diff --git a/handlers/chat.go b/handlers/chat.go
index 01b6609..3249df6 100644
--- a/handlers/chat.go
+++ b/handlers/chat.go
@@ -147,6 +147,11 @@ func ChatHandler(app *App) http.HandlerFunc {
 		currentUsername := currentUser.Username
 		if r.URL.Query().Get("ws") == "true" {
+			if !app.validateCSRFToken(r, session) {
+				http.Error(w, "Invalid CSRF token", http.StatusForbidden)
+				return
+			}
+
 			ws, err := upgrader.Upgrade(w, r, nil)
 			if err != nil {
 				log.Printf("Error upgrading to WebSocket: %v", err)
@@ -240,6 +245,7 @@ func ChatHandler(app *App) http.HandlerFunc {
 				CurrentURL:      r.URL.RequestURI(),
 				ContentTemplate: "chat-content",
 				BodyClass:       "chat-page",
+				CSRFToken:       app.csrfToken(session),
 			},
 			Board:    *board,
 			Messages: messages,
diff --git a/static/chat.js b/static/chat.js
index 7bdba72..1387049 100644
--- a/static/chat.js
+++ b/static/chat.js
@@ -9,6 +9,7 @@
     const boardId = chatContainer.dataset.boardId;
     const basePath = chatContainer.dataset.basePath || '';
     const currentUsername = chatContainer.dataset.currentUsername || '';
+    const csrfToken = chatContainer.dataset.csrfToken || '';
     const usernamesScript = document.getElementById('chat-usernames');
     let allUsernames = [];
     if (usernamesScript) {
@@ -54,7 +55,9 @@
         }
         updateConnectionStatus('connecting');
-        ws = new WebSocket('ws://' + window.location.host + basePath + '/chat/?ws=true&id=' + boardId);
+        const protocol = window.location.protocol === 'https:' ? 'wss://' : 'ws://';
+        const query = new URLSearchParams({ ws: 'true', id: boardId, csrf_token: csrfToken });
+        ws = new WebSocket(protocol + window.location.host + basePath + '/chat/?' + query.toString());
         ws.onopen = function() {
             updateConnectionStatus('connected');
diff --git a/templates/pages/chat.html b/templates/pages/chat.html
index ebbd606..73d6207 100644
--- a/templates/pages/chat.html
+++ b/templates/pages/chat.html
@@ -12,10 +12,10 @@ -
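Review bot: The check added before `upgrader.Upgrade` validates a token that the client puts in the query string (the static/chat.js hunk sends it as `csrf_token`), so the token will be recorded in access logs, reverse-proxy logs, Referer headers and browser history; for a WebSocket handshake the primary cross-site defense is an `Origin` comparison in `upgrader.CheckOrigin`, and neither this hunk nor the `upgrader` declaration (outside the hunk) shows one. Keep the query-string token as defense in depth, but confirm that `upgrader.CheckOrigin` compares the request's `Origin` against the served host rather than accepting every origin, and that `validateCSRFToken` compares with a constant-time function such as `subtle.ConstantTimeCompare` (its body is not visible here). A one-line comment above the new `if` would make the intent survive refactoring: `// Browsers attach session cookies to cross-site WebSocket handshakes, so the upgrade needs the same CSRF check as a state-changing POST.` The `@@ -240` hunk in this file only passes the token to the template and raises nothing; `ChatHandler`'s handler body starts before and continues after both hunks.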
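Review bot: When `chatContainer.dataset.csrfToken` is missing, `csrfToken` falls back to `''` and the socket is still opened, so the server's new 403 on the handshake arrives as a bare `onerror`/`onclose` that the caller cannot tell apart from a network failure; if the surrounding code reconnects on close (the `updateConnectionStatus('connecting')` context suggests it does, though the loop is not in the hunk) it will retry with the same empty token indefinitely. Guard before building the URL: `if (!csrfToken) { console.error('chat: missing CSRF token, not connecting'); return; }`. Because the token is embedded at render time, a rotated or expired session leaves the page holding a stale value, so a repeated handshake refusal is better handled by reloading the page than by reconnecting with the same URL. The `wss://` selection on the `protocol` line is correct and needs no change. The enclosing function starts before and ends after this hunk.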
+ {{template "navbar" .}}