diff --git a/tailbone/templates/master/index.mako b/tailbone/templates/master/index.mako
index 5bb155bf..a5ca6665 100644
--- a/tailbone/templates/master/index.mako
+++ b/tailbone/templates/master/index.mako
@@ -55,10 +55,11 @@
<%def name="grid_tools()">
% if master.mergeable and request.has_perm('{}.merge'.format(permission_prefix)):
- ${h.form(url('{}.merge'.format(route_prefix)), name='merge-things')}
+ ${h.form(url('{}.merge'.format(route_prefix)), name='merge-things')}
+ ${h.csrf_token(request)}
${h.hidden('uuids')}
- ${h.end_form()}
+ ${h.end_form()}
% endif
diff --git a/tailbone/templates/master/merge.mako b/tailbone/templates/master/merge.mako
index 8d3f11ff..d56416d7 100644
--- a/tailbone/templates/master/merge.mako
+++ b/tailbone/templates/master/merge.mako
@@ -132,6 +132,7 @@
${h.form(request.current_route_url(), class_='merge')}
+${h.csrf_token(request)}