diff --git a/Gemfile b/Gemfile
index 189f7475dcd..96a16ef0848 100644
--- a/Gemfile
+++ b/Gemfile
@@ -72,6 +72,8 @@ gem 'oj'
 # will need to be removed once we are on rails4 as it will be part of the rails4 core
 gem 'strong_parameters'
 
+gem 'rack-protection'
+
 group :production do
 # we use dalli as standard memcache client remove this if you don't
 # requires memcached 1.4+
diff --git a/config.ru b/config.ru
index 16f13fbd589..ca101965561 100644
--- a/config.ru
+++ b/config.ru
@@ -29,4 +29,5 @@
 # This file is used by Rack-based servers to start the application.
 
 require ::File.expand_path('../config/environment', __FILE__)
+use Rack::Protection::JsonCsrf
 run OpenProject::Application
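Review bot: The added `gem 'rack-protection'` line in the Gemfile hunk has no version constraint and no comment, unlike the neighbouring entries that say why they are there. This gem supplies a security middleware whose behaviour should stay predictable across bundle updates, so a pessimistic constraint such as `gem 'rack-protection', '~> <MAJOR.MINOR>'` (placeholder; use the version resolved in Gemfile.lock) would help. A comment like `# provides Rack::Protection::JsonCsrf, mounted in config.ru` would record the reason for the dependency. Gemfile.lock is not visible here, so confirm it is updated in the same commit.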
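Review bot: Mounting `Rack::Protection::JsonCsrf` with `use` in config.ru keeps it outside the Rails middleware stack, so it will not appear in `rake middleware`. Requests driven through the application object directly (integration and controller specs, presumably) would never pass through it. Registering it in the application config, `config.middleware.use Rack::Protection::JsonCsrf` in config/application.rb in a standard Rails layout, would apply it in every environment and make it testable. The middleware denies non-XHR JSON responses when the Referer host differs from the request host, so confirm that legitimate API consumers sending a foreign Referer are not broken. A request spec pinning the expected rejection would help, since no test accompanies the change in the visible hunks.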