diff --git a/includes/specials/SpecialDeleteCargoTable.php b/includes/specials/SpecialDeleteCargoTable.php
index b662195c..8528c60f 100644
--- a/includes/specials/SpecialDeleteCargoTable.php
+++ b/includes/specials/SpecialDeleteCargoTable.php
@@ -55,6 +55,7 @@ public function execute( $subpage = false ) {
 $out = $this->getOutput();
 $req = $this->getRequest();
+ $csrfTokenSet = $this->getContext()->getCsrfTokenSet();
 $out->enableOOUI();
@@ -87,7 +88,7 @@ public function execute( $subpage = false ) {
 $fieldTables = unserialize( $row['field_tables'] );
 $fieldHelperTables = unserialize( $row['field_helper_tables'] );
- if ( $this->getRequest()->getCheck( 'delete' ) ) {
+ if ( $req->wasPosted() && $req->getCheck( 'delete' ) && $csrfTokenSet->matchToken( $req->getText( 'wpEditToken' ) ) ) {
 self::deleteTable( $tableName, $fieldTables, $fieldHelperTables );
 $text = Html::rawElement( 'p', null, $this->msg( 'cargo-deletetable-success', $tableName )->escaped() ) . "\n";
 $tablesLink = CargoUtils::makeLink( $this->getLinkRenderer(),
diff --git a/includes/specials/SpecialSwitchCargoTable.php b/includes/specials/SpecialSwitchCargoTable.php
index c7b56e84..daf950bb 100644
--- a/includes/specials/SpecialSwitchCargoTable.php
+++ b/includes/specials/SpecialSwitchCargoTable.php
@@ -86,6 +86,9 @@ public function execute( $subpage = false ) {
 $this->checkPermissions();
 $out = $this->getOutput();
+ $req = $this->getRequest();
+ $csrfTokenSet = $this->getContext()->getCsrfTokenSet();
+
 $tableName = $subpage;
 $out->enableOOUI();
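Review bot: A POST that carries `delete` but whose `wpEditToken` fails `matchToken()` now falls through silently to whatever follows the `if` (presumably the confirmation form again), so a user with an expired session gets no hint that the deletion was refused and a blocked cross-site attempt leaves no visible trace; add an explicit branch before re-rendering, e.g. `} elseif ( $req->wasPosted() && $req->getCheck( 'delete' ) ) { $out->addWikiMsg( 'sessionfailure' ); }`. The form that submits `delete` is outside this hunk, so confirm it posts and emits the token as a hidden `wpEditToken` field (`$csrfTokenSet->getToken()->toString()`, or HTMLForm which adds one itself); otherwise every legitimate submission is now rejected in the same silent way. Any `?delete=1` links elsewhere in the extension that relied on the old GET path stop working too, which is the intended effect but worth a grep. The body of `execute()` continues past both ends of this hunk.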
@@ -116,7 +119,7 @@ public function execute( $subpage = false ) {
 $fieldTables = unserialize( $row['field_tables'] );
 $fieldHelperTables = unserialize( $row['field_helper_tables'] );
- if ( $this->getRequest()->getCheck( 'switch' ) ) {
+ if ( $req->wasPosted() && $req->getCheck( 'switch' ) && $csrfTokenSet->matchToken( $req->getText( 'wpEditToken' ) ) ) {
 self::switchInTableReplacement( $tableName, $fieldTables, $fieldHelperTables, $this->getUser() );
 $text = Html::element( 'p', null, $this->msg( 'cargo-switchtables-success', $tableName )->parse() ) . "\n";
 $tablesLink = CargoUtils::makeLink( $this->getLinkRenderer(),
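Review bot: On the `$text` line inside the new guard, `Html::element()` escapes its content, so the HTML that `->parse()` just produced for `cargo-switchtables-success` is rendered as literal markup; the sibling delete page avoids this with `Html::rawElement( 'p', null, ... ->escaped() )`, so either switch to `Html::rawElement( 'p', null, $this->msg( 'cargo-switchtables-success', $tableName )->parse() )` or, if the message is plain text, keep `Html::element` and use `->text()`. As on the delete page, a POST whose `wpEditToken` does not match now drops through with no feedback; a short `elseif ( $req->wasPosted() && $req->getCheck( 'switch' ) ) { $out->addWikiMsg( 'sessionfailure' ); }` branch tells the user their session expired and makes blocked cross-site attempts visible. The form that posts `switch` is not in this hunk, so confirm it includes the hidden `wpEditToken` field and uses POST, otherwise legitimate submissions are rejected the same silent way. `execute()` continues beyond both ends of this hunk.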