diff --git a/web/add/cron/autoupdate/index.php b/web/add/cron/autoupdate/index.php
index 53d50c059..90854d9bd 100644
--- a/web/add/cron/autoupdate/index.php
+++ b/web/add/cron/autoupdate/index.php
@@ -5,6 +5,12 @@
 ob_start();
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+ header('location: /login/');
+ exit();
+}
+
 if ($_SESSION['user'] == 'admin') {
 exec (VESTA_CMD."v-add-cron-vesta-autoupdate", $output, $return_var);
 $_SESSION['error_msg'] = __('Autoupdate has been successfully enabled');
diff --git a/web/add/cron/reports/index.php b/web/add/cron/reports/index.php
index 4b0424e32..197c57604 100644
--- a/web/add/cron/reports/index.php
+++ b/web/add/cron/reports/index.php
@@ -5,6 +5,12 @@
 ob_start();
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+ header('location: /login/');
+ exit();
+}
+
 exec (VESTA_CMD."v-add-cron-reports ".$user, $output, $return_var);
 $_SESSION['error_msg'] = __('Cronjob email reporting has been successfully enabled');
 unset($output);
diff --git a/web/add/firewall/banlist/index.php b/web/add/firewall/banlist/index.php
index 774421e64..a9f616a2e 100644
--- a/web/add/firewall/banlist/index.php
+++ b/web/add/firewall/banlist/index.php
@@ -15,6 +15,12 @@ if ($_SESSION['user'] != 'admin') {
 // Check POST request
 if (!empty($_POST['ok'])) {
+ // Check token
+ if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+ header('location: /login/');
+ exit();
+ }
+
 // Check empty fields
 if (empty($_POST['v_chain'])) $errors[] = __('banlist');
 if (empty($_POST['v_ip'])) $errors[] = __('ip address');
diff --git a/web/delete/cron/autoupdate/index.php b/web/delete/cron/autoupdate/index.php
index ad670ef03..a58064c07 100644
--- a/web/delete/cron/autoupdate/index.php
+++ b/web/delete/cron/autoupdate/index.php
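Review bot: The token comparison on the second added line of the web/add/cron/autoupdate hunk uses loose `!=` and never checks that `$_SESSION['token']` is set, so a session without a token compares equal to an empty `token` parameter (`null == ''` is true under loose comparison) and tokens that happen to look numeric are compared as numbers rather than byte for byte; the identical check appears in the add/cron/reports, add/firewall/banlist (reading `$_POST`), delete/cron/autoupdate, delete/cron/reports, restart/service, restart/system and update/vesta hunks. A strict, constant-time comparison that also rejects non-string input would close both gaps: `$token = $_GET['token'] ?? null;` followed by `if (!is_string($token) || !isset($_SESSION['token']) || !hash_equals((string) $_SESSION['token'], $token)) {`. Whether inc/main.php already turns away sessions that carry no token cannot be seen from this hunk, so that mitigation is inferred rather than confirmed. The `if ($_SESSION['user'] == 'admin')` block that follows the new check continues outside the hunk.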
@@ -5,6 +5,12 @@
 ob_start();
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+ header('location: /login/');
+ exit();
+}
+
 if ($_SESSION['user'] == 'admin') {
 exec (VESTA_CMD."v-delete-cron-vesta-autoupdate", $output, $return_var);
 $_SESSION['error_msg'] = __('Autoupdate has been successfully disabled');
diff --git a/web/delete/cron/reports/index.php b/web/delete/cron/reports/index.php
index af7df20f2..10d422a8d 100644
--- a/web/delete/cron/reports/index.php
+++ b/web/delete/cron/reports/index.php
@@ -5,6 +5,12 @@
 ob_start();
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+ header('location: /login/');
+ exit();
+}
+
 exec (VESTA_CMD."v-delete-cron-reports ".$user, $output, $return_var);
 $_SESSION['error_msg'] = __('Cronjob email reporting has been successfully disabled');
 unset($output);
diff --git a/web/restart/service/index.php b/web/restart/service/index.php
index 5f42e5e5d..eb07e8569 100644
--- a/web/restart/service/index.php
+++ b/web/restart/service/index.php
@@ -5,6 +5,12 @@
 ob_start();
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+ header('location: /login/');
+ exit();
+}
+
 if ($_SESSION['user'] == 'admin') {
 if (!empty($_GET['srv'])) {
 if ($_GET['srv'] == 'iptables') {
diff --git a/web/restart/system/index.php b/web/restart/system/index.php
index 4facc5a5a..4e09745ed 100644
--- a/web/restart/system/index.php
+++ b/web/restart/system/index.php
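Review bot: The new check in the web/restart/service hunk accepts the token from the query string of a request that performs a state-changing action (the `$_GET['srv']` handling directly below it), which means the token is written to browser history, web-server and proxy access logs and the Referer header of whatever page the request leads to; the cron and update hunks that read `$_GET['token']` share this exposure. Carrying these actions over POST with the token in the body, as the banlist hunk already does, would keep the token out of those places. If that is out of scope for this commit, a comment on the new check recording the trade-off would help the next maintainer: `// Token is read from the URL and will appear in logs and Referer headers; prefer POST for state changes`. The admin/`srv` block that follows continues outside the hunk.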
@@ -5,6 +5,12 @@
 ob_start();
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+ header('location: /login/');
+ exit();
+}
+
 if ($_SESSION['user'] == 'admin') {
 if (!empty($_GET['hostname'])) {
 exec (VESTA_CMD."v-restart-system yes", $output, $return_var);
diff --git a/web/templates/admin/list_services.html b/web/templates/admin/list_services.html
index 346370e66..6012d2a38 100644
--- a/web/templates/admin/list_services.html
+++ b/web/templates/admin/list_services.html
@@ -54,7 +54,7 @@
diff --git a/web/update/vesta/index.php b/web/update/vesta/index.php
index a025c7bf0..fa7ca2c4e 100644
--- a/web/update/vesta/index.php
+++ b/web/update/vesta/index.php
@@ -5,6 +5,12 @@
 ob_start();
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+ header('location: /login/');
+ exit();
+}
+
 if ($_SESSION['user'] == 'admin') {
 if (!empty($_GET['pkg'])) {
 $v_pkg = escapeshellarg($_GET['pkg']);