diff --git a/handlers/profile_edit.go b/handlers/profile_edit.go
index 4b0a43a..28e4a2a 100644
--- a/handlers/profile_edit.go
+++ b/handlers/profile_edit.go
@@ -23,6 +23,11 @@ func ProfileEditHandler(app *App) http.HandlerFunc {
 }
 if r.Method == http.MethodPost {
+ if !app.validateCSRFToken(r, session) {
+ http.Error(w, "Invalid CSRF token", http.StatusForbidden)
+ return
+ }
+
 // Handle file upload
 file, handler, err := r.FormFile("pfp")
 if err == nil {
@@ -118,6 +123,7 @@ func ProfileEditHandler(app *App) http.HandlerFunc {
 BasePath: app.Config.ThreadrDir,
 StaticPath: app.Config.ThreadrDir + "/static",
 CurrentURL: r.URL.RequestURI(),
+ CSRFToken: app.csrfToken(session),
 },
 User: *user,
 }
diff --git a/templates/pages/profile_edit.html b/templates/pages/profile_edit.html
index 160df6e..2d0a219 100644
--- a/templates/pages/profile_edit.html
+++ b/templates/pages/profile_edit.html
@@ -14,6 +14,7 @@
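Review bot: The new `validateCSRFToken(r, session)` check runs before `r.FormFile("pfp")`, so on this multipart form the token can only be read after the request body has been parsed; if the helper reads it via `r.FormValue`, that implicitly calls `ParseMultipartForm` with the default 32 MiB in-memory limit ahead of whatever size cap the upload branch may apply, and if it reads a header instead the token must be sent that way by the template. I cannot see the helper from this hunk, so confirm which it is and, if it is the form-field case, call `r.ParseMultipartForm(maxUploadBytes)` explicitly before the check so the limit is chosen deliberately (with `maxUploadBytes` being whatever bound the handler already uses). The rejection path returns 403 with no log line, which leaves a forged-request attempt invisible to operators; a single `app.Log.Warn("csrf validation failed", "path", r.URL.Path)`-style line (using whichever logger the app already has) is worth adding. The second hunk only threads `CSRFToken` into the page data and needs the template to emit it as a hidden input in the edit form; that html hunk is cut off here. ProfileEditHandler starts and ends outside both hunks.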
+