diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/sco/sco-main.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/sco/sco-main.tt
index a2ed9c4d43..f7fae7bb54 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/sco/sco-main.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/sco/sco-main.tt
@@ -204,7 +204,7 @@ [% IF ( display_patron_image ) %]
- +
 [% END %]
diff --git a/opac/sco/sco-main.pl b/opac/sco/sco-main.pl
index 6518c31eaf..4153277fdb 100755
--- a/opac/sco/sco-main.pl
+++ b/opac/sco/sco-main.pl
@@ -34,7 +34,6 @@ use Modern::Perl;
 use CGI qw ( -utf8 );
-use Digest::MD5 qw(md5_base64);
 use C4::Auth qw(get_template_and_user checkpw);
 use C4::Koha;
@@ -48,6 +47,7 @@ use Koha::DateUtils qw( dt_from_string );
 use Koha::Acquisition::Currencies;
 use Koha::Patron::Images;
 use Koha::Patron::Messages;
+use Koha::Token;
 my $query = new CGI;
@@ -302,6 +302,7 @@ if ($borrower->{cardnumber}) {
 $template->param(
 display_patron_image => 1,
 cardnumber => $borrower->{cardnumber},
+ csrf_token => Koha::Token->new->generate_csrf( { session_id => scalar $query->cookie('CGISESSID') . $borrower->{cardnumber}, id => $borrower->{userid}} ),
 ) if $patron_image;
 }
 } else {
diff --git a/opac/sco/sco-patron-image.pl b/opac/sco/sco-patron-image.pl
index e76620be7d..dc6fbc871a 100755
--- a/opac/sco/sco-patron-image.pl
+++ b/opac/sco/sco-patron-image.pl
@@ -22,6 +22,8 @@ use warnings;
 use C4::Service;
 use C4::Members;
 use Koha::Patron::Images;
+use Koha::Patrons;
+use Koha::Token;
 my ($query, $response) = C4::Service->init(circulate => 'self_checkout');
@@ -35,10 +37,28 @@ unless (C4::Context->preference('ShowPatronImageInWebBasedSelfCheck')) {
 }
 my ($borrowernumber) = C4::Service->require_params('borrowernumber');
+my ($csrf_token) = C4::Service->require_params('csrf_token');
-my $patron_image = Koha::Patron::Images->find($borrowernumber);
+my $patron = Koha::Patrons->find( $borrowernumber );
+my $patron_image = $patron->image;
 if ($patron_image) {
+
+ unless (
+ Koha::Token->new->check_csrf(
+ {
+ session_id => scalar $query->cookie('CGISESSID')
+ . $patron->cardnumber,
+ id => $patron->userid,
+ token => $csrf_token,
+ }
+ )
+ )
+ {
+
+ print $query->header(-type => 'text/plain', -status => '403 Forbidden');
+ exit;
+ }
 print $query->header(
 -type => $patron_image->mimetype,
 -Content_Length => length( $patron_image->imagefile )
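Review bot: The `scalar` on the new `csrf_token` line in the `@@ -302` hunk binds to the whole concatenation, not just the cookie call — named unary operators sit below `.` in Perl's precedence table — so it reads as a guard against `cookie()` returning a list but is actually redundant, since `.` already puts both operands in scalar context; `scalar( $query->cookie('CGISESSID') ) . $borrower->{cardnumber}` says what was meant without the precedence trap. The line is also about 150 characters inside a call that is itself guarded by a postfix `if`, which hides the session-plus-patron binding that sco-patron-image.pl must rebuild byte-for-byte in its `check_csrf` call; a short comment and the usual one-key-per-line layout would make that coupling visible (fence below). If the session cookie or `userid` can be undefined here (no `CGISESSID`, or a patron without a userid), the concatenation warns and both sides quietly fall back to a weaker binding — worth confirming against Koha::Token rather than assumed. The enclosing `if ($borrower->{cardnumber})` block starts before this hunk.
```perl
        $template->param(
            # … unchanged: display_patron_image, cardnumber …
            # Bind the token to this session *and* this patron; sco-patron-image.pl
            # must rebuild the identical session_id before it serves the image.
            csrf_token           => Koha::Token->new->generate_csrf(
                {
                    session_id => scalar( $query->cookie('CGISESSID') ) . $borrower->{cardnumber},
                    id         => $borrower->{userid},
                }
            ),
        ) if $patron_image;
```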