diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/additional-contents.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/additional-contents.tt
index 69c30eaf57..ad0aab33fc 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/additional-contents.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/additional-contents.tt
@@ -201,6 +201,7 @@
+ [% INCLUDE 'csrf-token.inc' %]
@@ -452,6 +453,7 @@
+ [% INCLUDE 'csrf-token.inc' %]
diff --git a/tools/additional-contents.pl b/tools/additional-contents.pl
index 46f358f9d7..e066bb8fee 100755
--- a/tools/additional-contents.pl
+++ b/tools/additional-contents.pl
@@ -28,7 +28,7 @@ use C4::Auth qw(get_template_and_user);
 use C4::Koha;
 use C4::Context;
 use C4::Log qw( logaction );
-use C4::Output qw(output_html_with_http_headers);
+use C4::Output qw(output_html_with_http_headers output_and_exit_if_error);
 use C4::Languages qw(getTranslatedLanguages);
 use Koha::DateUtils qw( dt_from_string output_pref );
@@ -84,6 +84,7 @@ if ( $op eq 'add_form' ) {
 );
 }
 elsif ( $op eq 'add_validate' ) {
+ output_and_exit_if_error($cgi, $cookie, $template, { check => 'csrf_token' });
 my $location = $cgi->param('location');
 my $code = $cgi->param('code');
 my $branchcode = $cgi->param('branchcode') || undef;
@@ -199,6 +200,7 @@ elsif ( $op eq 'add_validate' ) {
 }
 }
 elsif ( $op eq 'delete_confirmed' ) {
+ output_and_exit_if_error($cgi, $cookie, $template, { check => 'csrf_token' });
 my @ids = $cgi->multi_param('ids');
 my $deleted = eval {
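Review bot: The CSRF check added at the top of the `add_validate` branch is pasted again at the top of `delete_confirmed` in the `@@ -199` hunk, so protection depends on every future state-changing `$op` branch repeating it. A single guard ahead of the `if`/`elsif` dispatch would make the protected set explicit, for example `if ( $op eq 'add_validate' || $op eq 'delete_confirmed' ) { output_and_exit_if_error($cgi, $cookie, $template, { check => 'csrf_token' }); }`, assuming `$cookie` and `$template` are already populated at that point. If the per-branch calls are kept, a comment such as `# CSRF: must stay first, before any parameter is read or any row is changed` on each would record why the order matters. Nothing visible here restricts these ops to POST, so it is worth confirming that both forms submit with `method="post"`; a token sent in a query string would end up in access logs and Referer headers. The dispatch chain begins and ends outside the visible hunks, so other mutating branches could not be checked from here.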