diff --git a/post/setting.php b/post/setting.php
index 3df54650..25e59e1e 100644
--- a/post/setting.php
+++ b/post/setting.php
@@ -331,6 +331,7 @@ if (isset($_GET['generate_cron_key'])) {
 
 if (isset($_POST['edit_online_payment_settings'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
     validateAdminRole();
 
     $config_stripe_enable = intval($_POST['config_stripe_enable']);
diff --git a/settings_online_payment.php b/settings_online_payment.php
index f8eb017e..e9e0157f 100644
--- a/settings_online_payment.php
+++ b/settings_online_payment.php
@@ -11,6 +11,7 @@ require_once "inc_all_settings.php";
         </div>
         <div class="card-body">
             <form action="post.php" method="post" autocomplete="off">
+                <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
 
                 <div class="form-group">
                     <div class="custom-control custom-switch">
@@ -53,9 +54,9 @@ require_once "inc_all_settings.php";
                                 $sql_accounts = mysqli_query($mysqli, "SELECT * FROM accounts LEFT JOIN account_types ON account_types.account_type_id = accounts.account_type WHERE account_type_parent = 1 AND account_archived_at IS NULL ORDER BY account_name ASC");
                                 while ($row = mysqli_fetch_array($sql_accounts)) {
                                     $account_id = intval($row['account_id']);
-                                    $account_name = nullable_htmlentities($row['account_name']); 
+                                    $account_name = nullable_htmlentities($row['account_name']);
                                     ?>
-                                        
+
                                     <option value="<?php echo $account_id ?>" <?php if ($account_id == $config_stripe_account) { echo "selected"; } ?>><?php echo $account_name ?></option>
                                 <?php
                                 }