diff --git a/structurizr-onpremises/src/main/java/com/structurizr/onpremises/web/security/CsrfSecurityRequestMatcher.java b/structurizr-onpremises/src/main/java/com/structurizr/onpremises/web/security/CsrfSecurityRequestMatcher.java
index f4b157e..0d519ac 100644
--- a/structurizr-onpremises/src/main/java/com/structurizr/onpremises/web/security/CsrfSecurityRequestMatcher.java
+++ b/structurizr-onpremises/src/main/java/com/structurizr/onpremises/web/security/CsrfSecurityRequestMatcher.java
@@ -13,9 +13,18 @@ public boolean matches(HttpServletRequest request) {
         if ("POST".equals(method)) {
             String uri = request.getRequestURI();
 
-            if (
-                    uri.startsWith("/login")
-            ) {
+            /*
+             * Matches URIs like:
+             * /login*
+             * /workspace/123/images/delete
+             * /workspace/123/private
+             * /workspace/123/public
+             * /workspace/123/unshare
+             * /workspace/123/share
+             * /workspace/123/delete
+             */
+            if (uri.startsWith("/login")
+                    || uri.matches("/workspace/\\d+/(images/delete|private|public|unshare|share|delete)")) {
                 return true;
             }
         }
diff --git a/structurizr-onpremises/src/main/webapp/WEB-INF/views/images.jsp b/structurizr-onpremises/src/main/webapp/WEB-INF/views/images.jsp
index f125cb2..1fed0a1 100644
--- a/structurizr-onpremises/src/main/webapp/WEB-INF/views/images.jsp
+++ b/structurizr-onpremises/src/main/webapp/WEB-INF/views/images.jsp
@@ -32,6 +32,7 @@
         <c:if test="${workspace.editable}">
         <div class="centered">
             <form id="deleteImagesForm" class="form-inline small centered" style="display: inline-block; margin-bottom: 5px" action="/workspace/${workspace.id}/images/delete" method="post">
+                <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
                 <button class="btn btn-default" type="submit" name="action" value="delete" title="Delete published images"><img src="${structurizrConfiguration.cdnUrl}/bootstrap-icons/trash3.svg" class="icon-btn" /> Delete published images</button>
             </form>
         </div>
diff --git a/structurizr-onpremises/src/main/webapp/WEB-INF/views/users.jsp b/structurizr-onpremises/src/main/webapp/WEB-INF/views/users.jsp
index 3dced47..f805834 100644
--- a/structurizr-onpremises/src/main/webapp/WEB-INF/views/users.jsp
+++ b/structurizr-onpremises/src/main/webapp/WEB-INF/views/users.jsp
@@ -47,6 +47,7 @@
         <c:choose>
             <c:when test="${workspace.editable}">
             <form action="/workspace/${workspace.id}/users" method="post">
+                <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
 
                 <div class="row">
                     <div class="col-sm-6">
diff --git a/structurizr-onpremises/src/main/webapp/WEB-INF/views/workspace-settings.jsp b/structurizr-onpremises/src/main/webapp/WEB-INF/views/workspace-settings.jsp
index 04114bf..fde93a5 100644
--- a/structurizr-onpremises/src/main/webapp/WEB-INF/views/workspace-settings.jsp
+++ b/structurizr-onpremises/src/main/webapp/WEB-INF/views/workspace-settings.jsp
@@ -82,12 +82,14 @@
                                 <c:when test="${workspace.publicWorkspace}">
                                     <form id="privateWorkspaceForm" class="form-inline small centered" style="display: inline-block; margin-bottom: 5px" action="/workspace/${workspace.id}/private" method="post">
                                         <input type="hidden" name="workspaceId" value="${workspace.id}" />
+                                        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
                                         <button class="btn btn-default small" type="submit" name="action" value="private" title="Make workspace private"><img src="/static/bootstrap-icons/lock.svg" class="icon-btn" /> Make private</button>
                                     </form>
                                 </c:when>
                                 <c:otherwise>
                                     <form id="publicWorkspaceForm" class="form-inline small centered" style="display: inline-block; margin-bottom: 5px" action="/workspace/${workspace.id}/public" method="post">
                                         <input type="hidden" name="workspaceId" value="${workspace.id}" />
+                                        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
                                         <button class="btn btn-default small" type="submit" name="action" value="public" title="Make workspace public"><img src="/static/bootstrap-icons/unlock.svg" class="icon-btn" /> Make public</button>
                                     </form>
                                 </c:otherwise>
@@ -110,12 +112,14 @@
                                 <c:when test="${not empty workspace.sharingToken}">
                                     <form id="unshareWorkspaceForm" class="form-inline small centered" style="display: inline-block; margin-bottom: 5px" action="/workspace/${workspace.id}/unshare" method="post">
                                         <input type="hidden" name="workspaceId" value="${workspace.id}" />
+                                        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
                                         <button class="btn btn-default small" type="submit" name="action" value="unshare" title="Disable sharing link"><img src="/static/bootstrap-icons/link.svg" class="icon-btn" /> Disable sharing link</button>
                                     </form>
                                 </c:when>
                                 <c:otherwise>
                                     <form id="shareWorkspaceForm" class="form-inline small centered" style="display: inline-block; margin-bottom: 5px" action="/workspace/${workspace.id}/share" method="post">
                                         <input type="hidden" name="workspaceId" value="${workspace.id}" />
+                                        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
                                         <button class="btn btn-default small" type="submit" name="action" value="share" title="Enable sharing link"><img src="/static/bootstrap-icons/link.svg" class="icon-btn" /> Enable sharing link</button>
                                     </form>
                                 </c:otherwise>
@@ -135,6 +139,7 @@
                         <button id="exportWorkspaceButton" class="btn btn-default small" title="Export workspace as JSON"><img src="${structurizrConfiguration.cdnUrl}/bootstrap-icons/filetype-json.svg" class="icon-btn" /> Export workspace</button>
                         <form id="deleteWorkspaceForm" class="form-inline small centered" style="display: inline-block; margin-bottom: 5px" action="/workspace/${workspace.id}/delete" method="post">
                             <input type="hidden" name="workspaceId" value="${workspace.id}" />
+                            <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
                             <button class="btn btn-danger small" type="submit" name="action" value="remove" title="Delete workspace"><img src="/static/bootstrap-icons/folder-x.svg" class="icon-white icon-btn" /> Delete workspace</button>
                         </form>
                     </c:if>