diff --git a/CHANGELOG b/CHANGELOG
index 1ca460c..4be0081 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -17,6 +17,7 @@ Revision history for Lufi
 - Add a test suite
 - MySQL support
 - Display max size on upload page
+ - Add CSRF token challenge on login
 0.02.2 2017-09-18
 - Fix cron tasks bug
diff --git a/lib/Lufi/Controller/Auth.pm b/lib/Lufi/Controller/Auth.pm
index 77401c9..c7bddd1 100644
--- a/lib/Lufi/Controller/Auth.pm
+++ b/lib/Lufi/Controller/Auth.pm
@@ -18,11 +18,16 @@ sub login {
 my $login = $c->param('login');
 my $pwd = $c->param('password');
- if($c->authenticate($login, $pwd)) {
- $c->redirect_to('index');
- } else {
- $c->stash(msg => $c->l('Please, check your credentials or your right to access this service: unable to authenticate.'));
+ if ($c->validation->csrf_protect->has_error('csrf_token')) {
+ $c->stash(msg => $c->l('Bad CSRF token.'));
 $c->render(template => 'login');
+ } else {
+ if($c->authenticate($login, $pwd)) {
+ $c->redirect_to('index');
+ } else {
+ $c->stash(msg => $c->l('Please, check your credentials or your right to access this service: unable to authenticate.'));
+ $c->render(template => 'login');
+ }
 }
 }
diff --git a/t/test.t b/t/test.t
index 1f10eb5..10a5cc1 100644
--- a/t/test.t
+++ b/t/test.t
@@ -202,7 +202,15 @@ sub test_login {
 ->status_is(200)
 ->content_like(qr@Signin@);
- $t->post_ok('/login' => form => { login => $login, password => $pass })
+ my $token = '';
+ $t->post_ok('/login' => form => { login => $login, password => $pass, csrf_token => $token })
+ ->status_is(200)
+ ->content_like(qr@Bad CSRF token\.@);
+ $token = $t->ua->get('/login')->res->dom->find('input[name="csrf_token"]')->first->attr('value');
+ $t->post_ok('/login' => form => { login => $login, password => $pass, csrf_token => $token })
 ->status_is(302)
 ->header_is(Location => '/');
diff --git a/themes/default/templates/login.html.ep b/themes/default/templates/login.html.ep
index 189a8dc..ef55234 100644
--- a/themes/default/templates/login.html.ep
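Review bot: The rejection branch added at the top of the hunk renders the login template with the default 200 status, so a blocked cross-site POST looks like an ordinary page view in access logs and cannot be alerted on; `$c->render(template => 'login', status => 403);` keeps the page but gives the failure a distinct code (the test's `->status_is(200)` after the empty-token POST would then become `->status_is(403)`). Because the token is presumably tied to the session cookie, the usual way a legitimate user sees this error is a stale form after the session changed, so the message should say what to do, e.g. `$c->l('Bad CSRF token: the form has expired, please reload the page and try again.')`. Stylistically, the `else { if (...) { ... } else { ... } }` nesting can be flattened into an `if` / `elsif` / `else` chain, and the retained `if($c->authenticate(...))` lacks the space after `if` that the new `if (` line uses. The `login` sub starts before the hunk.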
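Review bot: The negative case at the start of the hunk posts only an empty `csrf_token`, which presumably short-circuits on the missing-value check rather than on the token comparison; a cross-site form would carry a non-empty value that merely does not belong to the victim's session, and that path is not exercised. Add a second rejected post before the valid one, `$t->post_ok('/login' => form => { login => $login, password => $pass, csrf_token => 'not-the-session-token' })` with the same `->status_is(200)->content_like(qr@Bad CSRF token\.@)` chain. The token is fetched with a raw `$t->ua->get('/login')`, so if the field ever disappears from the template the test dies on `->first->attr('value')` with an undefined-value error instead of a failed assertion; `$t->get_ok('/login')->status_is(200)` followed by `$t->tx->res->dom->at('input[name="csrf_token"]')` would report it as a plain test failure. The `test_login` sub starts before the hunk and appears to continue past it.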
+++ b/themes/default/templates/login.html.ep
@@ -21,6 +21,7 @@
+ %= csrf_field