diff --git a/packages/middleware/lib/log-account-handler.ts b/packages/middleware/lib/log-account-handler.ts
index 601b1854d846f4e0c50e3761beff0be899311c62..eef113bbbaf5b04d6cd8323213208defdb66230e 100644
--- a/packages/middleware/lib/log-account-handler.ts
+++ b/packages/middleware/lib/log-account-handler.ts
@@ -9,12 +9,15 @@ import { logLoginEvent } from './auth-proof-cookie';
 import { getClientIp } from './common-utils';
+import { checkCsrfHeader } from '@smart-signer/lib/csrf-protection';
 export async function handleLogAccount(req: NextApiRequest, res: NextApiResponse) {
 if (req.method !== 'POST') {
 return res.status(405).json({ error: 'Method not allowed' });
 }
+ checkCsrfHeader(req);
+
 const { type, username, authProof } = req.body;
 const ip = getClientIp(req);
diff --git a/packages/smart-signer/components/auth/process.tsx b/packages/smart-signer/components/auth/process.tsx
index 68a0f991c951f2695e93b1bad168c772cbf2d0e9..9b194bcdfe6b2d863e7bfe668622285fc24efd40 100644
--- a/packages/smart-signer/components/auth/process.tsx
+++ b/packages/smart-signer/components/auth/process.tsx
@@ -11,6 +11,7 @@ import { LoginFormSchema as SignInFormSchema } from '../signin-form';
 import { getOperationForLogin } from '@smart-signer/lib/login-operation';
 import { getChain } from '@transaction/lib/chain';
 import { IOnlineTransaction, operation } from '@hiveio/wax';
+import { csrfHeaderName } from '@smart-signer/lib/csrf-protection';
 import { getLogger } from '@hive/ui/lib/logging';
 const logger = getLogger('app');
@@ -89,7 +90,10 @@ export const useProcessAuth = (authenticateOnBackend: boolean, strict: boolean)
 await fetch('/api/auth/log_account', {
 method: 'POST',
- headers: { 'Content-Type': 'application/json' },
+ headers: {
+ 'Content-Type': 'application/json',
+ [csrfHeaderName]: '1'
+ },
 body: JSON.stringify({
 type: 'login',
 username,
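Review bot: The return value of the new `checkCsrfHeader(req);` call is discarded, so the guard only works if that helper throws on a missing header; if it reports failure by return value the request falls straight through to `req.body`, and if it throws, an uncaught exception in a Next API route surfaces as a generic 500 rather than a deliberate 403. The csrf-protection module is not in this diff, so confirm its contract, and prefer an explicit rejection path that mirrors the 405 branch above it, e.g. `if (!checkCsrfHeader(req)) return res.status(403).json({ error: 'Missing CSRF header' });` (or a try/catch that maps the helper's error to 403). The clients in this commit send the literal `'1'`, so this is a presence-only check whose strength rests on the browser refusing to send a custom header cross-origin without a CORS preflight; a comment on the call such as `// Presence-only CSRF check: assumes no CORS policy lets cross-origin callers send this header` would keep a later CORS change from silently defeating it. handleLogAccount's body continues outside the hunk.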
diff --git a/packages/smart-signer/lib/auth/use-logout.ts b/packages/smart-signer/lib/auth/use-logout.ts
index c15fd280b31810685d9edabf552268b722f17ecb..abaef0f30278d392328bbc25a711f7eb2992630d 100644
--- a/packages/smart-signer/lib/auth/use-logout.ts
+++ b/packages/smart-signer/lib/auth/use-logout.ts
@@ -3,6 +3,7 @@ import { toast } from '@ui/components/hooks/use-toast';
 import { getSigner } from '@smart-signer/lib/signer/get-signer';
 import { useUser } from '@smart-signer/lib/auth/use-user';
 import { useSigner } from '@smart-signer/lib/use-signer';
+import { csrfHeaderName } from '@smart-signer/lib/csrf-protection';
 import { getLogger } from '@hive/ui/lib/logging';
 import { useRouter } from 'next/navigation';
@@ -24,7 +25,10 @@ export function useLogout(redirect?: string) {
 try {
 await fetch('/api/auth/log_account', {
 method: 'POST',
- headers: { 'Content-Type': 'application/json' },
+ headers: {
+ 'Content-Type': 'application/json',
+ [csrfHeaderName]: '1'
+ },
 body: JSON.stringify({
 type: 'logout' // username and loginType will be read from the existing cookie
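Review bot: The headers object `{ 'Content-Type': 'application/json', [csrfHeaderName]: '1' }` is now spelled out twice in this commit — here and in the process.tsx fetch — so the sentinel value `'1'` that the server-side check presumably expects lives in two client files rather than next to `csrfHeaderName`. Exporting one helper from csrf-protection, e.g. `export const csrfHeaders = () => ({ [csrfHeaderName]: '1' });`, and spreading it into both fetch calls keeps the client and server halves of the check in a single module, so a future change to the name or value cannot drift. Neither fetch sets `credentials`, so both rely on the same-origin default to attach the cookie this handler reads for logout; a short comment such as `// same-origin credentials by default; the CSRF header marks this as an intentional app request` would document why nothing else is needed. useLogout's body continues past the hunk.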