diff --git a/app/Filters.scala b/app/Filters.scala
new file mode 100644
index 000000000..0abf16491
--- /dev/null
+++ b/app/Filters.scala
@@ -0,0 +1,6 @@
+import javax.inject.Inject
+
+import play.api.http.DefaultHttpFilters
+import play.filters.csrf.CSRFFilter
+
+class Filters @Inject()(csrfFilters: CSRFFilter) extends DefaultHttpFilters(csrfFilters)
diff --git a/app/assets/stylesheets/_project.scss b/app/assets/stylesheets/_project.scss
index c98c98a79..2d8e0c632 100755
--- a/app/assets/stylesheets/_project.scss
+++ b/app/assets/stylesheets/_project.scss
@@ -14,6 +14,16 @@
   margin-bottom: 10px;
 }
 
+.form-channel-delete {
+  margin: 0;
+  display: inline;
+}
+
+.form-inline {
+  margin: 0;
+  display: inline;
+}
+
 .version-header {
   position: relative;
   margin-top: 0;
diff --git a/app/controllers/Organizations.scala b/app/controllers/Organizations.scala
index aea24efd7..ee16e78aa 100755
--- a/app/controllers/Organizations.scala
+++ b/app/controllers/Organizations.scala
@@ -52,25 +52,30 @@ class Organizations @Inject()(forms: OreForms,
     * @return Redirect to organization page
     */
   def create() = UserLock() { implicit request =>
-    val user = request.user
-    val failCall = routes.Organizations.showCreator()
-    if (user.ownedOrganizations.size >= this.createLimit)
-      BadRequest
-    else if (user.isLocked)
-      Redirect(failCall).withError("error.user.locked")
-    else {
-      this.forms.OrganizationCreate.bindFromRequest().fold(
-        hasErrors =>
-          FormError(failCall, hasErrors),
-        formData => {
-          this.organizations.create(formData.name, user.id.get, formData.build()) match {
-            case Left(error) =>
-              Redirect(failCall).withError(error)
-            case Right(organization) =>
-              Redirect(routes.Users.showProjects(organization.name, None))
+    if (true) {
+      Redirect(routes.Application.showHome(None, None, None, None, None))
+        .withError("Creation of new Organizations is temporarily disabled.")
+    } else {
+      val user = request.user
+      val failCall = routes.Organizations.showCreator()
+      if (user.ownedOrganizations.size >= this.createLimit)
+        BadRequest
+      else if (user.isLocked)
+        Redirect(failCall).withError("error.user.locked")
+      else {
+        this.forms.OrganizationCreate.bindFromRequest().fold(
+          hasErrors =>
+            FormError(failCall, hasErrors),
+          formData => {
+            this.organizations.create(formData.name, user.id.get, formData.build()) match {
+              case Left(error) =>
+                Redirect(failCall).withError(error)
+              case Right(organization) =>
+                Redirect(routes.Users.showProjects(organization.name, None))
+            }
           }
-        }
-      )
+        )
+      }
     }
   }
 
diff --git a/app/controllers/project/Projects.scala b/app/controllers/project/Projects.scala
index f2c161831..572fa2d72 100755
--- a/app/controllers/project/Projects.scala
+++ b/app/controllers/project/Projects.scala
@@ -109,8 +109,14 @@ class Projects @Inject()(stats: StatTracker,
       case None =>
         Redirect(self.showCreator())
       case Some(pendingProject) =>
-        pendingProject.settings.save(pendingProject.underlying, this.forms.ProjectSave.bindFromRequest().get)
-        Ok(views.invite(pendingProject))
+        this.forms.ProjectSave.bindFromRequest().fold(
+          hasErrors =>
+            FormError(self.showCreator(), hasErrors),
+          formData => {
+            pendingProject.settings.save(pendingProject.underlying, formData)
+            Ok(views.invite(pendingProject))
+          }
+        )
     }
   }
 
@@ -418,8 +424,14 @@ class Projects @Inject()(stats: StatTracker,
     */
   def save(author: String, slug: String) = SettingsEditAction(author, slug) { implicit request =>
     val project = request.project
-    project.settings.save(project, this.forms.ProjectSave.bindFromRequest().get)
-    Redirect(self.show(author, slug))
+    this.forms.ProjectSave.bindFromRequest().fold(
+      hasErrors =>
+        FormError(self.showSettings(author, slug), hasErrors),
+      formData => {
+        project.settings.save(project, formData)
+        Redirect(self.show(author, slug))
+      }
+    )
   }
 
   /**
diff --git a/app/form/OreForms.scala b/app/form/OreForms.scala
index 847a552c3..d2c40f728 100755
--- a/app/form/OreForms.scala
+++ b/app/form/OreForms.scala
@@ -1,5 +1,6 @@
 package form
 
+import java.net.{MalformedURLException, URL}
 import javax.inject.Inject
 
 import form.organization.{OrganizationAvatarUpdate, OrganizationMembersUpdate, OrganizationRoleSetBuilder}
@@ -18,6 +19,20 @@ import play.api.data.Forms._
 //noinspection ConvertibleToMethodValue
 class OreForms @Inject()(implicit config: OreConfig, factory: ProjectFactory) {
 
+  val url = text verifying("error.url.invalid", text => {
+    if (text.isEmpty)
+      true
+    else {
+      try {
+        new URL(text)
+        true
+      } catch {
+        case _: MalformedURLException =>
+          false
+      }
+    }
+  })
+
   /**
     * Submits a member to be removed from a Project.
     */
@@ -42,10 +57,10 @@ class OreForms @Inject()(implicit config: OreConfig, factory: ProjectFactory) {
     */
   lazy val ProjectSave = Form(mapping(
     "category" -> text,
-    "issues" -> text,
-    "source" -> text,
+    "issues" -> url,
+    "source" -> url,
     "license-name" -> text,
-    "license-url" -> text,
+    "license-url" -> url,
     "description" -> text,
     "users" -> list(number),
     "roles" -> list(text),
@@ -79,7 +94,7 @@ class OreForms @Inject()(implicit config: OreConfig, factory: ProjectFactory) {
     */
   lazy val OrganizationUpdateAvatar = Form(mapping(
     "avatar-method" -> nonEmptyText,
-    "avatar-url" -> optional(nonEmptyText)
+    "avatar-url" -> optional(url)
   )(OrganizationAvatarUpdate.apply)(OrganizationAvatarUpdate.unapply))
 
   /**
diff --git a/app/views/bootstrap/layout.scala.html b/app/views/bootstrap/layout.scala.html
index e8d60b8da..42a149a1a 100755
--- a/app/views/bootstrap/layout.scala.html
+++ b/app/views/bootstrap/layout.scala.html
@@ -50,6 +50,7 @@
             <script type="text/javascript" src="@routes.Assets.at("javascripts/spongie.js")"></script>
             <script type="text/javascript" src="@routes.Assets.at("javascripts/main.js")"></script>
             <script>hljs.initHighlightingOnLoad();</script>
+            <script>csrf = '@play.filters.csrf.CSRF.getToken.get.value'</script>
             <script>
                     (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
                                 (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
diff --git a/app/views/createOrganization.scala.html b/app/views/createOrganization.scala.html
index 0cef0b899..eff414c20 100755
--- a/app/views/createOrganization.scala.html
+++ b/app/views/createOrganization.scala.html
@@ -3,6 +3,7 @@
 @import models.user.role.OrganizationRole
 @import ore.OreConfig
 @import views.html.helper.form
+@import views.html.helper.CSRF
 @()(implicit messages: Messages, flash: Flash, request: Request[_], service: ModelService, config: OreConfig,
         userBase: UserBase)
 
@@ -26,6 +27,7 @@ <h3 class="panel-title">
                         <p class="minor"> @messages("org.info")</p>
 
                         @form(action = routes.Organizations.create(), 'id -> "form-continue") {
+                            @CSRF.formField
                             <div class="setting">
                                 <div class="setting-description">
                                     <h4>@messages("org.name")</h4>
diff --git a/app/views/projects/channels/list.scala.html b/app/views/projects/channels/list.scala.html
index 087317ed1..3423decf5 100755
--- a/app/views/projects/channels/list.scala.html
+++ b/app/views/projects/channels/list.scala.html
@@ -1,11 +1,24 @@
-@import controllers.project.{routes => projectRoutes}
 @import db.ModelService
 @import db.impl.access.UserBase
 @import models.project.{Channel, Project}
 @import ore.OreConfig
+@import views.html.helper.form
+@import views.html.helper.CSRF
 @(project: Project, channels: Seq[Channel])(implicit messages: Messages, flash: Flash, request: Request[_],
         service: ModelService, config: OreConfig, users: UserBase)
 
+@projectRoutes = @{
+    controllers.project.routes.Projects
+}
+
+@channelRoutes = @{
+    controllers.project.routes.Channels
+}
+
+@versionRoutes = @{
+    controllers.project.routes.Versions
+}
+
 @bootstrap.layout(messages("channel.list.page-title", project.ownerName, project.slug)) {
 
     <script type="text/javascript" src="@routes.Assets.at("javascripts/channelManage.js")"></script>
@@ -15,7 +28,7 @@
         $(function() {
             initChannelManager(
                     "#channel-new", "", "@config.defaultChannelColor.hex", "New channel",
-                    "@projectRoutes.Channels.create(project.ownerName, project.slug)",
+                    "@channelRoutes.create(project.ownerName, project.slug)",
                     "post", "Create channel"
             );
         });
@@ -54,21 +67,32 @@ <h3 class="panel-title">@messages("channel.list.title")</h3>
                                                 <i data-toggle="modal" data-target="#channel-settings"
                                                    id="channel-edit-@channel.id" class="fa fa-edit"></i>
                                             </a>
-                                            <a id="channel-delete-@channel.id"
-                                              @if(channels.size == 1) {
-                                                  data-toggle="tooltip" data-placement="top"
-                                                  title="@messages("channel.edit.cannotDeleteLast")"
-                                              } else {
+
+                                            @if(channels.size == 1) {
+                                                <a id="channel-delete-@channel.id" data-toggle="tooltip"
+                                                   data-placement="top"
+                                                   title="@messages("channel.edit.cannotDeleteLast")">
+                                                    <i class="fa fa-trash"></i>
+                                                </a>
+                                            } else {
                                                 @if(channel.versions.nonEmpty) {
-                                                    data-toggle="modal" data-target="#modal-delete"
+                                                    <a id="channel-delete-@channel.id" data-toggle="modal"
+                                                       data-target="#modal-delete">
+                                                        <i class="fa fa-trash"></i>
+                                                    </a>
                                                 } else {
-                                                    href="@projectRoutes.Channels.delete(
-                                                        project.ownerName, project.slug, channel.name)"
+                                                    @form(action = channelRoutes.delete(
+                                                        project.ownerName, project.slug, channel.name),
+                                                        'id -> s"form-delete-${channel.id.get}",
+                                                        'class -> "form-channel-delete") {
+                                                        @CSRF.formField
+                                                        <a id="channel-delete-@channel.id.get" class="safe-delete"
+                                                           data-channel-id="@channel.id.get">
+                                                            <i class="fa fa-trash"></i>
+                                                        </a>
+                                                    }
                                                 }
-                                              }
-                                            >
-                                                <i class="fa fa-trash"></i>
-                                            </a>
+                                            }
                                         </div>
                                       </td>
                                   </tr>
@@ -77,7 +101,7 @@ <h3 class="panel-title">@messages("channel.list.title")</h3>
                                           initChannelDelete('#channel-delete-@channel.id', '@channel.name', @channel.versions.size);
                                           initChannelManager(
                                                   "#channel-edit-@channel.id", "@channel.name", "@channel.color.hex",
-                                                  "Edit channel", "@projectRoutes.Channels.save(
+                                                  "Edit channel", "@channelRoutes.save(
                                                     project.ownerName, project.slug, channel.name)",
                                                   "post", "Save changes"
                                           );
@@ -86,7 +110,7 @@ <h3 class="panel-title">@messages("channel.list.title")</h3>
                                 }
                             </tbody>
                         </table>
-                        <a href="@projectRoutes.Versions.showList(project.ownerName, project.slug, None)"
+                        <a href="@versionRoutes.showList(project.ownerName, project.slug, None)"
                            class="pull-left btn btn-default">
                             <i class="fa fa-arrow-left"></i>
                         </a>
@@ -126,7 +150,10 @@ <h4 class="modal-title" id="label-delete">@messages("channel.delete")</h4>
                     <button type="button" class="btn btn-default" data-dismiss="modal">
                         @messages("channel.delete.close")
                     </button>
-                    <a href="#" type="button" class="btn btn-danger">@messages("channel.delete")</a>
+                    <form method="post" action="#" class="form-channel-delete">
+                        @CSRF.formField
+                        <button type="submit" class="btn btn-danger">@messages("channel.delete")</button>
+                    </form>
                 </div>
             </div>
         </div>
diff --git a/app/views/projects/channels/utils/modalManage.scala.html b/app/views/projects/channels/utils/modalManage.scala.html
index 99ac83ab0..e9f752666 100755
--- a/app/views/projects/channels/utils/modalManage.scala.html
+++ b/app/views/projects/channels/utils/modalManage.scala.html
@@ -1,6 +1,7 @@
 @import ore.OreConfig
 @import views.html.helper.form
-@()(implicit messages: Messages, config: OreConfig)
+@import views.html.helper.CSRF
+@()(implicit messages: Messages, config: OreConfig, request: Request[_])
 
 <div class="modal fade" id="channel-settings" tabindex="-1" role="dialog" aria-labelledBy="settings-label">
     <div class="modal-dialog" role="document">
@@ -12,6 +13,7 @@
                 <h4 class="modal-title"></h4>
             </div>
             @form(action = routes.Application.showHome(None, None, None, None, None)) {
+                @CSRF.formField
                 <div class="modal-body">
                     <div class="form-inline">
                         <label for="channel-input">@messages("channel.name")</label>
diff --git a/app/views/projects/create.scala.html b/app/views/projects/create.scala.html
index 089c1e195..e3c5e218c 100755
--- a/app/views/projects/create.scala.html
+++ b/app/views/projects/create.scala.html
@@ -10,6 +10,7 @@
 @import views.html.helper.form
 @import ore.project.Dependency
 @import ore.project.Dependency._
+@import views.html.helper.CSRF
 @(pending: Option[PendingProject])(implicit messages: Messages, flash: Flash, request: Request[_],
         service: ModelService, config: OreConfig, users: UserBase)
 
@@ -119,6 +120,7 @@
         <div class="create-buttons">
             @* File controls *@
             @form(action = projectRoutes.upload, 'enctype -> "multipart/form-data", 'id -> "form-upload") {
+                @CSRF.formField
                 <label class="btn btn-default pull-left" for="pluginFile">
                     <input id="pluginFile" name="pluginFile" type="file" style="display: none;">
                     <input id="pluginSig" name="pluginSig" type="file" style="display: none;">
@@ -131,7 +133,7 @@
                 @defining(pending.get.underlying) { project =>
                     @form(action = projectRoutes.showInvitationForm(project.ownerName, project.slug),
                         'id -> "continue", 'class -> "pull-right") {
-
+                        @CSRF.formField
                         <div class="btn-group">
                             <a href="@projectRoutes.showCreator" title="Back" class="pull-left btn btn-default">
                                 <i class="fa fa-arrow-left"></i>
diff --git a/app/views/projects/invite.scala.html b/app/views/projects/invite.scala.html
index db7b74766..a9426077e 100755
--- a/app/views/projects/invite.scala.html
+++ b/app/views/projects/invite.scala.html
@@ -10,6 +10,7 @@
 
 @import scala.collection.JavaConverters._
 @import scala.concurrent.TimeoutException
+@import views.html.helper.CSRF
 @(pending: PendingProject)(implicit messages: Messages, flash: Flash, request: Request[_], service: ModelService,
         forums: OreDiscourseApi, config: OreConfig, userBase: UserBase)
 
@@ -49,6 +50,8 @@
                 pending.underlying.slug),
                 'id -> "form-continue") {
 
+                @CSRF.formField
+
                 <div class="btn-group pull-right">
                     <a href="@projectRoutes.Projects.showCreatorWithMeta(
                         pending.underlying.ownerName,
diff --git a/app/views/projects/settings.scala.html b/app/views/projects/settings.scala.html
index 074dbbeb9..b4f1a7283 100755
--- a/app/views/projects/settings.scala.html
+++ b/app/views/projects/settings.scala.html
@@ -5,6 +5,7 @@
 @import ore.permission.HideProjects
 @import ore.permission.scope.GlobalScope
 @import views.html.helper.form
+@import views.html.helper.CSRF
 @(project: Project)(implicit messages: Messages, flash: Flash, request: Request[_], service: ModelService,
         config: OreConfig, userBase: UserBase)
 
@@ -70,6 +71,7 @@ <h4>Description</h4>
                         <!-- Project icon -->
                         <div class="setting">
                             <form id="form-icon" enctype="multipart/form-data">
+                                @CSRF.formField
                                 <div class="setting-description">
                                     <h4>Icon</h4>
 
@@ -133,6 +135,7 @@ <h4 class="danger">Delete</h4>
 
                         @form(action = projectRoutes.save(project.ownerName, project.slug), 'id -> "save",
                             'class -> "pull-right") {
+                            @CSRF.formField
                             <input type="hidden" id="update-icon" name="update-icon" value="false" />
                             <button type="submit" name="save" class="btn btn-success btn-spinner" data-icon="fa-check">
                                 <i class="fa fa-check"></i> Save changes
@@ -173,6 +176,7 @@ <h4 class="modal-title" id="label-rename">@messages("project.rename.title")</h4>
                 <div class="modal-footer">
                     <div class="form-inline">
                     @form(action = projectRoutes.rename(project.ownerName, project.slug), 'id -> "rename") {
+                        @CSRF.formField
                         <button type="button" class="btn btn-default" data-dismiss="modal">
                         @messages("channel.edit.close")
                         </button>
@@ -199,6 +203,7 @@ <h4 class="modal-title" id="label-delete">@messages("project.delete.title")</h4>
                 <div class="modal-footer">
                     <div class="form-inline">
                     @form(action = projectRoutes.delete(project.ownerName, project.slug)) {
+                        @CSRF.formField
                         <button type="button" class="btn btn-default" data-dismiss="modal">
                         @messages("channel.edit.close")
                         </button>
diff --git a/app/views/projects/versions/create.scala.html b/app/views/projects/versions/create.scala.html
index 8e63229da..3d0fe91fc 100755
--- a/app/views/projects/versions/create.scala.html
+++ b/app/views/projects/versions/create.scala.html
@@ -6,6 +6,7 @@
 @import ore.project.factory.PendingVersion
 @import util.StringUtils
 @import views.html.helper.form
+@import views.html.helper.CSRF
 @(project: Project, pending: Option[PendingVersion],
   channels: Option[Seq[Channel]], showFileControls: Boolean)(implicit messages: Messages, flash: Flash,
         request: Request[_], service: ModelService, config: OreConfig, users: UserBase)
@@ -141,6 +142,7 @@ <h3>@messages("version.releaseBulletin")</h3>
                         @if(showFileControls) {
                             @form(action = projectRoutes.Versions.upload(project.ownerName, project.slug),
                                 'enctype -> "multipart/form-data", 'id -> "form-upload") {
+                                @CSRF.formField
                                 <label class="btn btn-default pull-left" for="pluginFile">
                                     <input id="pluginFile" name="pluginFile" type="file" style="display: none;">
                                     <input id="pluginSig" name="pluginSig" type="file" style="display: none;">
@@ -157,6 +159,7 @@ <h3>@messages("version.releaseBulletin")</h3>
                                 @form(action = projectRoutes.Versions.publish(
                                     project.ownerName, project.slug, version.versionString),
                                     'id -> "form-publish", 'class -> "pull-right") {
+                                    @CSRF.formField
                                     @if(!showFileControls) {
                                         <input type="hidden" class="channel-input" name="channel-input"
                                                value="@pending.get.channelName" />
diff --git a/app/views/projects/versions/view.scala.html b/app/views/projects/versions/view.scala.html
index b736b86bf..ca6840482 100755
--- a/app/views/projects/versions/view.scala.html
+++ b/app/views/projects/versions/view.scala.html
@@ -1,4 +1,3 @@
-@import controllers.project.{routes => projectRoutes}
 @import db.ModelService
 @import db.impl.access.{ProjectBase, UserBase}
 @import models.project.{Channel, Project, Version}
@@ -7,8 +6,9 @@
 @import ore.permission.{EditVersions, ReviewProjects}
 @import ore.project.Dependency.SpongeApiId
 @import util.StringUtils._
-@import ore.project.Dependency
 @import ore.project.Dependency._
+@import views.html.helper.form
+@import views.html.helper.CSRF
 @(project: Project, channel: Channel, version: Version)(implicit messages: Messages, request: Request[_], flash: Flash,
         service: ModelService, config: OreConfig, users: UserBase, projectBase: ProjectBase)
 
@@ -18,6 +18,14 @@
 @canApprove = @{ hasUser && (user can ReviewProjects in GlobalScope) }
 @isRecommended = @{ project.recommendedVersion.equals(version) }
 
+@projectRoutes = @{
+    controllers.project.routes.Projects
+}
+
+@versionRoutes = @{
+    controllers.project.routes.Versions
+}
+
 @projects.view(project, "#versions", noButtons = true) {
 
     <div class="container">
@@ -63,37 +71,45 @@ <h1 class="pull-left">@version.versionString</h1>
                         <div class="btn-group">
 
                             @if(!isRecommended && canEdit) {
-                                <a class="btn btn-info"
-                                   href="@projectRoutes.Versions.setRecommended(
-                                       project.ownerName, project.slug, version.versionString)">
-                                    <i class="fa fa-diamond"></i> Set recommended
-                                </a>
+                                @form(action = versionRoutes.setRecommended(
+                                    project.ownerName, project.slug, version.versionString), 'class -> "form-inline") {
+                                    @CSRF.formField
+                                    <button type="submit" class="btn btn-info">
+                                        <i class="fa fa-diamond"></i> Set recommended
+                                    </button>
+                                }
                             }
 
                             @if(!version.isReviewed && canApprove) {
-                                <a class="btn btn-success"
-                                   href="@projectRoutes.Versions.approve(
-                                       project.ownerName, project.slug, version.name)">
-                                    <i class="fa fa-thumbs-up"></i> Approve
-                                </a>
+                                @form(action = versionRoutes.approve(
+                                    project.ownerName, project.slug, version.name), 'class -> "form-inline") {
+                                    @CSRF.formField
+                                    <button type="submit" class="btn btn-success">
+                                        <i class="fa fa-thumps-up"></i> Approve
+                                    </button>
+                                }
                             }
 
                             @if(canEdit) {
-                                <a class="btn btn-danger"
-                                   @if(project.versions.size == 1) {
-                                       disabled data-toggle="tooltip" data-placement="top"
-                                       title="@messages("version.delete.cannot-last")"
-                                   } else {
-                                       href="@projectRoutes.Versions.delete(
-                                           project.ownerName, project.slug, version.versionString)"
-                                   }
-                                >
-                                    <i class="fa fa-trash"></i> @messages("general.delete")
-                                </a>
+                                @if(project.versions.size == 1) {
+                                    <a class="btn btn-danger" disabled data-toggle="tooltip" data-placement="top"
+                                       title="@messages("version.delete.cannot-last")">
+                                        <i class="fa fa-trash"></i> @messages("general.delete")
+                                    </a>
+                                } else {
+                                    @form(action = versionRoutes.delete(
+                                        project.ownerName, project.slug, version.versionString),
+                                        'class -> "form-inline") {
+                                        @CSRF.formField
+                                        <button type="submit" class="btn btn-danger">
+                                            <i class="fa fa-trash"></i> @messages("general.delete")
+                                        </button>
+                                    }
+                                }
                             }
 
                             <a class="btn btn-primary"
-                               href="@projectRoutes.Versions.download(
+                               href="@versionRoutes.download(
                                    project.ownerName, project.slug, version.versionString)">
                                 <i class="fa fa-download"></i> @messages("general.download")
                             </a>
@@ -119,7 +135,7 @@ <h1 class="pull-left">@version.versionString</h1>
                     }
                     <div class="col-md-12">
                         @utils.editor(
-                            saveCall = projectRoutes.Versions.saveDescription(
+                            saveCall = versionRoutes.saveDescription(
                                 project.ownerName, project.slug, version.versionString
                             ),
                             enabled = canEdit,
@@ -163,7 +179,7 @@ <h3 class="panel-title">Dependencies</h3>
                                 <li class="list-group-item">
                                     @defining(depend.project) { project =>
                                         @if(project.isDefined) {
-                                            <a href="@projectRoutes.Projects.show(
+                                            <a href="@projectRoutes.show(
                                                 project.get.ownerName, project.get.slug)">
                                                 <strong>@project.get.name</strong>
                                             </a>
diff --git a/app/views/projects/view.scala.html b/app/views/projects/view.scala.html
index bc12e26ca..3b1ed137e 100755
--- a/app/views/projects/view.scala.html
+++ b/app/views/projects/view.scala.html
@@ -10,6 +10,7 @@
 @import ore.permission.EditSettings
 @import ore.project.FlagReasons
 @import views.html.helper.form
+@import views.html.helper.CSRF
 @(project: Project, active: String, noButtons: Boolean = false)(content: Html)(implicit messages: Messages,
         request: Request[_], flash: Flash, service: ModelService, config: OreConfig, users: UserBase)
 
@@ -162,6 +163,7 @@ <h4 class="modal-title" id="label-flag">Flag project</h4>
                                             </div>
                                             @form(action = projectRoutes.Projects.flag(
                                                 project.ownerName, project.slug)) {
+                                                @CSRF.formField
                                                 <div class="modal-body">
                                                     <ul class="list-group list-flags">
                                                     @for(i <- 0 until FlagReasons.values.size) {
diff --git a/app/views/users/memberList.scala.html b/app/views/users/memberList.scala.html
index fac747f24..83996b692 100755
--- a/app/views/users/memberList.scala.html
+++ b/app/views/users/memberList.scala.html
@@ -6,6 +6,7 @@
 @import ore.user.Member
 @import ore.{Joinable, OreConfig}
 @import views.html.helper.form
+@import views.html.helper.CSRF
 @(model: Joinable[_ <: Member[_]], editable: Boolean = false, removeCall: Call = null,
         settingsCall: Call = null, saveCall: Call = null)(implicit messages: Messages, service: ModelService,
         config: OreConfig, userBase: UserBase, request: Request[_])
@@ -64,6 +65,7 @@ <h4 class="modal-title" id="label-user-delete">@messages("project.removeMember")
                     <div class="modal-body">@messages("project.removeMember.confirm")</div>
                     <div class="modal-footer">
                         @form(action = removeCall, 'class -> "form-inline") {
+                            @CSRF.formField
                             <input type="hidden" name="username" />
                             <button type="button" class="btn btn-default" data-dismiss="modal">
                                 @messages("general.close")
@@ -91,6 +93,7 @@ <h3 class="pull-left panel-title">@messages("project.settings.members")</h3>
 
                     @if(saveCall != null) {
                         @form(action = saveCall, 'id -> "save") {
+                            @CSRF.formField
                             <button class="btn-members-save btn btn-default btn-panel btn-xs" data-toggle="tooltip"
                                     data-placement="top" data-title="Send updates" style="display: none;">
                                 <i class="fa fa-paper-plane"></i>
diff --git a/app/views/users/view.scala.html b/app/views/users/view.scala.html
index eb1d6c8d5..d20e7f29c 100755
--- a/app/views/users/view.scala.html
+++ b/app/views/users/view.scala.html
@@ -7,6 +7,7 @@
 @import ore.user.Prompts
 @import util.StringUtils._
 @import views.html.helper.form
+@import views.html.helper.CSRF
 @(user: User)(content: Html)(implicit messages: Messages, flash: Flash, request: Request[_], service: ModelService,
         config: OreConfig, users: UserBase)
 
@@ -18,6 +19,14 @@
     user.pgpPubKey.map(key => "pgp-delete").getOrElse("")
 }
 
+@pgpFormCall = @{
+    user.pgpPubKey.map { key =>
+        routes.Users.verify(Some(routes.Users.deletePgpPublicKey(user.name, None, None).path()))
+    } getOrElse {
+        routes.Users.savePgpPublicKey(user.name)
+    }
+}
+
 @lockIcon = @{
     if (user.isLocked) "fa-lock" else "fa-unlock-alt"
 }
@@ -166,9 +175,8 @@ <h4 class="modal-title">
                     </h4>
                 </div>
 
-                @form(action = routes.Users.savePgpPublicKey(user.username),
-                    'id -> "form-pgp",
-                    'class -> pgpFormClass) {
+                @form(action = pgpFormCall, 'id -> "form-pgp", 'class -> pgpFormClass) {
+                    @CSRF.formField
                     <div class="modal-body">
                         <div class="alert alert-danger" style="display: none;">
                             <span class="error"></span>
@@ -250,20 +258,21 @@ <h4>@messages("user.pgp.pubKey")</h4>
 
         <div class="modal-footer">
             <button type="button" class="btn btn-default" data-dismiss="modal">@messages("general.close")</button>
-            <a href="@routes.Users.verify(Some(routes.Users.setLocked(
+            @form(action = routes.Users.verify(Some(routes.Users.setLocked(
                 user = user.username,
                 locked = !user.isLocked,
                 sso = None,
                 sig = None
-            ).path()))"
-               type="submit" class="btn btn-primary">
-                @messages("general.continue")
-            </a>
+            ).path())), 'class -> "form-inline") {
+                @CSRF.formField
+                <button type="submit" class="btn btn-primary">@messages("general.continue")</button>
+            }
         </div>
     }
 
     @utils.modal("modal-tagline", "label-tagline", "user.tagline.edit") {
         @form(action = routes.Users.saveTagline(user.username)) {
+            @CSRF.formField
             <div class="modal-body">
                 <div class="setting setting-no-border">
                     <div class="setting-description">
@@ -287,6 +296,7 @@ <h4>@messages("user.tagline")</h4>
     @utils.modal("modal-avatar", "label-avatar", "user.editAvatar") {
         @form(action = routes.Organizations.updateAvatar(user.name), 'id -> "form-avatar",
             'enctype -> "multipart/form-data") {
+            @CSRF.formField
             <div class="modal-body">
                 <div class="alert alert-danger">
                     <span class="error"></span>
diff --git a/app/views/utils/editor.scala.html b/app/views/utils/editor.scala.html
index c019ddb64..279acfc72 100644
--- a/app/views/utils/editor.scala.html
+++ b/app/views/utils/editor.scala.html
@@ -1,4 +1,5 @@
 @import views.html.helper.form
+@import views.html.helper.CSRF
 @(saveCall: Call = null,
   deleteCall: Call = null,
   savable: Boolean = true,
@@ -8,7 +9,7 @@
   cooked: Html = Html(""),
   subject: String = null,
   cancellable: Boolean = true,
-  targetForm: String = null)(implicit messages: Messages)
+  targetForm: String = null)(implicit messages: Messages, request: Request[_])
 
 @if(enabled) {
     <!-- Edit -->
@@ -65,8 +66,10 @@ <h4 class="modal-title" id="label-page-delete">Delete @subject.toLowerCase</h4>
                     </div>
                     <div class="modal-footer">
                         <button type="button" class="btn btn-default" data-dismiss="modal">Close</button>
-                        <a href="@deleteCall"
-                        type="button" class="btn btn-danger">Delete</a>
+                        @form(action = deleteCall) {
+                            @CSRF.formField
+                            <button type="submit" class="btn btn-danger">Delete</button>
+                        }
                     </div>
                 </div>
             </div>
@@ -87,6 +90,7 @@ <h4 class="modal-title" id="label-page-delete">Delete @subject.toLowerCase</h4>
 
     @if(savable) {
         @form(action = saveCall, 'id -> "form-editor-save") {
+            @CSRF.formField
         }
     }
 
diff --git a/build.sbt b/build.sbt
index ae808e16c..427b29208 100755
--- a/build.sbt
+++ b/build.sbt
@@ -6,7 +6,7 @@ lazy val `ore` = (project in file(".")).enablePlugins(PlayScala)
 
 scalaVersion := "2.11.7"
 
-libraryDependencies ++= Seq(cache, ws, specs2 % Test)
+libraryDependencies ++= Seq(cache, ws, filters, specs2 % Test)
 
 unmanagedResourceDirectories in Test <+=  baseDirectory (_ /"target/web/public/test")
 
diff --git a/conf/routes b/conf/routes
index 497a623aa..8087c9f72 100755
--- a/conf/routes
+++ b/conf/routes
@@ -4,9 +4,9 @@
 
 GET     /*path/                                                     @controllers.Application.removeTrail(path)
 
-GET     /admin/reset                                                @controllers.Application.reset()
-GET     /admin/seed                                                 @controllers.Application.seed(users: Int ?= 200, projects: Int ?= 1, versions: Int ?= 2, channels: Int ?= 2)
-GET     /admin/migrate                                              @controllers.Application.migrate()
+#GET     /admin/reset                                                @controllers.Application.reset()
+#GET     /admin/seed                                                 @controllers.Application.seed(users: Int ?= 200, projects: Int ?= 1, versions: Int ?= 2, channels: Int ?= 2)
+#GET     /admin/migrate                                              @controllers.Application.migrate()
 GET     /admin/queue                                                @controllers.Application.showQueue()
 GET     /admin/flags                                                @controllers.Application.showFlags()
 GET     /admin/flags/:id/resolve/:resolved                          @controllers.Application.setFlagResolved(id: Int, resolved: Boolean)
@@ -56,7 +56,7 @@ POST    /new/upload                                                 @controllers
 GET     /new/:author/:slug                                          @controllers.project.Projects.showCreatorWithMeta(author, slug)
 POST    /new/:author/:slug/members                                  @controllers.project.Projects.showInvitationForm(author, slug)
 
-GET     /invite/:id/:status                                         @controllers.project.Projects.setInviteStatus(id: Int, status)
+POST    /invite/:id/:status                                         @controllers.project.Projects.setInviteStatus(id: Int, status)
 
 POST    /pages/preview                                              @controllers.project.Pages.showPreview()
 
@@ -65,7 +65,7 @@ POST    /pages/preview                                              @controllers
 GET     /organizations/new                                          @controllers.Organizations.showCreator()
 POST    /organizations/new                                          @controllers.Organizations.create()
 
-GET     /organizations/invite/:id/:status                           @controllers.Organizations.setInviteStatus(id: Int, status)
+POST    /organizations/invite/:id/:status                           @controllers.Organizations.setInviteStatus(id: Int, status)
 
 POST    /organizations/:organization/settings/avatar                @controllers.Organizations.updateAvatar(organization)
 POST    /organizations/:organization/settings/members               @controllers.Organizations.updateMembers(organization)
@@ -75,23 +75,23 @@ POST    /organizations/:organization/settings/members/remove        @controllers
 GET     /authors                                                    @controllers.Users.showAuthors(sort: Option[String], page: Option[Int])
 
 GET     /notifications                                              @controllers.Users.showNotifications(notificationFilter: Option[String], inviteFilter: Option[String])
-GET     /notifications/read/:id                                     @controllers.Users.markNotificationRead(id: Int)
+POST    /notifications/read/:id                                     @controllers.Users.markNotificationRead(id: Int)
 
-GET     /prompts/read/:id                                           @controllers.Users.markPromptRead(id: Int)
+POST    /prompts/read/:id                                           @controllers.Users.markPromptRead(id: Int)
 
 GET     /:user                                                      @controllers.Users.showProjects(user, page: Option[Int])
 POST    /:user/settings/tagline                                     @controllers.Users.saveTagline(user)
-GET     /:user/settings/lock/:locked                                @controllers.Users.setLocked(user, locked: Boolean, sso: Option[String], sig: Option[String])
+POST    /:user/settings/lock/:locked                                @controllers.Users.setLocked(user, locked: Boolean, sso: Option[String], sig: Option[String])
 POST    /:user/settings/pgp                                         @controllers.Users.savePgpPublicKey(user)
-GET     /:user/settings/pgp/delete                                  @controllers.Users.deletePgpPublicKey(user, sso: Option[String], sig: Option[String])
+POST    /:user/settings/pgp/delete                                  @controllers.Users.deletePgpPublicKey(user, sso: Option[String], sig: Option[String])
 # -------- End Users --------
 
 POST    /:author/:slug                                              @controllers.project.Projects.showFirstVersionCreator(author, slug)
 GET     /:author/:slug                                              @controllers.project.Projects.show(author, slug)
-GET     /:author/:slug/star/:starred                                @controllers.project.Projects.setStarred(author, slug, starred: Boolean)
+POST    /:author/:slug/star/:starred                                @controllers.project.Projects.setStarred(author, slug, starred: Boolean)
 POST    /:author/:slug/flag                                         @controllers.project.Projects.flag(author, slug)
-GET     /:author/:slug/visible/:visible                             @controllers.project.Projects.setVisible(author, slug, visible: Boolean)
-GET     /:author/:slug/watch/:watching                              @controllers.project.Projects.setWatching(author, slug, watching: Boolean)
+POST    /:author/:slug/visible/:visible                             @controllers.project.Projects.setVisible(author, slug, visible: Boolean)
+POST    /:author/:slug/watch/:watching                              @controllers.project.Projects.setWatching(author, slug, watching: Boolean)
 
 GET     /:author/:slug/discuss                                      @controllers.project.Projects.showDiscussion(author, slug)
 POST    /:author/:slug/discuss/reply                                @controllers.project.Projects.postDiscussionReply(author, slug)
@@ -116,7 +116,7 @@ GET     /:author/:slug/icon/pending                                 @controllers
 
 GET     /:author/:slug/pages/:page/edit                             @controllers.project.Pages.showEditor(author, slug, page)
 POST    /:author/:slug/pages/:page/edit                             @controllers.project.Pages.save(author, slug, page)
-GET     /:author/:slug/pages/:page/delete                           @controllers.project.Pages.delete(author, slug, page)
+POST    /:author/:slug/pages/:page/delete                           @controllers.project.Pages.delete(author, slug, page)
 GET     /:author/:slug/pages/:page                                  @controllers.project.Pages.show(author, slug, page)
 
 
@@ -125,15 +125,15 @@ GET     /:author/:slug/pages/:page                                  @controllers
 GET     /:author/:slug/channels                                     @controllers.project.Channels.showList(author, slug)
 POST    /:author/:slug/channels                                     @controllers.project.Channels.create(author, slug)
 POST    /:author/:slug/channels/:channel                            @controllers.project.Channels.save(author, slug, channel)
-GET     /:author/:slug/channels/:channel/delete                     @controllers.project.Channels.delete(author, slug, channel)
+POST    /:author/:slug/channels/:channel/delete                     @controllers.project.Channels.delete(author, slug, channel)
 
 
 # ---------- Versions ----------
 
 GET     /:author/:slug/versions                                     @controllers.project.Versions.showList(author, slug, channels: Option[String])
 
-GET     /:author/:slug/versions/:version/approve                    @controllers.project.Versions.approve(author, slug, version)
-GET     /:author/:slug/versions/:version/delete                     @controllers.project.Versions.delete(author, slug, version)
+POST    /:author/:slug/versions/:version/approve                    @controllers.project.Versions.approve(author, slug, version)
+POST    /:author/:slug/versions/:version/delete                     @controllers.project.Versions.delete(author, slug, version)
 
 GET     /:author/:slug/versions/recommended/download                @controllers.project.Versions.downloadRecommended(author, slug)
 GET     /:author/:slug/versions/recommended/signature               @controllers.project.Versions.downloadRecommendedSignature(author, slug)
@@ -150,7 +150,7 @@ GET     /:author/:slug/versions/new/:version                        @controllers
 POST    /:author/:slug/versions/:version                            @controllers.project.Versions.publish(author, slug, version)
 GET     /:author/:slug/versions/:version                            @controllers.project.Versions.show(author, slug, version)
 POST    /:author/:slug/versions/:version/save                       @controllers.project.Versions.saveDescription(author, slug, version)
-GET     /:author/:slug/versions/:version/recommended                @controllers.project.Versions.setRecommended(author, slug, version)
+POST    /:author/:slug/versions/:version/recommended                @controllers.project.Versions.setRecommended(author, slug, version)
 
 
 # ---------- Other ----------
diff --git a/public/javascripts/channelManage.js b/public/javascripts/channelManage.js
index bf3eb63b3..012e0863a 100644
--- a/public/javascripts/channelManage.js
+++ b/public/javascripts/channelManage.js
@@ -51,9 +51,16 @@ function initChannelDelete(toggle, channelName, versionCount) {
     $(toggle).click(function() {
         var url = '/' + PROJECT_OWNER + '/' + PROJECT_SLUG + '/channels/' + channelName + '/delete';
         var modal = $('#modal-delete');
-        modal.find('.modal-footer').find('a').attr('href', url);
+        modal.find('.modal-footer').find('form').attr('action', url);
         modal.find('.version-count').text(versionCount);
     });
+    $('.safe-delete').click(function(e) {
+        console.log('clicked');
+        e.preventDefault();
+        var id = $(this).data('channel-id');
+        console.log(id);
+        $('#form-delete-' + id)[0].submit();
+    });
 }
 
 var onCustomSubmit = function(toggle, channelName, channelHex, title, submit) {
diff --git a/public/javascripts/hideProject.js b/public/javascripts/hideProject.js
index 5a633b24a..26f1fab05 100644
--- a/public/javascripts/hideProject.js
+++ b/public/javascripts/hideProject.js
@@ -33,6 +33,7 @@ $(function() {
         var project = $(this).data('project');
         var spinner = icon.removeClass(iconClass).addClass('fa-spinner fa-spin');
         $.ajax({
+            type: 'post',
             url: '/' + project + '/visible/' + !visible,
             fail: function () {
                 spinner.addClass(iconClass).removeClass('fa-spinner fa-spin');
diff --git a/public/javascripts/main.js b/public/javascripts/main.js
index 9ed386959..bac222f49 100755
--- a/public/javascripts/main.js
+++ b/public/javascripts/main.js
@@ -27,6 +27,7 @@ var KEY_MINUS = 173;
 
 var CATEGORY_STRING = null;
 var SORT_STRING = null;
+var csrf = null;
 
 /*
  * ==================================================
diff --git a/public/javascripts/notifications.js b/public/javascripts/notifications.js
index f0a3ac443..e701e6f85 100644
--- a/public/javascripts/notifications.js
+++ b/public/javascripts/notifications.js
@@ -25,6 +25,7 @@ function markRead(notification) {
     var btn = notification.find('.btn-mark-read');
     btn.removeClass('btn-mark-read fa-check').addClass('fa-spinner fa-spin');
     $.ajax({
+        type: 'post',
         url: '/notifications/read/' + notification.data('id'),
         complete: function() {
             btn.removeClass('fa-spinner fa-spin').addClass('btn-mark-read fa-check');
@@ -43,6 +44,7 @@ function replyToInvite(invite, reply, success, error) {
     var url = invite.data('type') === 'project' ? '' : 'organizations';
     url += '/invite/' + invite.data('id') + '/' + reply;
     $.ajax({
+        type: 'post',
         url: url,
         success: success,
         error: error
diff --git a/public/javascripts/projectDetail.js b/public/javascripts/projectDetail.js
index 1be361f75..ce54b1b4c 100644
--- a/public/javascripts/projectDetail.js
+++ b/public/javascripts/projectDetail.js
@@ -235,7 +235,11 @@ $(function() {
             $(this).addClass('watching');
         }
 
-        $.ajax(decodeHtml('/' + projectOwner + '/' + projectSlug) + '/watch/' + !watching);
+        $.ajax({
+            type: 'post',
+            url: decodeHtml('/' + projectOwner + '/' + projectSlug) + '/watch/' + !watching,
+            data: { csrfToken: csrf }
+        });
     });
 
     // setup star button
@@ -243,7 +247,11 @@ $(function() {
     $('.btn-star').click(function() {
         var starred = $(this).find('.starred');
         starred.html(' ' + (parseInt(starred.text()) + increment).toString());
-        $.ajax(decodeHtml('/' + projectOwner + '/' + projectSlug) + '/star/' + (increment > 0));
+        $.ajax({
+            type: 'post',
+            url: decodeHtml('/' + projectOwner + '/' + projectSlug) + '/star/' + (increment > 0),
+            data: { csrfToken: csrf }
+        });
 
         var icon = $('#icon-star');
         if (increment > 0) {
diff --git a/public/javascripts/queue.js b/public/javascripts/queue.js
index dc9c54232..d314576f9 100644
--- a/public/javascripts/queue.js
+++ b/public/javascripts/queue.js
@@ -27,6 +27,7 @@ $(function() {
         var versionPath = listItem.data('version');
         var icon = $(this).find('i').removeClass('fa-thumbs-up').addClass('fa-spinner fa-spin');
         $.ajax({
+            type: 'post',
             url: '/' + versionPath + '/approve',
             complete: function() { icon.removeClass('fa-spinner fa-spin').addClass('fa-thumbs-up'); },
             success: function() {
diff --git a/public/javascripts/userPage.js b/public/javascripts/userPage.js
index 8ca962565..cc2b9001f 100644
--- a/public/javascripts/userPage.js
+++ b/public/javascripts/userPage.js
@@ -133,7 +133,11 @@ function setupAvatarForm() {
 
     $('.btn-got-it').click(function() {
         var prompt = $(this).closest('.prompt');
-        $.ajax('prompts/read/' + prompt.data('prompt-id'));
+        $.ajax({
+            type: 'post',
+            url: 'prompts/read/' + prompt.data('prompt-id'),
+            data: { csrfToken: csrf }
+        });
         prompt.fadeOut('fast');
     });
 
@@ -165,12 +169,6 @@ function setupAvatarForm() {
                 .prop('src', json['avatarTemplate'].replace('{size}', '200'));
         }
     });
-
-    var pgpDeleteForm = $('.pgp-delete');
-    pgpDeleteForm.submit(function(e) {
-        e.preventDefault();
-        window.location = "/verify?returnPath=/" + USERNAME + "/settings/pgp/delete";
-    });
 }
 
 /*