diff --git a/app/http/endpoints/api/token.go b/app/http/endpoints/api/token.go
index 8c74e7c..110d4a6 100644
--- a/app/http/endpoints/api/token.go
+++ b/app/http/endpoints/api/token.go
@@ -13,7 +13,7 @@ import (
 func TokenHandler(ctx *gin.Context) {
 session := sessions.Default(ctx)
 userId := utils.GetUserId(session)
- //TODO : CSRF
+
 token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
 "userid": strconv.FormatUint(userId, 10),
 })
diff --git a/app/http/middleware/verifyheader.go b/app/http/middleware/verifyheader.go
new file mode 100644
index 0000000..823fed0
--- /dev/null
+++ b/app/http/middleware/verifyheader.go
@@ -0,0 +1,12 @@
+package middleware
+
+import (
+ "github.com/TicketsBot/GoPanel/utils"
+ "github.com/gin-gonic/gin"
+)
+
+func VerifyXTicketsHeader(ctx *gin.Context) {
+ if ctx.GetHeader("x-tickets") != "true" {
+ ctx.AbortWithStatusJSON(400, utils.ErrorStr("Missing x-tickets header"))
+ }
+}
diff --git a/app/http/server.go b/app/http/server.go
index 936f071..fb963b3 100644
--- a/app/http/server.go
+++ b/app/http/server.go
@@ -59,7 +59,7 @@ func StartServer() {
 
 authorized := router.Group("/", middleware.AuthenticateCookie)
 {
- authorized.POST("/token", api.TokenHandler)
+ authorized.POST("/token", middleware.VerifyXTicketsHeader, api.TokenHandler)
 
 authenticateGuildAdmin := authorized.Group("/", middleware.AuthenticateGuild(false, permission.Admin))
 authenticateGuildSupport := authorized.Group("/", middleware.AuthenticateGuild(false, permission.Support))
@@ -80,7 +80,7 @@ func StartServer() {
 authorized.GET("/webchat", manage.WebChatWs)
 }
 
- apiGroup := router.Group("/api", middleware.AuthenticateToken)
+ apiGroup := router.Group("/api", middleware.VerifyXTicketsHeader, middleware.AuthenticateToken)
 guildAuthApiAdmin := apiGroup.Group("/:id", middleware.AuthenticateGuild(true, permission.Admin))
 guildAuthApiSupport := apiGroup.Group("/:id", middleware.AuthenticateGuild(true, permission.Support))
 {
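Review bot: Dropping `//TODO : CSRF` in favour of a blank line leaves TokenHandler with no trace of where the CSRF defence now lives, so a reader of token.go alone cannot tell that the handler only works because middleware.VerifyXTicketsHeader is registered in front of it in server.go. Suggest replacing the added blank line with `// CSRF: cross-site calls are rejected by middleware.VerifyXTicketsHeader, registered on this route in server.go.` TokenHandler's body continues outside the hunk.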
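Review bot: VerifyXTicketsHeader is a CSRF guard whose whole value comes from browsers attaching custom headers only to same-origin requests or to cross-origin requests that pass a CORS preflight, yet the function has no doc comment saying so, and its strength depends on the server's CORS configuration, which is not in this diff: if x-tickets were ever listed in Access-Control-Allow-Headers for untrusted origins the check would stop protecting anything. Suggest a doc comment such as `// VerifyXTicketsHeader aborts requests that lack the custom x-tickets header. Browsers only send custom headers same-origin or after a CORS preflight, so this blocks cookie-bearing cross-site requests (CSRF); keep x-tickets out of Access-Control-Allow-Headers for untrusted origins.` A 403 also describes the rejection better than 400, and the message `Missing x-tickets header` is returned even when the header is present with another value, so `ctx.AbortWithStatusJSON(403, utils.ErrorStr("Missing or invalid x-tickets header"))` would be both more accurate and easier to debug.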
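Review bot: Only the `/token` route gains VerifyXTicketsHeader; the other routes in the cookie-authenticated `authorized` group (everything under authenticateGuildAdmin and authenticateGuildSupport, and `/webchat` in the next hunk) still accept cookie-authenticated requests without the header. Those handlers are outside this diff, so I cannot tell whether any of them changes state, but any that do remain reachable from a cross-site page; attaching the middleware at the group, `authorized := router.Group("/", middleware.AuthenticateCookie, middleware.VerifyXTicketsHeader)`, would cover them uniformly, provided the websocket upgrade and any browser-navigated GETs in that group can still carry the header. If those routes are all read-only or navigation pages, a comment on the `/token` line explaining why it alone needs the check would save the next reader the same question.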
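Review bot: On `/api` the header check is placed before AuthenticateToken, so a request without x-tickets is answered 400 before its credentials are looked at, and since auth.js sends the JWT in an Authorization header rather than relying on a cookie, the check here appears to be defence in depth rather than the primary CSRF control (AuthenticateToken's implementation is outside the diff, so this is inferred). A short comment on the changed line, `// x-tickets is required on /api too, although bearer-token auth is not cookie-bound; see middleware.VerifyXTicketsHeader`, would keep someone from later removing it as redundant on one group but not the other.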
diff --git a/public/static/js/auth.js b/public/static/js/auth.js
index a9b20e7..f70292f 100644
--- a/public/static/js/auth.js
+++ b/public/static/js/auth.js
@@ -1,8 +1,11 @@
 async function getToken() {
 let token = window.localStorage.getItem('token');
 if (token == null) {
- let res = await axios.post('/token', {
- withCredentials: true
+ let res = await axios.post('/token', undefined, {
+ withCredentials: true,
+ headers: {
+ 'x-tickets': 'true'
+ }
 });
 
 if (res.status !== 200 || !res.data.success) {
@@ -25,6 +28,7 @@ function clearLocalStorage() {
 async function setDefaultHeader() {
 const token = await getToken();
 axios.defaults.headers.common['Authorization'] = token;
+ axios.defaults.headers.common['x-tickets'] = 'true'; // abritrary header name and value
 axios.defaults.validateStatus = false;
 }
 
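Review bot: The header name and value `'x-tickets': 'true'` are now spelled out in three places (here, in setDefaultHeader in the next hunk, and in verifyheader.go) with nothing tying the client literals to the server check, so a rename on either side silently turns the login flow into a 400. Suggest a module-level `const CSRF_HEADER = { 'x-tickets': 'true' };` near the top of auth.js, used as `headers: CSRF_HEADER` here and copied into axios defaults in setDefaultHeader, so the client has one definition to keep in step with the middleware. Since the request goes to the relative path `/token` it should stay same-origin; if this page is ever served from another origin, the custom header will trigger a CORS preflight that the server would have to answer, which is worth a comment next to the headers object.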
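Review bot: The comment on the added line, `// abritrary header name and value`, misspells "arbitrary" and, more importantly, undersells the header: it is the value the server now requires as its CSRF guard (middleware.VerifyXTicketsHeader), so calling it arbitrary invites a future cleanup that drops it. Suggest `// required by the server as a CSRF guard (middleware.VerifyXTicketsHeader); the name/value are arbitrary but must match it`.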