diff --git a/agent/modals/payment/invoice_apply_credit.php b/agent/modals/payment/invoice_apply_credit.php
index 89734089..7a0514b5 100644
--- a/agent/modals/payment/invoice_apply_credit.php
+++ b/agent/modals/payment/invoice_apply_credit.php
@@ -30,6 +30,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="invoice_id" value="<?php echo $invoice_id; ?>">
     <div class="modal-body">
 
diff --git a/agent/modals/payment/payment_add.php b/agent/modals/payment/payment_add.php
index dcfa62c7..e625b942 100644
--- a/agent/modals/payment/payment_add.php
+++ b/agent/modals/payment/payment_add.php
@@ -43,6 +43,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="invoice_id" value="<?php echo $invoice_id; ?>">
     <input type="hidden" name="balance" value="<?php echo $balance; ?>">
     <input type="hidden" name="currency_code" value="<?php echo $client_currency_code; ?>">
diff --git a/agent/modals/payment/payment_bulk_add.php b/agent/modals/payment/payment_bulk_add.php
index 41f93ecc..a4fe1edb 100644
--- a/agent/modals/payment/payment_bulk_add.php
+++ b/agent/modals/payment/payment_bulk_add.php
@@ -41,6 +41,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
     <input type="hidden" name="balance" value="<?php echo $balance; ?>">
     <input type="hidden" name="currency_code" value="<?php echo $client_currency_code; ?>">
diff --git a/agent/modals/payment/payment_edit.php b/agent/modals/payment/payment_edit.php
index 38d996be..9aee0218 100644
--- a/agent/modals/payment/payment_edit.php
+++ b/agent/modals/payment/payment_edit.php
@@ -23,6 +23,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="payment_id" value="<?= $payment_id ?>">
     <div class="modal-body">
 
diff --git a/agent/modals/payment/payment_export.php b/agent/modals/payment/payment_export.php
index 512d6cd0..bd861fbd 100644
--- a/agent/modals/payment/payment_export.php
+++ b/agent/modals/payment/payment_export.php
@@ -15,6 +15,7 @@ ob_start();
     </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
     <input type="hidden" name="client_id" value="<?= $client_id ?>">
 
     <div class="modal-body">
diff --git a/agent/payments.php b/agent/payments.php
index 551a3c3c..936b03fe 100644
--- a/agent/payments.php
+++ b/agent/payments.php
@@ -254,7 +254,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                                 <i class="fas fa-fw fa-edit mr-2"></i>Edit
                                             </a>
                                             <div class="dropdown-divider"></div>
-                                            <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_payment=<?= $payment_id ?>">
+                                            <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_payment=<?= $payment_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                 <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                             </a>
                                         </div>
diff --git a/agent/post/payment.php b/agent/post/payment.php
index 9060b9a5..49bc069d 100644
--- a/agent/post/payment.php
+++ b/agent/post/payment.php
@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['add_payment'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_sales', 2);
     enforceUserPermission('module_financial', 2);
 
@@ -173,6 +175,8 @@ if (isset($_POST['add_payment'])) {
 
 if (isset($_POST['edit_payment'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_sales', 3);
     enforceUserPermission('module_financial', 3);
 
@@ -198,6 +202,8 @@ Apply Credit Not ready for use 2025-08-27 - JQ
 
 if (isset($_POST['apply_credit'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_sales', 2);
     enforceUserPermission('module_financial', 2);
 
@@ -685,6 +691,8 @@ if (isset($_GET['add_payment_stripe'])) {
 
 if (isset($_POST['add_bulk_payment'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
     enforceUserPermission('module_sales', 2);
     enforceUserPermission('module_financial', 2);
 
@@ -817,6 +825,8 @@ if (isset($_POST['add_bulk_payment'])) {
 
 if (isset($_GET['delete_payment'])) {
 
+    validateCSRFToken($_GET['csrf_token']);
+
     enforceUserPermission('module_sales', 2);
     enforceUserPermission('module_financial', 2);
 
@@ -871,6 +881,10 @@ if (isset($_GET['delete_payment'])) {
 
 if (isset($_POST['export_payments_csv'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
+
+    enforceUserPermission('module_financial');
+
     if ($_POST['client_id']) {
         $client_id = intval($_POST['client_id']);
         $client_query = "AND invoice_client_id = $client_id";