diff --git a/scripts/ZoneMinder/lib/ZoneMinder/ConfigData.pm.in b/scripts/ZoneMinder/lib/ZoneMinder/ConfigData.pm.in
index 3f80748db..607152542 100644
--- a/scripts/ZoneMinder/lib/ZoneMinder/ConfigData.pm.in
+++ b/scripts/ZoneMinder/lib/ZoneMinder/ConfigData.pm.in
@@ -345,6 +345,26 @@ our @options = (
 type => $types{boolean},
 category => "system",
 },
+ {
+ name => "ZM_ENABLE_CSRF_MAGIC",
+ default => "no",
+ description => "Enable csrf-magic library",
+ help => qqq("
+ CSRF stands for Cross-Site Request Forgery which, under specific
+ circumstances, can allow an attacker to perform any task your
+ ZoneMinder user account has permission to perform. To accomplish
+ this, the attacker must write a very specific web page and get
+ you to navigate to it, while you are logged into the ZoneMinder
+ web console at the same time. Enabling ZM_ENABLE_CSRF_MAGIC will
+ help mitigate these kinds of attackes. Be warned this feature
+ is experimental and may cause problems, particularly with the API.
+ If you find a false positive and can document how to reproduce it,
+ then please report it. This feature defaults to OFF currently due to
+ its experimental nature.
+ "),
+ type => $types{boolean},
+ category => "system",
+ },
 {
 name => "ZM_OPT_USE_API",
 default => "yes",
diff --git a/web/includes/csrf/csrf-magic.php b/web/includes/csrf/csrf-magic.php
index 65db19f3d..153417f4e 100644
--- a/web/includes/csrf/csrf-magic.php
+++ b/web/includes/csrf/csrf-magic.php
@@ -23,7 +23,7 @@
 * a boolean false if the CSRF check failed. This allows for tighter integration
 * with your system.
 */
-$GLOBALS['csrf']['defer'] = false;
+$GLOBALS['csrf']['defer'] = true;
 
 /**
 * This is the amount of seconds you wish to allow before any token becomes
diff --git a/web/index.php b/web/index.php
index adbec5ee4..04e018d3c 100644
--- a/web/index.php
+++ b/web/index.php
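Review bot: The help text for ZM_ENABLE_CSRF_MAGIC misspells `attackes`; the line should read `help mitigate these kinds of attacks.`. It would also help operators to know the scope of the mitigation, since the index.php change in this same diff exempts the login action: a sentence such as `Note that the login request itself is not checked, and only requests dispatched through index.php are covered.` would set expectations, though the second half is my inference from the single csrf_check() call site and should be confirmed before it is added.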
@@ -170,6 +170,11 @@ if ( isset($_REQUEST['action']) )
 foreach ( getSkinIncludes( 'skin.php' ) as $includeFile )
 require_once $includeFile;
 
+if ( ZM_ENABLE_CSRF_MAGIC && $action != 'login' ) {
+ Debug("Calling csrf_check with the following values: \$request = \"$request\", \$view = \"$view\", \$action = \"$action\"");
+ csrf_check();
+}
+
 require_once( 'includes/actions.php' );
 
 # If I put this here, it protects all views and popups, but it has to go after actions.php because actions.php does the actual logging in.
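Review bot: The guard on the new `if` only exempts `action=login`, yet if csrf_check() keeps csrf-magic's default of validating POST requests only, every action dispatched from a GET URL passes unchallenged, and the hunk header's `isset($_REQUEST['action'])` suggests `$action` is taken from `$_REQUEST`, which merges GET and POST; either reject non-POST requests that carry an action before this point, or document the gap with `// NOTE: csrf-magic checks POST only; actions triggered via GET are not covered`. The comparison should be strict, `$action !== 'login'`, to avoid PHP's loose string/number equality. Because this same diff flips `defer` to true in csrf-magic.php, this call is the sole enforcement point, so a comment such as `// csrf-magic is loaded with defer=true: nothing is checked unless csrf_check() is called here` would stop the next reader from assuming the include alone protects the page. The login exemption is needed because no session token exists before login, but it leaves login CSRF possible and deserves a one-line comment saying so; the trailing context comment about placing the check after actions.php appears to describe an earlier placement and now reads as stale relative to this one.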