diff --git a/handlers/like.go b/handlers/like.go
index 728fed8..a561292 100644
--- a/handlers/like.go
+++ b/handlers/like.go
@@ -23,6 +23,10 @@ func LikeHandler(app *App) http.HandlerFunc {
 http.Error(w, "Unauthorized", http.StatusUnauthorized)
 return
 }
+ if !app.validateCSRFToken(r, session) {
+ http.Error(w, "Invalid CSRF token", http.StatusForbidden)
+ return
+ }
 postIDStr := r.FormValue("post_id")
 postID, err := strconv.Atoi(postIDStr)
diff --git a/static/likes.js b/static/likes.js
index 9331c2c..3430aa3 100644
--- a/static/likes.js
+++ b/static/likes.js
@@ -5,6 +5,7 @@ function initLikeButtons() {
 var postId = btn.getAttribute('data-post-id');
 var type = btn.getAttribute('data-type');
 var basePath = btn.getAttribute('data-base-path');
+ var csrfToken = document.body ? document.body.getAttribute('data-csrf-token') : '';
 btn.disabled = true;
@@ -14,7 +15,10 @@ function initLikeButtons() {
 fetch(basePath + '/like/', {
 method: 'POST',
- headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+ headers: {
+ 'Content-Type': 'application/x-www-form-urlencoded',
+ 'X-CSRF-Token': csrfToken
+ },
 body: body.toString()
 })
 .then(function(res) { return res.json(); })
diff --git a/templates/pages/thread.html b/templates/pages/thread.html
index 773149c..bf99658 100644
--- a/templates/pages/thread.html
+++ b/templates/pages/thread.html
@@ -7,7 +7,7 @@ - + {{template "navbar" .}}
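Review bot: The new `if !app.validateCSRFToken(r, session)` block says nothing about which carrier of the token it validates, while the companion change in static/likes.js sends the token only in the `X-CSRF-Token` request header; if the helper reads a form field instead, every like request will now be rejected with 403, and the helper's body is outside this diff so that cannot be confirmed here. A comment above the block would pin the contract, e.g. `// Reject cross-site POSTs: the token sent in X-CSRF-Token (see static/likes.js) must match the one bound to this session.`. The comparison inside validateCSRFToken should also be constant-time (crypto/subtle.ConstantTimeCompare) rather than `==` — presumably it is, but verify. LikeHandler starts and ends outside the hunk.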
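Review bot: `document.body.getAttribute('data-csrf-token')` returns null when the attribute is absent, and fetch stringifies that into a header value of "null", so the new `csrfToken` line sends a bogus token instead of none; the template change that is supposed to add the attribute is only partially visible here, and a missing attribute would surface as an unexplained 403 from LikeHandler. Fold the null case into the existing empty-string fallback: `var csrfToken = (document.body && document.body.getAttribute('data-csrf-token')) || '';`. initLikeButtons starts and ends outside the hunk.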
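Review bot: The `.then(function(res) { return res.json(); })` that follows the new headers object still parses the body unconditionally, and the matching change in handlers/like.go answers a bad token with a plain-text 403 ("Invalid CSRF token"), so a CSRF rejection now reaches the caller as a JSON parse error rather than as the server's status and message. Test the status before parsing, e.g. `if (!res.ok) { throw new Error('like request failed: ' + res.status); }` ahead of `return res.json();`. The code that consumes the parsed result, and the end of initLikeButtons, are outside the hunk.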