diff --git a/api_key_add_modal.php b/api_key_add_modal.php
index a06dc3aa..6249e6a0 100644
--- a/api_key_add_modal.php
+++ b/api_key_add_modal.php
@@ -13,6 +13,7 @@ $key = keygen();
       <form action="post.php" method="post" autocomplete="off">
         <div class="modal-body bg-white">
 
+          <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
           <input type="hidden" name="key" value="<?php echo $key ?>">
 
           <div class="form-group">
diff --git a/post.php b/post.php
index f83982e7..8f4488f6 100644
--- a/post.php
+++ b/post.php
@@ -419,6 +419,9 @@ if(isset($_POST['add_api_key'])){
       exit();
     }
 
+    // CSRF Check
+    validateCSRFToken($_POST['csrf_token']);
+
     $secret = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['key'])));
     $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
     $expire = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['expire'])));
@@ -446,17 +449,19 @@ if(isset($_GET['delete_api_key'])){
       exit();
     }
 
+    // CSRF Check
+    validateCSRFToken($_GET['csrf_token']);
+
     $api_key_id = intval($_GET['delete_api_key']);
 
     // Get API Key Name
-    $sql = mysqli_query($mysqli,"SELECT * FROM api_keys WHERE api_key_id = $api_key_id AND company_id = $session_company_id");
-    $row = mysqli_fetch_array($sql);
+    $row = mysqli_fetch_array(mysqli_query($mysqli,"SELECT * FROM api_keys WHERE api_key_id = $api_key_id AND company_id = $session_company_id"));
     $name = $row['api_key_name'];
 
     mysqli_query($mysqli,"DELETE FROM api_keys WHERE api_key_id = $api_key_id AND company_id = $session_company_id");
 
     // Logging   
-    mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API Key', log_action = 'Delete', log_description = '$session_name deleted user $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent',  log_user_id = $session_user_id, company_id = $session_company_id");
+    mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API Key', log_action = 'Delete', log_description = '$session_name deleted API key $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent',  log_user_id = $session_user_id, company_id = $session_company_id");
 
     $_SESSION['alert_type'] = "danger";
     $_SESSION['alert_message'] = "API Key <strong>$name</strong> deleted";
diff --git a/settings-api.php b/settings-api.php
index 0375ae15..0068f9f7 100644
--- a/settings-api.php
+++ b/settings-api.php
@@ -81,7 +81,7 @@
                   <i class="fas fa-ellipsis-h"></i>
                 </button>
                 <div class="dropdown-menu">
-                  <a class="dropdown-item text-danger" href="post.php?delete_api_key=<?php echo $api_key_id; ?>">Revoke</a>
+                  <a class="dropdown-item text-danger" href="post.php?delete_api_key=<?php echo $api_key_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token'] ?>">Revoke</a>
                 </div>
               </div>   
             </td>