diff --git a/app.rb b/app.rb
index 3ed73b75..a596a913 100644
--- a/app.rb
+++ b/app.rb
@@ -252,7 +252,7 @@ def require_login_ajax
end
def csrf_safe?
- csrf_token == params[:csrf_token]
+ csrf_token == params[:csrf_token] || csrf_token == request.env['HTTP_X_CSRF_TOKEN']
end
def csrf_token
diff --git a/views/layout.slim b/views/layout.slim
index 7149126d..5c33cdb2 100644
--- a/views/layout.slim
+++ b/views/layout.slim
@@ -9,6 +9,7 @@ html
link href="/css/styles.css" rel="stylesheet"
meta property="og:title" content="NeoCities"
meta property="og:description" content="NeoCities is the new Geocities. Create your own free home page, and do whatever you want with it."
+ meta name="csrf-token" content="#{csrf_token}"
script src="/js/jquery.min.js"
body
@@ -40,6 +41,16 @@ html script src="/js/bootstrap.min.js" + javascript: + !function(){ + var csrf_token = $('meta[name="csrf-token"]').attr('content'); + + $(document).ajaxSend(function(ev, jqxhr){ + jqxhr.setRequestHeader('X-CSRF-Token', csrf_token); + }); + }(); + + javascript: (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
@@ -47,4 +58,4 @@ html
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-41925541-1', 'neocities.org');
- ga('send', 'pageview');
\ No newline at end of file
+ ga('send', 'pageview');
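Review bot: The new line in `csrf_safe?` still compares the session token with plain `==` for both the form field and the added `X-CSRF-Token` header, which leaks timing information about the token; a constant-time comparison via `Rack::Utils.secure_compare` is the usual fix. Both operands should also be required to be non-empty strings first: if `csrf_token` can ever return nil or an empty string (its body begins at the last line of this hunk and is outside it), a request with neither a form field nor a header would satisfy `csrf_token == request.env['HTTP_X_CSRF_TOKEN']` as nil == nil. The rewrite below keeps the accept-either behaviour of the new line but demands a real token on both sides.
```ruby
def csrf_safe?
  expected = csrf_token
  # Reject outright when no session token exists, rather than letting nil == nil pass.
  return false unless expected.is_a?(String) && !expected.empty?
  [params[:csrf_token], request.env['HTTP_X_CSRF_TOKEN']].any? do |candidate|
    candidate.is_a?(String) && Rack::Utils.secure_compare(expected, candidate)
  end
end
```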
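Review bot: Embedding `csrf_token` in a `<meta>` tag ties every layout-rendered page to one session, so any such page served through a shared cache (a proxy/CDN, or a response sent with a public `Cache-Control`) would hand one user's token to another and the cached copy would later fail validation; it is worth confirming that layout-rendered responses are not publicly cacheable. Slim's `#{}` text interpolation is HTML-escaped by default as far as I know, so the attribute value itself is safe to emit as written.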
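Review bot: The new `ajaxSend` hook attaches the session's CSRF token to every jQuery request, including any cross-origin one, so a third-party endpoint called through `$.ajax` would receive the token; jQuery passes the request settings as the handler's third argument, so restrict it with `$(document).ajaxSend(function(ev, jqxhr, settings){ if (!settings.crossDomain) jqxhr.setRequestHeader('X-CSRF-Token', csrf_token); });`. A page whose layout lacks the `csrf-token` meta would also send the literal string `undefined` as the header value, which is harmless for validation but noisy; guarding with `if (csrf_token)` avoids it. The Google Analytics `javascript:` block at the end of this hunk continues past it.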