diff --git a/store/app.py b/store/app.py
index d54bea73..dd99296b 100644
--- a/store/app.py
+++ b/store/app.py
@@ -5,6 +5,7 @@ import base64
 import hashlib
 import hmac
 import os
+import string
 import random
 import urllib
 import json
@@ -186,6 +187,22 @@ def add_to_wishlist():
                 "wishlist_add.html",
                 locale=get_locale(),
                 user=session.get("user", {}),
+                csrf_token=None,
+                successmsg=None,
+                errormsg=errormsg,
+            )
+
+        csrf_token = request.form["csrf_token"]
+        print(csrf_token)
+        print(session.get("csrf_token"))
+
+        if csrf_token != session.get("csrf_token"):
+            errormsg = _("Invalid CSRF token, please refresh the form and try again")
+            return render_template(
+                "wishlist_add.html",
+                locale=get_locale(),
+                user=session.get("user", {}),
+                csrf_token=csrf_token,
                 successmsg=None,
                 errormsg=errormsg,
             )
@@ -227,6 +244,7 @@ def add_to_wishlist():
                     "wishlist_add.html",
                     locale=get_locale(),
                     user=session.get("user", {}),
+                    csrf_token=csrf_token,
                     successmsg=None,
                     errormsg=errormsg,
                 )
@@ -247,6 +265,7 @@ def add_to_wishlist():
                 "wishlist_add.html",
                 locale=get_locale(),
                 user=session.get("user", {}),
+                csrf_token=csrf_token,
                 successmsg=None,
                 errormsg=_(
                     "An entry with the name %(slug) already exists in the wishlist",
@@ -280,6 +299,7 @@ def add_to_wishlist():
                 "wishlist_add.html",
                 locale=get_locale(),
                 user=session.get("user", {}),
+                csrf_token=csrf_token,
                 successmsg=None,
                 errormsg=errormsg,
             )
@@ -328,10 +348,14 @@ Proposed by **{session['user']['username']}**
             successmsg=successmsg,
         )
     else:
+        letters = string.ascii_lowercase + string.digits
+        csrf_token = ''.join(random.choice(letters) for i in range(16))
+        session["csrf_token"] = csrf_token
         return render_template(
             "wishlist_add.html",
             locale=get_locale(),
             user=session.get("user", {}),
+            csrf_token=csrf_token,
             successmsg=None,
             errormsg=None,
         )
diff --git a/store/templates/wishlist_add.html b/store/templates/wishlist_add.html
index e91f1746..5c66e9cc 100644
--- a/store/templates/wishlist_add.html
+++ b/store/templates/wishlist_add.html
@@ -5,7 +5,7 @@
 {% block main %}
 <div class="mt-5 text-center px-3 sm:px-0">
     <h1 class="text-2xl font-bold text-gray-900">
-        {{ _("Suggest an application to be added to YunoHost's catalog") }} 
+        {{ _("Suggest an application to be added to YunoHost's catalog") }}
     </h1>
 </div>
 
@@ -26,7 +26,7 @@
     <div role="alert" class="rounded-md border-s-4 border-orange-500 bg-orange-50 p-4 mb-5">
       <p class="mt-2 text-sm text-orange-700 font-bold">
         <i class="fa fa-exclamation-triangle fa-fw" aria-hidden="true"></i>
-          {{ _("You must first login to be allowed to submit an app to the wishlist") }} 
+          {{ _("You must first login to be allowed to submit an app to the wishlist") }}
       </p>
     </div>
     {% endif %}
@@ -34,10 +34,10 @@
     <div role="alert" class="rounded-md border-s-4 border-sky-500 bg-sky-50 p-4">
       <p class="mt-2 text-sm text-sky-700 font-bold">
         <i class="fa fa-info-circle fa-fw" aria-hidden="true"></i>
-          {{ _("Please check the license of the app your are proposing") }} 
+          {{ _("Please check the license of the app your are proposing") }}
       </p>
       <p class="mt-2 text-sm text-sky-700">
-          {{ _("The YunoHost project will only package free/open-source software (with possible case-by-case exceptions for apps which are not-totally-free)") }} 
+          {{ _("The YunoHost project will only package free/open-source software (with possible case-by-case exceptions for apps which are not-totally-free)") }}
       </p>
     </div>
 
@@ -50,28 +50,30 @@
     </div>
     {% endif %}
 
-    <form method="POST" action="{{ url_for('add_to_wishlist') }}" class="mt-8 mb-8" >
-      
+    <form method="POST" action="{{ url_for('add_to_wishlist') }}" class="my-8" >
+
+      <input name="csrf_token" type="text" class="hidden" value="{{ csrf_token }}" >
+
       <label for="name" class="mt-5 block font-bold text-gray-700">{{ _("Name") }}</label>
       <input name="name" type="text" class="w-full mt-1 rounded-md border-gray-200 text-gray-700 shadow-sm" maxlength="30" required onkeyup="this.value = this.value.replace(/[^a-zA-Z0-9.-\\(\\)\\ ]/, '')" >
-      
+
       <label for="description" class="mt-5 block font-bold text-gray-700">{{ _("App's description") }}</label>
       <textarea name="description" type="text" class="w-full mt-1 rounded-md border-gray-200 text-gray-700 shadow-sm" required rows='3' maxlength='100'></textarea>
       <span class="text-xs text-gray-600"><span class="font-bold">{{ _("Please be concise and focus on what the app does.") }}</span> {{ _("No need to repeat '[App] is ...'. No need to state that it is free/open-source or self-hosted (otherwise it wouldn't be packaged for YunoHost). Avoid marketing stuff like 'the most', or vague properties like 'easy', 'simple', 'lightweight'.") }}</span>
 
       <label for="upstream" class="mt-5 block font-bold text-gray-700">{{ _("Project code repository") }}</label>
       <input name="upstream" type="url" class="w-full mt-1 rounded-md border-gray-200 text-gray-700 shadow-sm"  maxlength="150" required >
-      
+
       <label for="website" class="mt-5 block font-bold text-gray-700">{{ _("Project website") }}</label>
       <input name="website" type="url" class="w-full mt-1 rounded-md border-gray-200 text-gray-700 shadow-sm"  maxlength="150" >
       <span class="text-xs text-gray-600">{{ _("Please *do not* just copy-paste the code repository URL. If the project has no proper website, then leave the field empty.") }}</span>
-    
+
       <button
         type="submit"
         class="block mx-auto btn btn-primary mt-5 {% if user %}hover:bg-blue-700{% endif %}"
         {% if not user %}disabled{% endif %}
       >
-          {{ _("Submit") }} 
+          {{ _("Submit") }}
       </button>
 
     </form>