diff --git a/include/class.csrf.php b/include/class.csrf.php
index bf281499c12d7d2cbe6fd59558261b8d516abbf8..d55dcea0c716cd21db5fe46c17bed3d9cfdb6719 100644
--- a/include/class.csrf.php
+++ b/include/class.csrf.php
@@ -40,6 +40,10 @@ function csrf_get_token($length=32) {
 }
 
 function csrf_ensure_cookie() {
+    global $csrf_unprotected;
+    if ($csrf_unprotected)
+        return true;
+
     $token = csrf_get_token();
     if (isset($_POST['__CSRFToken__'])) {
         if ($token == $_POST['__CSRFToken__'])
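Review bot: The new early return turns `$csrf_unprotected` into a request-wide kill switch with no trace of who set it: any file executed earlier in the request that calls csrf_unprotect() (defined in the next hunk) silently disables the check for every form handled afterwards, and the return is taken before any token is read. At minimum the bypass line should say so, e.g. `if ($csrf_unprotected) return true; // enforcement disabled for this whole request via csrf_unprotect(); no token is checked`, and a log line on this path would make an unexpected bypass visible in operations. Separately, the context line below compares tokens with `==`; if this code is revisited, `hash_equals($token, (string) $_POST['__CSRFToken__'])` avoids PHP loose-comparison surprises and timing differences. csrf_ensure_cookie's body continues past this hunk and ends in the following one.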
@@ -52,6 +56,11 @@ function csrf_ensure_cookie() {
     Http::response(400, 'CSRF Token Required');
 }
 
+function csrf_unprotect() {
+    global $csrf_unprotected;
+    $csrf_unprotected = true;
+}
+
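Review bot: csrf_unprotect() carries no documentation of when it is legitimate to call it, and because it only flips a plain global there is no way to re-enable enforcement for the rest of the request. A docblock such as `/** Disable CSRF token enforcement (csrf_ensure_cookie) for the remainder of this request. Request-wide and irreversible; call only from entry points that cannot carry a token. */` would make that scope explicit at the definition. The function is complete within the hunk.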
 # Many thanks to https://docs.djangoproject.com/en/dev/ref/contrib/csrf/
 function csrf_enable_ajax() { ?>
 <script type="text/javascript">
diff --git a/include/staff/login.tpl.php b/include/staff/login.tpl.php
index 4f2364e1ae9fa21a0e79135ae5580fcaffdbcb63..2d8a41f650601c2ec8396ecb89a8ea5ac90a4790 100644
--- a/include/staff/login.tpl.php
+++ b/include/staff/login.tpl.php
@@ -15,6 +15,7 @@
     <h1 id="logo"><a href="index.php">osTicket Staff Control Panel</a></h1>
     <h3><?php echo Format::htmlchars($msg); ?></h3>
     <form action="login.php" method="post">
+        <?php csrf_token(); ?>
         <input type="hidden" name="d"o value="scplogin">
         <fieldset>
             <input type="text" name="username" id="name" value="" placeholder="username" autocorrect="off" autocapitalize="off">
diff --git a/scp/emailtest.php b/scp/emailtest.php
index 9f9b2decb0a3b5e4cde81b3b4ca1ce4ec853a0f5..0ca1d7308cc8c62f0f9852a57f45d4e8802e805a 100644
--- a/scp/emailtest.php
+++ b/scp/emailtest.php
@@ -15,6 +15,7 @@
 **********************************************************************/
 require('admin.inc.php');
 include_once(INCLUDE_DIR.'class.email.php');
+include_once(INCLUDE_DIR.'class.csrf.php');
 $info=array();
 $info['subj']='osTicket test email';
 
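Review bot: `include_once(INCLUDE_DIR.'class.csrf.php')` degrades a missing file to a warning, after which the later `csrf_token()` call fails with an undefined-function fatal anyway; scp/login.php in this same commit pulls the same file in with `require_once`. Using `require_once(INCLUDE_DIR.'class.csrf.php');` here keeps the two entry points consistent and states that the dependency is mandatory rather than optional.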
@@ -47,6 +48,7 @@ $nav->setTabActive('emails');
 require(STAFFINC_DIR.'header.inc.php');
 ?>
 <form action="emailtest.php" method="post" id="emailtest">
+ <?php csrf_token(); ?>
  <input type="hidden" name="do" value="<?php echo $action; ?>">
  <h2>Test Outgoing Email</h2>
  <table class="form_table" width="940" border="0" cellspacing="0" cellpadding="2">
diff --git a/scp/login.php b/scp/login.php
index 2af73c318b45ddb15438d3ab8966ea76d11c6576..b8deacfd13313f4d042e2deb7b26488a38c1e8cc 100644
--- a/scp/login.php
+++ b/scp/login.php
@@ -17,6 +17,7 @@ require_once('../main.inc.php');
 if(!defined('INCLUDE_DIR')) die('Fatal Error. Kwaheri!');
 
 require_once(INCLUDE_DIR.'class.staff.php');
+require_once(INCLUDE_DIR.'class.csrf.php');
 
 $msg=$_SESSION['_staff']['auth']['msg'];
 $msg=$msg?$msg:'Authentication Required';