/lists_touch.php
@@ -21,7 +21,15 @@
 
 require_once(dirname(__FILE__) . "/../../interface/globals.php");
 require_once(dirname(__FILE__) . "/../lists.inc");
+require_once("$srcdir/CsrfToken.php");
 
+if (!empty($_POST)) {
+  if (!isset($_POST['token'])) {
+      CsrfToken::noTokenFoundError();
+    } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
+        die('Authentication failed.');
+    }
+}
 //  IF there is a pid and type then will set the entry in lists_touch table
 if ( !(empty($_POST['patient_id'])) && !(empty($_POST['type'])) ) {
 
diff --git a/library/ajax/log_print_action_ajax.php b/library/ajax/log_print_action_ajax.php
index c86da6f9b..8148ff256 100644
--- a/library/ajax/log_print_action_ajax.php
+++ b/library/ajax/log_print_action_ajax.php
@@ -26,7 +26,15 @@
 require_once("../../interface/globals.php");
 require_once("$srcdir/log.inc");
 require_once("$srcdir/classes/html2text.class.php");
+require_once("$srcdir/CsrfToken.php");
 
+if (!empty($_POST)) {
+    if (!isset($_POST['token'])) {
+    CsrfToken::noTokenFoundError();
+    } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
+        die('Authentication failed.');
+    }
+}
 $h2t = new html2text($_POST['comments']);
 $h2t->width = 0;
 $h2t->_convert(false);
diff --git a/library/ajax/payment_ajax.php b/library/ajax/payment_ajax.php
index 09eb40993..efa4d069c 100644
--- a/library/ajax/payment_ajax.php
+++ b/library/ajax/payment_ajax.php
@@ -30,6 +30,15 @@
 require_once("../../interface/globals.php");
 require_once("$srcdir/sql.inc");
 require_once("$srcdir/formatting.inc.php");
+require_once("$srcdir/CsrfToken.php");
+
+if (!empty($_REQUEST)) {
+  if (!isset($_REQUEST['token'])) {
+    CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
+      CsrfToken::incorrectToken();
+  }
+}
 //=================================
 if (isset($_REQUEST["ajax_mode"]))
  {
diff --git a/library/ajax/payment_ajax_jav.inc.php b/library/ajax/payment_ajax_jav.inc.php
index 6a34162e7..76616674f 100644
--- a/library/ajax/payment_ajax_jav.inc.php
+++ b/library/ajax/payment_ajax_jav.inc.php
@@ -108,7 +108,8 @@ function ajaxFunction(Source,SubmitOrSimple,SourceObject) {
      patient_code: Source=='patient' ? SourceObject.value : '',
     insurance_text_ajax: document.getElementById('type_code') ? document.getElementById('type_code').value : '',
 	encounter_patient_code:Source=='encounter' ? document.getElementById('hidden_patient_code').value : '',
-	submit_or_simple_type:SubmitOrSimple
+	submit_or_simple_type:SubmitOrSimple,
+	token: "<?php echo $_SESSION['token'];?>",
    },
    //async: false,
     success: function(thedata){
diff --git a/library/ajax/plan_setting.php b/library/ajax/plan_setting.php
index 9bbde956b..21c2ac2e0 100644
--- a/library/ajax/plan_setting.php
+++ b/library/ajax/plan_setting.php
@@ -21,7 +21,15 @@
 
 require_once(dirname(__FILE__) . "/../../interface/globals.php");
 require_once(dirname(__FILE__) . "/../clinical_rules.php");
+require_once("$srcdir/CsrfToken.php");
 
+if (!empty($_POST)) {
+  if (!isset($_POST['token'])) {
+    CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
+      CsrfToken::incorrectToken();
+  }
+}
 //set the rule setting for patient (ensure all variables exist)
 if ($_POST['plan'] && $_POST['type'] && $_POST['setting'] && $_POST['patient_id']) {
   set_plan_activity_patient($_POST['plan'], $_POST['type'], $_POST['setting'], $_POST['patient_id']);
diff --git a/library/ajax/prescription_drugname_lookup.php b/library/ajax/prescription_drugname_lookup.php
index b6700c1c0..a4209bba0 100644
--- a/library/ajax/prescription_drugname_lookup.php
+++ b/library/ajax/prescription_drugname_lookup.php
@@ -16,6 +16,15 @@
 include_once("../../interface/globals.php");
 include_once("{$GLOBALS['srcdir']}/sql.inc");
 include_once("{$GLOBALS['srcdir']}/formdata.inc.php");
+require_once("$srcdir/CsrfToken.php");
+
+if (!empty($_GET)) {
+  if (!isset($_GET['token'])) {
+    CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfToken($_GET['token']))) {
+      CsrfToken::incorrectToken();
+  }
+}
 
 $q = formData("q","G",true);
 if (!$q) return;
diff --git a/library/ajax/rule_setting.php b/library/ajax/rule_setting.php
index 72b663d6d..895b4e358 100644
--- a/library/ajax/rule_setting.php
+++ b/library/ajax/rule_setting.php
@@ -21,6 +21,15 @@
 
 require_once(dirname(__FILE__) . "/../../interface/globals.php");
 require_once(dirname(__FILE__) . "/../clinical_rules.php");
+require_once("$srcdir/CsrfToken.php");
+
+if (!empty($_POST)) {
+  if (!isset($_POST['token'])) {
+    CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
+      CsrfToken::incorrectToken();
+  }
+}
 
 //set the rule setting for patient (ensure all variables exist)
 if ($_POST['rule'] && $_POST['type'] && $_POST['setting'] && $_POST['patient_id']) {
diff --git a/library/ajax/status_report.php b/library/ajax/status_report.php
index a661a0aab..5e85cb03d 100644
--- a/library/ajax/status_report.php
+++ b/library/ajax/status_report.php
@@ -30,7 +30,15 @@
 
 require_once(dirname(__FILE__) . "/../../interface/globals.php");
 require_once(dirname(__FILE__) . "/../report_database.inc");
+require_once("$srcdir/CsrfToken.php");
 
+if (!empty($_POST)) {
+  if (!isset($_POST['token'])) {
+    CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
+      CsrfToken::incorrectToken();
+  }
+}
 //  Collect/bookmark a new report id in report_results sql table and send it back.
 if (!empty($_POST['status_report_id'])) {
   echo getStatusReportDatabase($_POST['status_report_id']);
diff --git a/library/ajax/unset_session_ajax.php b/library/ajax/unset_session_ajax.php
index 67351727e..737331160 100644
--- a/library/ajax/unset_session_ajax.php
+++ b/library/ajax/unset_session_ajax.php
@@ -24,7 +24,15 @@
 
 require_once("../../interface/globals.php");
 require_once("../pid.inc");
+require_once("$srcdir/CsrfToken.php");
 
+if (!empty($_POST)) {
+  if (!isset($_POST['token'])) {
+    CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
+      CsrfToken::incorrectToken();
+  }
+}
 //Setpid function is called on receiving an ajax request.
 if(($_POST['func']=="unset_pid"))
 {
diff --git a/library/ajax/user_settings.php b/library/ajax/user_settings.php
index ff206a678..66aa9b9fb 100644
--- a/library/ajax/user_settings.php
+++ b/library/ajax/user_settings.php
@@ -21,6 +21,15 @@
 
 require_once(dirname(__FILE__) . "/../../interface/globals.php");
 require_once(dirname(__FILE__) . "/../user.inc");
+require_once("$srcdir/CsrfToken.php");
+
+if (!empty($_POST)) {
+  if (!isset($_POST['token'])) {
+    CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
+      CsrfToken::incorrectToken();
+  }
+}
 
 //If 'mode' is either a 1 or 0 and 'target' ends with _expand
 //  Then will update the appropriate user _expand flag
diff --git a/library/ajax/username_report_ajax.php b/library/ajax/username_report_ajax.php
index 6c1eede36..26b94c5ad 100644
--- a/library/ajax/username_report_ajax.php
+++ b/library/ajax/username_report_ajax.php
@@ -25,8 +25,18 @@
 require_once("$srcdir/sql.inc");
 require_once("$srcdir/formatting.inc.php");
 require_once("$srcdir/acl.inc");
+require_once("$srcdir/CsrfToken.php");
 require_once("$srcdir/patient.inc");
 $DateFormat = DateFormatRead();
+
+if (!empty($_POST)) {
+    if (!isset($_POST['token'])) {
+      CsrfToken::noTokenFoundError();
+    } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
+        die('Authentication failed.');
+    }
+}
+
 //make sure to get the dates
 if ( ! isset($_POST['from_date'])) {
 
diff --git a/library/options_listadd.inc b/library/options_listadd.inc
index 407aa1335..ba8cc3da0 100644
--- a/library/options_listadd.inc
+++ b/library/options_listadd.inc
@@ -159,6 +159,7 @@ $(document).ready(function(){
         $.getJSON("<?php echo $GLOBALS['webroot']; ?>/library/ajax/addlistitem.php",
                     {listid: listid,
 		     newitem: newitem,
+             token: "<?php echo $_SESSION['token'];?>",
 		     newitem_abbr: newitem_abbr},
                     function(jsondata, txtresponse) {
 		    	 if( jsondata.error == '' ){
diff --git a/library/restoreSession.php b/library/restoreSession.php
index 75a21a67b..48dc1e196 100644
--- a/library/restoreSession.php
+++ b/library/restoreSession.php
@@ -69,7 +69,7 @@ function printLogPrint(elem) {
  comments = win.printlogdata || win.document.body.innerHTML;
  top.restoreSession();
  $.post("<?php echo $GLOBALS['webroot']; ?>/library/ajax/log_print_action_ajax.php",
-  { comments: comments }
+  { comments: comments,  token: <?php echo $_SESSION['token'];?> }
  );
 <?php } ?>
  return true;
diff --git a/library/sanitize.inc.php b/library/sanitize.inc.php
index f61283315..71ae3fe41 100644
--- a/library/sanitize.inc.php
+++ b/library/sanitize.inc.php
@@ -43,6 +43,41 @@ function image_has_right_mime($image_properties) {
    
    return in_array($mime, $mime_types);
 }
+ 
+/**
+ * This function detects a MIME type for a file and check if it in the safe list of the allowed mime types.
+ * @param string $file - file location.
+ * @param array|null $accepted_files - array of mime types that allowed to upload.
+ */
+
+function isSafeFile($file)
+{
+  $safe_files =  array(
+  'application/pdf',
+  'image/jpeg',
+  'image/png',
+  'image/gif',
+  'application/msword',
+  'application/vnd.oasis.opendocument.spreadsheet',
+  'text/plain',
+  'image/*',
+  'text/*',
+  'audio/*',
+  'video/*'
+);
+    $mimetype  = mime_content_type($file);
+    if (in_array($mimetype, $safe_files)) {
+        return true;
+    } else {
+        $splitMimeType = explode('/', $mimetype);
+        $categoryType = $splitMimeType[0];
+        if (in_array($categoryType . '/*', $safe_files)) {
+            return true;
+        }
+    }
+
+    return false;
+}
 
 //image file extension check
 function image_has_right_extension($image_file_type, $extensions) {
@@ -55,5 +90,4 @@ function image_has_right_size($size) {
   return $size < 20971520;
 }
 
-
 ?>
diff --git a/modules/MIPS/clinical_measures.php b/modules/MIPS/clinical_measures.php
index d8f1e95ba..9593ea929 100644
--- a/modules/MIPS/clinical_measures.php
+++ b/modules/MIPS/clinical_measures.php
@@ -116,6 +116,7 @@ function runReport() {
   top.restoreSession();
   $.get(
     "ajax/collect_new_report_id.php",
+    { token: "<?php echo $_SESSION['token'];?>"},
     function(data) {
       // Set the report id in page form
       $("#form_new_report_id").attr("value", data);
@@ -133,7 +134,8 @@ function(data) {
           plan: $("#form_plan_filter").val(),
           labs: $("#labs_manual_entry").val(),
           pat_prov_rel: $("#form_pat_prov_rel").val(),
-          execute_report_id: $("#form_new_report_id").val()
+          execute_report_id: $("#form_new_report_id").val(),
+          token: "<?php echo $_SESSION['token'];?>"
         }
       );
     }
@@ -145,7 +147,7 @@ function collectStatus(report_id) {
   // Do not send the skip_timeout_reset parameter, so don't close window before report is done.
   $.post(
     "ajax/status_report.php",
-    { status_report_id: report_id },
+    { status_report_id: report_id, token: "<?php echo $_SESSION['token'];?>"  },
     function(data) {
       if(data == "PENDING") {
         // Place the pending string in the DOM
diff --git a/modules/nation_notes/nn_super_edit_layout.inc b/modules/nation_notes/nn_super_edit_layout.inc
index aa7537f68..a9dbab0f9 100644
--- a/modules/nation_notes/nn_super_edit_layout.inc
+++ b/modules/nation_notes/nn_super_edit_layout.inc
@@ -915,6 +915,7 @@ function setListItemOptions(lino, seq, init) {
   $.getScript('layout_listitems_ajax.php' +
     '?listid='  + encodeURIComponent(list_id) +
     '&target='  + encodeURIComponent(target)  +
+    '&token='   + <?php echo $_SESSION['token'];?>  +
     '&current=' + encodeURIComponent(current));
 }
 
@@ -1546,13 +1547,13 @@ $(document).ready(function(){
 
     // show the popup choice of lists
     var ShowLists = function(btnObj) {
-        window.open("./show_lists_popup.php", "lists", "width=300,height=500,scrollbars=yes");
+        window.open("./show_lists_popup.php?token=<?php echo $_SESSION['token'];?>", "lists", "width=300,height=500,scrollbars=yes");
         selectedfield = btnObj;
     };
     
     // show the popup choice of groups
     var ShowGroups = function(btnObj) {
-        window.open("./show_groups_popup.php?layout_id=<?php echo $layout_id;?>", "groups", "width=300,height=300,scrollbars=yes");
+        window.open("./show_groups_popup.php?layout_id=<?php echo $layout_id;?>&token=<?php echo $_SESSION['token'];?>", "groups", "width=300,height=300,scrollbars=yes");
     };
     
     // Show context DD for NationNotes
@@ -1629,7 +1630,7 @@ function FieldIDClicked(elem) {
   // If the field ID is for the local form, allow direct entry.
   if (srcval == 'F') return;
   // Otherwise pop up the selection window.
-  window.open('./field_id_popup.php?source=' + srcval, 'fields',
+  window.open('./field_id_popup.php?source=' + srcval + '&token=' + <?php echo $_SESSION['token'];?>, 'fields',
     'width=600,height=600,scrollbars=yes');
 <?php } ?>
 }
diff --git a/patient_portal/import_template.php b/patient_portal/import_template.php
index 8dace706c..4a25b038b 100644
--- a/patient_portal/import_template.php
+++ b/patient_portal/import_template.php
@@ -19,15 +19,28 @@
 $sanitize_all_escapes=true;
 $fake_register_globals=false;
 require_once("../interface/globals.php"); 
+require_once("../library/CsrfToken.php");
 
+if (!empty($_POST)) {
+    if (!isset($_POST['token'])) {
+        CsrfToken::noTokenFoundError();
+    } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
+        CsrfToken::incorrectToken();
+    }
+}
+$rebuilt = '';
+if (isset($_POST['docid'])) {
+    $rebuilt = validateFile($_POST['docid']);
+}
+// die($rebuilt);
 if($_POST['mode'] == 'get'){
-    echo file_get_contents($_POST['docid']);
+    echo file_get_contents($rebuilt);
     exit;
 } else if ($_POST['mode'] == 'save') {
-    file_put_contents($_POST['docid'], $_POST['content']);
+    file_put_contents($rebuilt, $_POST['content']);
     exit(true);
 } else if ($_POST['mode'] == 'delete') {
-    unlink($_POST['docid']);
+    unlink($rebuilt);
     exit(true);
 }
 // so it is an import
@@ -36,7 +49,8 @@
     define("UPLOAD_DIR", $GLOBALS['OE_SITE_DIR'] .  '/documents/onsite_portal_documents/templates/');
 } else {
     if ($_POST['up_dir'] > 0) {
-        define("UPLOAD_DIR", $GLOBALS['OE_SITE_DIR'] .  '/documents/onsite_portal_documents/templates/'. $_POST['up_dir'] . '/');
+        $dir = preg_replace("/[^A-Z0-9._-]/i", "_", $_POST['up_dir']);
+        define("UPLOAD_DIR", $GLOBALS['OE_SITE_DIR'] .  '/documents/onsite_portal_documents/templates/'. $dir . '/');
     } else {
         define("UPLOAD_DIR", $GLOBALS['OE_SITE_DIR'] .  '/documents/onsite_portal_documents/templates/');
 }
@@ -71,4 +85,29 @@
     chmod(UPLOAD_DIR . $name, 0644);
     header("location: " . $_SERVER['HTTP_REFERER']);
 }
+function validateFile($filename = '')
+{
+    $knownPath = $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates/'; // default path
+    $unknown = str_replace("\\", "/", realpath($filename)); // normalize requested path
+    $parts = pathinfo($unknown);
+    $unkParts = explode('/', $parts['dirname']);
+    $ptpid = $unkParts[count($unkParts) - 1]; // is this a patient or global template
+    $ptpid = ($ptpid == 'templates') ? '' : ($ptpid . '/'); // last part should be pid or template
+    $rebuiltPath = $knownPath . $ptpid . $parts['filename'] . '.tpl';
+    if (file_exists($rebuiltPath) === false || $parts['extension'] != 'tpl') {
+        redirect();
+    } elseif (realpath($rebuiltPath) != realpath($filename)) { // these need to match to be valid request
+        redirect();
+    } elseif (stripos(realpath($filename), realpath($knownPath)) === false) { // this needs to pass be a valid request
+        redirect();
+    }
+
+    return $rebuiltPath;
+}
+
+function redirect()
+{
+    header('HTTP/1.0 404 Not Found');
+    die();
+}
 ?>
\ No newline at end of file
diff --git a/patient_portal/import_template_ui.php b/patient_portal/import_template_ui.php
index de651c248..5d96d5f7b 100644
--- a/patient_portal/import_template_ui.php
+++ b/patient_portal/import_template_ui.php
@@ -19,6 +19,16 @@
 $sanitize_all_escapes=true;
 $fake_register_globals=false;
 require_once("../interface/globals.php");
+require_once("../library/CsrfToken.php");
+if (!empty($_POST)) {
+    if (!isset($_POST['token'])) {
+        header('HTTP/1.1 401 Unauthorized');
+        error_log('WARNING: A POST request detected with no csrf token found');
+        die('Authentication failed.');
+    } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
+        die('Authentication failed.');
+    }
+}
 $getdir = isset($_POST['sel_pt']) ? $_POST['sel_pt'] : 0;
 if( $getdir > 0){
     $tdir = $GLOBALS['OE_SITE_DIR'] .  '/documents/onsite_portal_documents/templates/' . $getdir . '/';
@@ -120,7 +130,7 @@ function getDocument(docname, mode, content){
             $.ajax({
                 type: "POST",
                 url: liburl,
-                data: {docid: docname, mode: mode,content: content},
+                data: {docid: docname, mode: mode,content: content, token: "<?php echo $_SESSION['token'];?>"},
                 beforeSend: function(xhr){
                     console.log("Please wait..."+content);
                 },
@@ -192,6 +202,7 @@ function getDocument(docname, mode, content){
 <button class="btn btn-primary" type="button" onclick="location.href='./patient/provider'"><?php echo xlt('Home'); ?></button>
 <input type='hidden' name="up_dir" value='<?php global $getdir;
 echo $getdir;?>' />
+<input type='hidden' name='token' value="<?php echo $_SESSION['token'];?>" />
 <button class="btn btn-success" type="submit" name="upload_submit" id="upload_submit"><?php echo xlt('Upload Template for'); ?> <span style="font-size:14px;" class="label label-default" id='ptstatus'></span></button>
 
 </form>
@@ -200,6 +211,7 @@ function getDocument(docname, mode, content){
 
 <div class='col col-md col-lg'>
 <form id = "edit_form" name = "edit_form" class="form-inline" action="" method="post">
+<input type='hidden' name='token' value="<?php echo $_SESSION['token'];?>" />
  <div class="form-group">
  <label for="sel_pt"><?php echo xlt('Patient'); ?></label>
  <select class="form-control" id="sel_pt" name="sel_pt">
diff --git a/templates/documents/general_view.php b/templates/documents/general_view.php
index b85b8e968..619888610 100644
--- a/templates/documents/general_view.php
+++ b/templates/documents/general_view.php
@@ -85,6 +85,7 @@ function import_ccr(docid)  {
        data:
        {
          ccr_ajax : "yes",
+         token: "<?php echo $_SESSION['token'];?>",
          document_id : docid,
        },
        success: function(data){
diff --git a/templates/prescription/general_edit.php b/templates/prescription/general_edit.php
index 4291d5183..3f0e516bd 100644
--- a/templates/prescription/general_edit.php
+++ b/templates/prescription/general_edit.php
@@ -399,7 +399,7 @@ function cancelParlookup () {
 }
 
 $().ready(function() {
-    $("#drug").autocomplete('library/ajax/prescription_drugname_lookup.php',
+    $("#drug").autocomplete('library/ajax/prescription_drugname_lookup.php?token=<?php echo $_SESSION['token'];?> ',
                             {
                             width: 200,
                             scrollHeight: 100,