diff --git a/classes/controller.php b/classes/controller.php
index a11a1d02..83fe491c 100644
--- a/classes/controller.php
+++ b/classes/controller.php
@@ -86,6 +86,11 @@ class AdminController
      */
     public function execute()
     {
+        if (!Utils::verifyNonce($this->post['admin-nonce'], 'admin-post-blueprints')) {
+            $this->admin->setMessage('Unauthorized', 'error');
+            return false;
+        }
+
         $success = false;
         $method = 'task' . ucfirst($this->task);
         if (method_exists($this, $method)) {
diff --git a/themes/grav/templates/partials/blueprints-new.html.twig b/themes/grav/templates/partials/blueprints-new.html.twig
index 37e26611..c8ad9d71 100644
--- a/themes/grav/templates/partials/blueprints-new.html.twig
+++ b/themes/grav/templates/partials/blueprints-new.html.twig
@@ -14,4 +14,7 @@
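Review bot: `$this->post['admin-nonce']` is read without a guard in the new check, so a request that omits the field raises an undefined-array-key warning before `Utils::verifyNonce` runs and hands it `null`; use `$this->post['admin-nonce'] ?? ''` so a missing nonce takes the same `Unauthorized` path as an invalid one without the diagnostics noise. Whether `verifyNonce` itself tolerates `null` is not visible in this hunk. The early `return false` precedes the `$success = false` initialisation, which looks consistent with the method's false-on-failure shape, but execute()'s body and its final return are outside the hunk.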
+
+    {{ nonce_field('admin-post-blueprints', 'admin-nonce') }}
+
diff --git a/themes/grav/templates/partials/blueprints-raw.html.twig b/themes/grav/templates/partials/blueprints-raw.html.twig
index 88892915..91fe6a39 100644
--- a/themes/grav/templates/partials/blueprints-raw.html.twig
+++ b/themes/grav/templates/partials/blueprints-raw.html.twig
@@ -10,4 +10,7 @@
     {% endif %}
     {% endfor %}
+
+    {{ nonce_field('admin-post-blueprints', 'admin-nonce') }}
+
diff --git a/themes/grav/templates/partials/blueprints.html.twig b/themes/grav/templates/partials/blueprints.html.twig
index 0c96fa53..deb0066b 100644
--- a/themes/grav/templates/partials/blueprints.html.twig
+++ b/themes/grav/templates/partials/blueprints.html.twig
@@ -18,4 +18,6 @@
     {% include 'forms/fields/hidden/hidden.html.twig' %}
     {% endfor %}
     {% endif %}
+
+    {{ nonce_field('admin-post-blueprints', 'admin-nonce') }}
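Review bot: The `nonce_field` call added to blueprints-new.html.twig only protects the request if the hidden input renders inside the `<form>` whose submission reaches `AdminController::execute()`; the hunk's context lines did not survive extraction, so confirm the field sits within that form element, otherwise every submission is rejected as `Unauthorized`. The same applies to the blueprints-raw.html.twig and blueprints.html.twig hunks. The action string `'admin-post-blueprints'` now appears in three templates and the controller and must stay in sync; a mismatch fails closed with the same generic message, which is safe but hard to diagnose, so a comment beside the controller check naming the templates that emit it, e.g. `// action name must match nonce_field() in partials/blueprints*.html.twig`, would help maintainers.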