diff --git a/plugins/box/backup/backup.admin.php b/plugins/box/backup/backup.admin.php
old mode 100644
new mode 100755
index c33653e..9c37cc4
--- a/plugins/box/backup/backup.admin.php
+++ b/plugins/box/backup/backup.admin.php
@@ -16,37 +16,46 @@
 // Create backup
 // -------------------------------------
 if (Request::post('create_backup')) {
+
+ if (Security::check(Request::post('csrf'))) {
- @set_time_limit(0);
- @ini_set("memory_limit", "512M");
+ @set_time_limit(0);
+ @ini_set("memory_limit", "512M");
- $zip = Zip::factory();
+ $zip = Zip::factory();
- // Add storage folder
- $zip->readDir(STORAGE . DS, false);
+ // Add storage folder
+ $zip->readDir(STORAGE . DS, false);
- // Add public folder
- if (Request::post('add_public_folder')) $zip->readDir(ROOT . DS . 'public' . DS, false);
-
- // Add plugins folder
- if (Request::post('add_plugins_folder')) $zip->readDir(PLUGINS . DS, false);
+ // Add public folder
+ if (Request::post('add_public_folder')) $zip->readDir(ROOT . DS . 'public' . DS, false);
+
+ // Add plugins folder
+ if (Request::post('add_plugins_folder')) $zip->readDir(PLUGINS . DS, false);
- $zip->archive($backups_path . DS . Date::format(time(), "Y-m-d-H-i-s").'.zip');
+ $zip->archive($backups_path . DS . Date::format(time(), "Y-m-d-H-i-s").'.zip');
+
+ } else { die('csrf detected!'); }
 }
 // Delete backup
 // -------------------------------------
- if (Request::get('sub_id') == 'backup') {
- if (Request::get('delete_file')) {
+ if (Request::get('sub_id') == 'backup' && Request::get('delete_file')) {
+
+ if (Security::check(Request::get('token'))) {
+
 File::delete($backups_path . DS . Request::get('delete_file'));
- Request::redirect(Option::get('siteurl').'admin/index.php?id=backup');
- }
+ Request::redirect(Option::get('siteurl').'admin/index.php?id=backup');
+
+ } else { die('csrf detected!'); }
 }
 // Download backup
 // -------------------------------------
- if (Request::get('download')) {
- File::download($backups_path . DS . Request::get('download'));
+ if (Request::get('download')) {
+ if (Security::check(Request::get('token'))) {
+ File::download($backups_path . DS . Request::get('download'));
+ } else { die('csrf detected!'); }
 }
 // Get backup list
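Review bot: The names handed to `File::delete()` and `File::download()` are still taken verbatim from `Request::get('delete_file')` and `Request::get('download')`, so the new token check only proves the request came from a logged-in admin's page; it does nothing to keep a name containing path separators or `..` inside `$backups_path`. Reduce the value to a bare archive name before building the path, e.g. `$file = basename(Request::get('delete_file'));` then `if ($file === '' || pathinfo($file, PATHINFO_EXTENSION) !== 'zip') { die('invalid backup file'); }` and `File::delete($backups_path . DS . $file);`, and apply the same three lines to the download branch. The deletion still runs on a GET request, which puts the token into browser history, Referer headers and access logs; a POST form with the token as a hidden field would be the more durable fix. The file header also flips the mode from 100644 to 100755, which a PHP source file served through the web server does not need and looks like an accidental chmod. The enclosing function starts and ends outside the hunk.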
diff --git a/plugins/box/backup/views/backend/index.view.php b/plugins/box/backup/views/backend/index.view.php
old mode 100644
new mode 100755
index 99cbd53..c73668b
--- a/plugins/box/backup/views/backend/index.view.php
+++ b/plugins/box/backup/views/backend/index.view.php
@@ -10,6 +10,7 @@ $().ready(function(){$('[name=create_backup]').click(function(){$(this).button('
 'disabled')) . ' ' . __('storage', 'backup') . ' ' . Html::nbsp(2) . Form::checkbox('add_public_folder') . ' ' . __('public', 'backup') . ' ' . Html::nbsp(2) . Form::checkbox('add_plugins_folder') . ' ' . __('plugins', 'backup') . ' ' . Html::nbsp(2) .
@@ -32,12 +33,12 @@ $().ready(function(){$('[name=create_backup]').click(function(){$(this).button(' - + 'btn btn-actions', 'onclick' => "return confirmDelete('".__('Delete backup: :backup', 'backup', array(':backup' => Date::format($name, 'F jS, Y - g:i A')))."')")); ?>
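Review bot: The `onclick` value in the second hunk splices a translated message and a formatted date straight into a single-quoted JavaScript literal, `"return confirmDelete('" . __('Delete backup: :backup', ...) . "')"`, with no escaping for either the JavaScript or the HTML-attribute context, so any translation containing an apostrophe (or a `$name` that is not a plain timestamp) breaks the handler instead of confirming the delete. Build the argument once with `json_encode(__('Delete backup: :backup', 'backup', array(':backup' => Date::format($name, 'F jS, Y - g:i A'))), JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_TAG | JSON_HEX_AMP)` and pass it as `'onclick' => 'return confirmDelete(' . $label . ')'`; the hex flags make the literal safe inside the attribute whether or not the attribute helper escapes values, which I cannot see from here. Most of this file section's lines, including the hidden-token markup the commit presumably adds, did not survive the page rendering, so only the visible fragment is reviewed; the surrounding view markup begins before and continues after the hunk.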