diff --git a/assets/views/account/password.html b/assets/views/account/password.html
index 784df64..38a8aa5 100644
--- a/assets/views/account/password.html
+++ b/assets/views/account/password.html
@@ -22,6 +22,7 @@
 
   <form method="post" action="/account/password" hx-boost="false" class="mt-6 flex flex-col gap-4"
     x-data="{ password: '', confirm: '' }">
+  {{ ui::csrf_field() }}
     <div class="flex flex-col gap-1">
       <label for="current_password" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="password-current", lang=lang | default(value='sk')) }}</label>
       {{ ui::input(name="current_password", id="current_password", type="password", required=true, autocomplete="current-password") }}
diff --git a/assets/views/account/profile.html b/assets/views/account/profile.html
index 61c58fd..244fcc9 100644
--- a/assets/views/account/profile.html
+++ b/assets/views/account/profile.html
@@ -82,6 +82,7 @@
 
   <!-- edit form -->
   <form x-show="editing" x-cloak method="post" action="/account/profile" hx-boost="false" class="mt-6 space-y-6">
+  {{ ui::csrf_field() }}
     <!-- account type is fixed at registration and shown read-only -->
     <fieldset class="space-y-2 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
       <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-type", lang=lang | default(value='sk')) }}</legend>
diff --git a/assets/views/account/security.html b/assets/views/account/security.html
index f9bf027..8094117 100644
--- a/assets/views/account/security.html
+++ b/assets/views/account/security.html
@@ -39,6 +39,7 @@
       <code class="mt-1 inline-block break-all font-mono text-sm text-on-surface-strong dark:text-on-surface-dark-strong">{{ secret }}</code>
     </div>
     <form method="post" action="/account/security/confirm" hx-boost="false" class="flex flex-col gap-3">
+  {{ ui::csrf_field() }}
       <label for="code" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="security-2fa-enter-code", lang=lang | default(value='sk')) }}</label>
       {{ ui::input(name="code", id="code", type="text", required=true, autocomplete="one-time-code", attrs='inputmode="numeric" pattern="[0-9]*" maxlength="6" autofocus') }}
       {{ ui::button(label=t(key="security-2fa-confirm", lang=lang | default(value='sk')), type="submit", extra="w-full") }}
@@ -53,6 +54,7 @@
   </div>
 
   <form method="post" action="/account/security/backup-codes" hx-boost="false" class="mt-6 flex flex-col gap-3 rounded-radius border border-outline bg-surface-alt p-5 dark:border-outline-dark dark:bg-surface-dark-alt">
+  {{ ui::csrf_field() }}
     <p class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="security-2fa-regenerate", lang=lang | default(value='sk')) }}</p>
     <label for="regen_pw" class="text-sm text-on-surface dark:text-on-surface-dark">{{ t(key="password-current", lang=lang | default(value='sk')) }}</label>
     {{ ui::input(name="current_password", id="regen_pw", type="password", required=true, autocomplete="current-password") }}
@@ -60,6 +62,7 @@
   </form>
 
   <form method="post" action="/account/security/disable" hx-boost="false" class="mt-4 flex flex-col gap-3 rounded-radius border border-danger/40 bg-danger/5 p-5">
+  {{ ui::csrf_field() }}
     <p class="text-sm font-medium text-danger">{{ t(key="security-2fa-disable", lang=lang | default(value='sk')) }}</p>
     <p class="text-xs text-on-surface dark:text-on-surface-dark">{{ t(key="security-2fa-disable-hint", lang=lang | default(value='sk')) }}</p>
     <label for="disable_pw" class="text-sm text-on-surface dark:text-on-surface-dark">{{ t(key="password-current", lang=lang | default(value='sk')) }}</label>
@@ -70,6 +73,7 @@
   {% else %}
   {# --- Disabled: offer to enable --- #}
   <form method="post" action="/account/security/enable" hx-boost="false" class="mt-6">
+  {{ ui::csrf_field() }}
     <div class="flex items-center gap-2">
       {{ ui::badge(label=t(key="security-2fa-off", lang=lang | default(value='sk')), variant="neutral") }}
     </div>
diff --git a/assets/views/admin/base.html b/assets/views/admin/base.html
index 53f85a0..b6fdf97 100644
--- a/assets/views/admin/base.html
+++ b/assets/views/admin/base.html
@@ -43,38 +43,9 @@
     {% block head %}{% endblock head %}
     <script src="/static/vendor/htmx/htmx-1.9.12.min.js"></script>
     <script defer src="/static/vendor/alpine/alpinejs-3.14.9.min.js"></script>
-    <!-- CSRF: echo the signed `csrf_token` cookie back on every unsafe request.
-         htmx requests get it as an X-CSRF-Token header; native <form> submits
-         can't set a header, so a hidden _csrf field is injected instead.
-         Server side: shared::csrf::protect. -->
-    <script>
-      (function () {
-        function csrfToken() {
-          var m = document.cookie.split('; ').find(function (c) { return c.indexOf('csrf_token=') === 0; });
-          return m ? decodeURIComponent(m.split('=').slice(1).join('=')) : '';
-        }
-        document.addEventListener('htmx:configRequest', function (e) {
-          var t = csrfToken();
-          if (t) e.detail.headers['X-CSRF-Token'] = t;
-        });
-        document.addEventListener('submit', function (e) {
-          var form = e.target;
-          if (!form || (form.method || '').toLowerCase() !== 'post') return;
-          var t = csrfToken();
-          if (!t) return;
-          var input = form.querySelector('input[name="_csrf"]');
-          if (!input) {
-            input = document.createElement('input');
-            input.type = 'hidden';
-            input.name = '_csrf';
-            form.appendChild(input);
-          }
-          input.value = t;
-        }, true);
-      })();
-    </script>
   </head>
   <body
+    hx-headers='{"X-CSRF-Token": "{{ csrf_token() }}"}'
     x-data="{ showSidebar: false }"
     class="min-h-screen bg-surface text-on-surface antialiased dark:bg-surface-dark dark:text-on-surface-dark">
 
@@ -126,6 +97,7 @@
           {{ t(key="admin-exit", lang=lang | default(value='sk')) }}
         </a>
         <form method="post" action="/logout">
+          {{ ui::csrf_field() }}
           <button type="submit" class="flex w-full items-center gap-2 rounded-radius px-2 py-1.5 text-left text-sm font-medium text-danger underline-offset-2 transition hover:bg-danger/5 focus:outline-hidden focus-visible:underline">
             {{ t(key="logout", lang=lang | default(value='sk')) }}
           </button>
diff --git a/assets/views/admin/catalog/categories.html b/assets/views/admin/catalog/categories.html
index 7402e24..ea739c2 100644
--- a/assets/views/admin/catalog/categories.html
+++ b/assets/views/admin/catalog/categories.html
@@ -46,6 +46,7 @@
             {{ ui::button(variant="outline-secondary", label=t(key="edit", lang=lang | default(value='sk')), href="/admin/catalog/categories/" ~ row.category.id ~ "/edit", size="px-3 py-1.5 text-xs") }}
             <form method="post" action="/admin/catalog/categories/{{ row.category.id }}/delete"
               onsubmit="return confirm('{{ t(key="confirm-delete", lang=lang | default(value='sk')) }}')">
+  {{ ui::csrf_field() }}
               {{ ui::button(variant="outline-danger", label=t(key="delete", lang=lang | default(value='sk')), type="submit", size="px-3 py-1.5 text-xs") }}
             </form>
           </div>
diff --git a/assets/views/admin/catalog/category_form.html b/assets/views/admin/catalog/category_form.html
index abd494f..abcfe45 100644
--- a/assets/views/admin/catalog/category_form.html
+++ b/assets/views/admin/catalog/category_form.html
@@ -15,6 +15,7 @@
 <form method="post" enctype="multipart/form-data"
   action="{% if category %}/admin/catalog/categories/{{ category.id }}{% else %}/admin/catalog/categories{% endif %}"
   class="mt-6 space-y-5 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
+  {{ ui::csrf_field() }}
 
   {% if category %}
     {% set v_name = category.name %}{% set v_slug = category.slug %}{% set v_pos = category.position %}{% set v_desc = category.description | default(value="") %}{% set v_pub = category.published %}
diff --git a/assets/views/admin/catalog/product_form.html b/assets/views/admin/catalog/product_form.html
index a6936ad..e4da665 100644
--- a/assets/views/admin/catalog/product_form.html
+++ b/assets/views/admin/catalog/product_form.html
@@ -15,6 +15,7 @@
 <form method="post" enctype="multipart/form-data"
   action="{% if product %}/admin/catalog/products/{{ product.id }}{% else %}/admin/catalog/products{% endif %}"
   class="mt-6 space-y-5 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
+  {{ ui::csrf_field() }}
 
   {% if product %}
     {% set v_name = product.name %}{% set v_price = product.price %}{% set v_currency = product.currency %}{% set v_stock = product.stock %}{% set v_sku = product.sku | default(value="") %}{% set v_slug = product.slug %}{% set v_desc = product.description | default(value="") %}{% set v_pub = product.published %}
diff --git a/assets/views/admin/catalog/products.html b/assets/views/admin/catalog/products.html
index 9c20de7..f8d70c2 100644
--- a/assets/views/admin/catalog/products.html
+++ b/assets/views/admin/catalog/products.html
@@ -56,6 +56,7 @@
             {{ ui::button(variant="outline-secondary", label=t(key="view", lang=lang | default(value='sk')), href="/shop/" ~ product.slug, size="px-3 py-1.5 text-xs") }}
             <form method="post" action="/admin/catalog/products/{{ product.id }}/delete"
               onsubmit="return confirm('{{ t(key="confirm-delete", lang=lang | default(value='sk')) }}')">
+  {{ ui::csrf_field() }}
               {{ ui::button(variant="outline-danger", label=t(key="delete", lang=lang | default(value='sk')), type="submit", size="px-3 py-1.5 text-xs") }}
             </form>
           </div>
diff --git a/assets/views/admin/orders/show.html b/assets/views/admin/orders/show.html
index aa7bb89..ef3fd25 100644
--- a/assets/views/admin/orders/show.html
+++ b/assets/views/admin/orders/show.html
@@ -110,6 +110,7 @@
       <p class="text-on-surface/70 dark:text-on-surface-dark/70">{{ t(key="order-send-hint", lang=lang | default(value='sk')) }}</p>
       <form method="post" action="/admin/orders/{{ order.id }}/ship"
         onsubmit="return confirm('{{ t(key="order-send-confirm", lang=lang | default(value='sk')) }}')">
+  {{ ui::csrf_field() }}
         {% set carrier_up = carrier | upper %}
         {% set ship_label = t(key="order-send-to-carrier", lang=lang | default(value='sk')) ~ " " ~ carrier_up %}
         {{ ui::button(label=ship_label, type="submit", extra="w-full") }}
@@ -118,6 +119,7 @@
     </div>
 
     <form method="post" action="/admin/orders/{{ order.id }}/status" class="space-y-3 rounded-radius border border-outline bg-surface p-5 dark:border-outline-dark dark:bg-surface-dark-alt">
+  {{ ui::csrf_field() }}
       <label for="status" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="order-status", lang=lang | default(value='sk')) }}</label>
       <div class="relative">
         <select id="status" name="status"
diff --git a/assets/views/admin/shipping/index.html b/assets/views/admin/shipping/index.html
index 22ba334..1fad714 100644
--- a/assets/views/admin/shipping/index.html
+++ b/assets/views/admin/shipping/index.html
@@ -14,6 +14,7 @@
   {% for method in methods %}
   <form method="post" action="/admin/shipping/{{ method.id }}"
     class="flex flex-wrap items-end gap-4 rounded-radius border border-outline bg-surface p-5 dark:border-outline-dark dark:bg-surface-dark-alt">
+  {{ ui::csrf_field() }}
     <div class="min-w-40">
       <p class="font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ method.name }}</p>
       <p class="text-xs text-on-surface/60 dark:text-on-surface-dark/60">{{ method.carrier | upper }}{% if method.requires_pickup_point %} · {{ t(key="checkout-pickup-point", lang=lang | default(value='sk')) }}{% endif %}</p>
diff --git a/assets/views/auth/login.html b/assets/views/auth/login.html
index be04a7f..0f57aa3 100644
--- a/assets/views/auth/login.html
+++ b/assets/views/auth/login.html
@@ -30,6 +30,7 @@
       {% endif %}
 
       <form method="post" action="/login" hx-boost="false" class="mt-4 flex flex-col gap-4">
+        {{ ui::csrf_field() }}
         <div class="flex flex-col gap-1">
           <label for="email"
             class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">
diff --git a/assets/views/auth/login_totp.html b/assets/views/auth/login_totp.html
index ea895b1..f5eda3b 100644
--- a/assets/views/auth/login_totp.html
+++ b/assets/views/auth/login_totp.html
@@ -28,6 +28,7 @@
       {% endif %}
 
       <form method="post" action="/login/totp" hx-boost="false" class="mt-4 flex flex-col gap-4">
+  {{ ui::csrf_field() }}
         <div class="flex flex-col gap-1">
           <label for="code"
             class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">
diff --git a/assets/views/auth/register.html b/assets/views/auth/register.html
index 605c115..2bdc49d 100644
--- a/assets/views/auth/register.html
+++ b/assets/views/auth/register.html
@@ -32,6 +32,7 @@
 
       <form method="post" action="/register" hx-boost="false" class="mt-4 flex flex-col gap-4"
         x-data="{ password: '', confirm: '' }">
+  {{ ui::csrf_field() }}
         <div class="flex flex-col gap-1.5">
           <span class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-type", lang=lang | default(value='sk')) }}</span>
           <div class="grid grid-cols-2 gap-2">
diff --git a/assets/views/auth/resend_verification.html b/assets/views/auth/resend_verification.html
index 98cddde..03428e2 100644
--- a/assets/views/auth/resend_verification.html
+++ b/assets/views/auth/resend_verification.html
@@ -24,6 +24,7 @@
       {% else %}
       <p class="mt-1 text-sm text-on-surface/70 dark:text-on-surface-dark/70">{{ t(key="resend-verification-intro", lang=lang | default(value='sk')) }}</p>
       <form method="post" action="/resend-verification" hx-boost="false" class="mt-4 flex flex-col gap-4">
+  {{ ui::csrf_field() }}
         <div class="flex flex-col gap-1">
           <label for="email" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="login-email", lang=lang | default(value='sk')) }}</label>
           {{ ui::input(name="email", id="email", type="email", required=true, autocomplete="email", attrs="autofocus") }}
diff --git a/assets/views/auth/set_password.html b/assets/views/auth/set_password.html
index 95057b4..f6e017e 100644
--- a/assets/views/auth/set_password.html
+++ b/assets/views/auth/set_password.html
@@ -29,6 +29,7 @@
       {% endif %}
 
       <form method="post" action="/set-password" hx-boost="false" class="mt-4 flex flex-col gap-4">
+  {{ ui::csrf_field() }}
         <input type="hidden" name="token" value="{{ token }}">
         <div class="flex flex-col gap-1">
           <label for="password" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="set-password-new", lang=lang | default(value='sk')) }}</label>
diff --git a/assets/views/base.html b/assets/views/base.html
index f998068..4db41b4 100644
--- a/assets/views/base.html
+++ b/assets/views/base.html
@@ -67,38 +67,9 @@
          required by the Penguin UI keyboard-accessible dropdowns. -->
     <script defer src="/static/vendor/alpine/alpine-focus-3.14.9.min.js"></script>
     <script defer src="/static/vendor/alpine/alpinejs-3.14.9.min.js"></script>
-    <!-- CSRF: echo the signed `csrf_token` cookie back on every unsafe request.
-         htmx requests get it as an X-CSRF-Token header; native <form> submits
-         (hx-boost="false") can't set a header, so a hidden _csrf field is
-         injected instead. Server side: shared::csrf::protect. -->
-    <script>
-      (function () {
-        function csrfToken() {
-          var m = document.cookie.split('; ').find(function (c) { return c.indexOf('csrf_token=') === 0; });
-          return m ? decodeURIComponent(m.split('=').slice(1).join('=')) : '';
-        }
-        document.addEventListener('htmx:configRequest', function (e) {
-          var t = csrfToken();
-          if (t) e.detail.headers['X-CSRF-Token'] = t;
-        });
-        document.addEventListener('submit', function (e) {
-          var form = e.target;
-          if (!form || (form.method || '').toLowerCase() !== 'post') return;
-          var t = csrfToken();
-          if (!t) return;
-          var input = form.querySelector('input[name="_csrf"]');
-          if (!input) {
-            input = document.createElement('input');
-            input.type = 'hidden';
-            input.name = '_csrf';
-            form.appendChild(input);
-          }
-          input.value = t;
-        }, true);
-      })();
-    </script>
   </head>
   <body hx-boost="true"
+    hx-headers='{"X-CSRF-Token": "{{ csrf_token() }}"}'
     x-data="{ cats: false, lg: window.matchMedia('(min-width: 1024px)').matches }"
     x-init="window.matchMedia('(min-width: 1024px)').addEventListener('change', e => lg = e.matches)"
     class="min-h-screen bg-surface text-on-surface antialiased dark:bg-surface-dark dark:text-on-surface-dark">
@@ -121,6 +92,7 @@
           <li>{{ ui::nav_link(label=t(key="admin-title", lang=lang | default(value='sk')), href="/admin/dashboard", data_nav="/admin", variant="warning", attrs='hx-boost="false"') }}</li>
           <li>
             <form method="post" action="/logout" hx-boost="false">
+  {{ ui::csrf_field() }}
               <button type="submit" class="text-sm font-medium text-danger underline-offset-2 transition hover:opacity-75 focus:outline-hidden focus-visible:underline">{{ t(key="logout", lang=lang | default(value='sk')) }}</button>
             </form>
           </li>
@@ -193,6 +165,7 @@
           <li><a href="/admin/dashboard" hx-boost="false" data-nav="/admin" class="block rounded-radius px-3 py-2 text-sm font-medium text-warning underline-offset-2 transition hover:bg-primary/5 focus:outline-hidden focus-visible:underline">{{ t(key="admin-title", lang=lang | default(value='sk')) }}</a></li>
           <li>
             <form method="post" action="/logout" hx-boost="false">
+  {{ ui::csrf_field() }}
               <button type="submit" class="block w-full rounded-radius px-3 py-2 text-left text-sm font-medium text-danger underline-offset-2 transition hover:bg-primary/5 focus:outline-hidden focus-visible:underline">{{ t(key="logout", lang=lang | default(value='sk')) }}</button>
             </form>
           </li>
@@ -200,6 +173,7 @@
           <li><a href="/account/profile" data-nav="/account" class="block rounded-radius px-3 py-2 text-sm font-medium text-on-surface underline-offset-2 transition hover:bg-primary/5 hover:text-primary focus:outline-hidden focus-visible:underline aria-[current=page]:font-semibold aria-[current=page]:bg-primary/10 aria-[current=page]:text-primary dark:text-on-surface-dark dark:hover:text-primary-dark dark:aria-[current=page]:text-primary-dark">{{ t(key="nav-profile", lang=lang | default(value='sk')) }}</a></li>
           <li>
             <form method="post" action="/logout" hx-boost="false">
+  {{ ui::csrf_field() }}
               <button type="submit" class="block w-full rounded-radius px-3 py-2 text-left text-sm font-medium text-danger underline-offset-2 transition hover:bg-primary/5 focus:outline-hidden focus-visible:underline">{{ t(key="logout", lang=lang | default(value='sk')) }}</button>
             </form>
           </li>
@@ -229,6 +203,7 @@
           <li><a href="/account/security" data-nav="/account/security" class="block rounded-radius px-3 py-2 text-sm font-medium text-on-surface underline-offset-2 transition hover:bg-primary/5 hover:text-primary focus:outline-hidden focus-visible:underline aria-[current=page]:font-semibold aria-[current=page]:bg-primary/10 aria-[current=page]:text-primary dark:text-on-surface-dark dark:hover:text-primary-dark dark:aria-[current=page]:text-primary-dark">{{ t(key="security-title", lang=lang | default(value='sk')) }}</a></li>
         </ul>
         <form method="post" action="/logout" hx-boost="false" class="mt-4 border-t border-outline pt-3 dark:border-outline-dark">
+  {{ ui::csrf_field() }}
           <button type="submit" class="block w-full rounded-radius px-3 py-2 text-left text-sm font-medium text-danger underline-offset-2 transition hover:bg-primary/5 focus:outline-hidden focus-visible:underline">{{ t(key="logout", lang=lang | default(value='sk')) }}</button>
         </form>
       </aside>
diff --git a/assets/views/macros/ui.html b/assets/views/macros/ui.html
index 6dffda6..8ff8e71 100644
--- a/assets/views/macros/ui.html
+++ b/assets/views/macros/ui.html
@@ -29,6 +29,13 @@
        outline : outline-primary | outline-secondary | outline-alternate | outline-danger
        ghost   : ghost-primary | ghost-secondary | ghost-danger #}
 
+{# CSRF hidden field for native (non-htmx) <form method="post"> submits. htmx
+   requests instead inherit the X-CSRF-Token header from <body hx-headers>.
+   `csrf_token()` is a global Tera function bound per-request by shared::csrf. #}
+{% macro csrf_field() -%}
+<input type="hidden" name="_csrf" value="{{ csrf_token() }}">
+{%- endmacro %}
+
 {% macro button(label, variant="primary", type="button", href="", attrs="", extra="", icon="", size="px-4 py-2 text-sm") -%}
 {%- if variant == "secondary" -%}{% set cls = "border border-secondary bg-secondary text-on-secondary focus-visible:outline-secondary dark:border-secondary-dark dark:bg-secondary-dark dark:text-on-secondary-dark dark:focus-visible:outline-secondary-dark" -%}
 {%- elif variant == "danger" -%}{% set cls = "border border-danger bg-danger text-on-danger focus-visible:outline-danger dark:bg-danger dark:border-danger dark:text-on-danger dark:focus-visible:outline-danger" -%}
diff --git a/assets/views/partials/profile_menu.html b/assets/views/partials/profile_menu.html
index ac6a8f6..85662f6 100644
--- a/assets/views/partials/profile_menu.html
+++ b/assets/views/partials/profile_menu.html
@@ -68,7 +68,8 @@
     </div>
     <!-- logout -->
     <div class="flex flex-col py-1.5">
-      <form method="post" action="/logout" hx-boost="false"><button type="submit" role="menuitem" class="flex w-full items-center gap-2 bg-surface-alt px-4 py-2 text-left text-sm text-on-surface hover:bg-surface-dark-alt/5 hover:text-on-surface-strong focus-visible:bg-surface-dark-alt/10 focus-visible:text-on-surface-strong focus-visible:outline-hidden dark:bg-surface-dark-alt dark:text-on-surface-dark dark:hover:bg-surface-alt/5 dark:hover:text-on-surface-dark-strong dark:focus-visible:bg-surface-alt/10 dark:focus-visible:text-on-surface-dark-strong">
+      <form method="post" action="/logout" hx-boost="false">
+  <input type="hidden" name="_csrf" value="{{ csrf_token() }}"><button type="submit" role="menuitem" class="flex w-full items-center gap-2 bg-surface-alt px-4 py-2 text-left text-sm text-on-surface hover:bg-surface-dark-alt/5 hover:text-on-surface-strong focus-visible:bg-surface-dark-alt/10 focus-visible:text-on-surface-strong focus-visible:outline-hidden dark:bg-surface-dark-alt dark:text-on-surface-dark dark:hover:bg-surface-alt/5 dark:hover:text-on-surface-dark-strong dark:focus-visible:bg-surface-alt/10 dark:focus-visible:text-on-surface-dark-strong">
         <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" aria-hidden="true" fill="currentColor" class="size-4 shrink-0"><path fill-rule="evenodd" d="M7.5 3.75A1.5 1.5 0 006 5.25v13.5a1.5 1.5 0 001.5 1.5h6a1.5 1.5 0 001.5-1.5V15a.75.75 0 011.5 0v3.75a3 3 0 01-3 3h-6a3 3 0 01-3-3V5.25a3 3 0 013-3h6a3 3 0 013 3V9A.75.75 0 0115 9V5.25a1.5 1.5 0 00-1.5-1.5h-6zm10.72 4.72a.75.75 0 011.06 0l3 3a.75.75 0 010 1.06l-3 3a.75.75 0 11-1.06-1.06l1.72-1.72H9a.75.75 0 010-1.5h10.94l-1.72-1.72a.75.75 0 010-1.06z" clip-rule="evenodd"/></svg>
         {{ t(key="logout", lang=lang | default(value='sk')) }}
       </button></form>
diff --git a/assets/views/partials/settings_dropdown.html b/assets/views/partials/settings_dropdown.html
index 6a5da1b..e3c3561 100644
--- a/assets/views/partials/settings_dropdown.html
+++ b/assets/views/partials/settings_dropdown.html
@@ -20,6 +20,7 @@
   class="absolute right-0 mt-2 flex w-56 flex-col overflow-hidden rounded-radius border border-outline bg-surface-alt py-1 shadow-lg dark:border-outline-dark dark:bg-surface-dark-alt"
   role="menu">
   <form method="post" action="/lang" hx-boost="false">
+  <input type="hidden" name="_csrf" value="{{ csrf_token() }}">
     <p class="px-4 py-1.5 text-xs font-semibold uppercase tracking-wide text-on-surface/60 dark:text-on-surface-dark/60">
       {{ t(key="settings-language", lang=lang | default(value='sk')) }}
     </p>
diff --git a/assets/views/shop/_card.html b/assets/views/shop/_card.html
index d85aa54..6b6fa18 100644
--- a/assets/views/shop/_card.html
+++ b/assets/views/shop/_card.html
@@ -26,6 +26,7 @@
     <p class="text-xs text-on-surface/60 dark:text-on-surface-dark/60">{{ t(key="in-stock", lang=lang | default(value='sk')) }}: {{ product.stock }}</p>
     <form method="post" action="/cart/add" hx-post="/cart/add" hx-swap="none"
       hx-on::after-request="if (event.detail.successful) toast('{{ t(key='cart-added', lang=lang | default(value='sk')) }}')">
+  <input type="hidden" name="_csrf" value="{{ csrf_token() }}">
       <input type="hidden" name="product_id" value="{{ product.id }}">
       <input type="hidden" name="quantity" value="1">
       {{ ui::button(label=t(key="add-to-cart", lang=lang | default(value='sk')), type="submit", extra="w-full", icon='<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" fill="currentColor" aria-hidden="true" class="size-3.5"><path fill-rule="evenodd" d="M5 4a3 3 0 0 1 6 0v1h.643a1.5 1.5 0 0 1 1.492 1.35l.7 7A1.5 1.5 0 0 1 12.342 15H3.657a1.5 1.5 0 0 1-1.492-1.65l.7-7A1.5 1.5 0 0 1 4.357 5H5V4Zm4.5 0v1h-3V4a1.5 1.5 0 0 1 3 0Zm-3 3.75a.75.75 0 0 0-1.5 0v1a3 3 0 1 0 6 0v-1a.75.75 0 0 0-1.5 0v1a1.5 1.5 0 1 1-3 0v-1Z" clip-rule="evenodd" /></svg>') }}
diff --git a/assets/views/shop/_cart_body.html b/assets/views/shop/_cart_body.html
index 764f2b3..d04dd01 100644
--- a/assets/views/shop/_cart_body.html
+++ b/assets/views/shop/_cart_body.html
@@ -27,6 +27,7 @@
              reverting to the previous quantity if the customer cancels. #}
           <form method="post" action="/cart/update"
             hx-post="/cart/update" hx-trigger="cartchange" hx-target="#cart-body" hx-swap="innerHTML">
+  {{ ui::csrf_field() }}
             <input type="hidden" name="product_id" value="{{ item.id }}">
             <input type="number" name="quantity" min="0" max="{{ item.stock }}" value="{{ item.quantity }}"
               @change="
@@ -43,6 +44,7 @@
         <td class="px-4 py-3 text-right">
           <form method="post" action="/cart/remove"
             hx-post="/cart/remove" hx-target="#cart-body" hx-swap="innerHTML">
+  {{ ui::csrf_field() }}
             <input type="hidden" name="product_id" value="{{ item.id }}">
             {{ ui::button(variant="ghost-danger", label=t(key="cart-remove", lang=lang | default(value='sk')), type="submit", size="px-2 py-1 text-xs") }}
           </form>
diff --git a/assets/views/shop/checkout.html b/assets/views/shop/checkout.html
index 194b7dd..a1b650c 100644
--- a/assets/views/shop/checkout.html
+++ b/assets/views/shop/checkout.html
@@ -21,7 +21,8 @@
     packetaKey: '{{ packeta_api_key }}',
     fmt(c) { return (c / 100).toFixed(2) },
     pickPoint() {
-      Packeta.Widget.pick(this.packetaKey, (point) => {
+      Packeta.Widget.pick(this.packetaKey, (point) =>
+  {{ ui::csrf_field() }} {
         if (point) { this.pointId = String(point.id); this.pointName = point.formatedValue || point.name }
       })
     },
diff --git a/assets/views/shop/show.html b/assets/views/shop/show.html
index bc30d5e..010e92b 100644
--- a/assets/views/shop/show.html
+++ b/assets/views/shop/show.html
@@ -63,6 +63,7 @@
     {% if product.stock > 0 %}
     <form method="post" action="/cart/add" hx-post="/cart/add" hx-swap="none" class="flex flex-wrap items-end gap-3"
       hx-on::after-request="if (event.detail.successful) toast('{{ t(key='cart-added', lang=lang | default(value='sk')) }}')">
+  {{ ui::csrf_field() }}
       <input type="hidden" name="product_id" value="{{ product.id }}">
       <div class="space-y-1.5">
         <label for="quantity" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="quantity", lang=lang | default(value='sk')) }}</label>
diff --git a/src/initializers/view_engine.rs b/src/initializers/view_engine.rs
index 7571cf9..5be7e90 100644
--- a/src/initializers/view_engine.rs
+++ b/src/initializers/view_engine.rs
@@ -6,6 +6,7 @@ use loco_rs::{
     controller::views::{engines, ViewEngine},
     Error, Result,
 };
+use std::collections::HashMap;
 use tracing::info;
 
 const I18N_DIR: &str = "assets/i18n";
@@ -35,10 +36,27 @@ impl Initializer for ViewEngineInitializer {
 
             engines::TeraView::build()?.post_process(move |tera| {
                 tera.register_function("t", FluentLoader::new(arc.clone()));
+                // `csrf_token()`: the in-flight request's CSRF token (bound by
+                // `shared::csrf::protect`), rendered into `<body hx-headers>`
+                // and `ui::csrf_field()`. Inlined so its `tera::Error` return is
+                // inferred from `register_function` — we never name a `tera`
+                // type, keeping it off our direct deps and pinned to loco's.
+                tera.register_function("csrf_token", |_args: &HashMap<String, serde_json::Value>| {
+                    Ok(serde_json::Value::String(
+                        crate::shared::csrf::current_token().unwrap_or_default(),
+                    ))
+                });
                 Ok(())
             })?
         } else {
-            engines::TeraView::build()?
+            engines::TeraView::build()?.post_process(|tera| {
+                tera.register_function("csrf_token", |_args: &HashMap<String, serde_json::Value>| {
+                    Ok(serde_json::Value::String(
+                        crate::shared::csrf::current_token().unwrap_or_default(),
+                    ))
+                });
+                Ok(())
+            })?
         };
 
         Ok(router.layer(Extension(ViewEngine::from(tera_engine))))
diff --git a/src/shared/csrf.rs b/src/shared/csrf.rs
index 1fab61b..6456792 100644
--- a/src/shared/csrf.rs
+++ b/src/shared/csrf.rs
@@ -56,6 +56,22 @@ const COOKIE_MAX_AGE_SECS: i64 = 60 * 60 * 24 * 14;
 /// fields); anything bigger is rejected rather than buffered.
 const MAX_BODY_BYTES: usize = 16 * 1024 * 1024;
 
+tokio::task_local! {
+    /// CSRF token bound to the in-flight request. [`protect`] sets it so the
+    /// `csrf_token()` Tera function can render it into pages (the `hx-headers`
+    /// on `<body>` and the `ui::csrf_field()` hidden input) without every
+    /// controller having to thread it through the view context.
+    static REQUEST_TOKEN: String;
+}
+
+/// The CSRF token for the current request task, if one is bound. Returns `None`
+/// outside a request (e.g. a mailer rendering a template). Used by the
+/// `csrf_token()` Tera function registered in the view engine.
+#[must_use]
+pub fn current_token() -> Option<String> {
+    REQUEST_TOKEN.try_with(String::clone).ok()
+}
+
 type HmacSha256 = Hmac<Sha256>;
 
 fn to_hex(bytes: &[u8]) -> String {
@@ -110,9 +126,9 @@ fn forbidden(reason: &str) -> Response {
     (StatusCode::FORBIDDEN, "CSRF validation failed").into_response()
 }
 
-/// Attach a freshly minted token cookie to an outgoing response.
-fn set_fresh_cookie(res: &mut Response, secret: &str) {
-    let cookie = issue_cookie(make_token(secret));
+/// Attach the given token to an outgoing response as the `csrf_token` cookie.
+fn attach_cookie(res: &mut Response, token: &str) {
+    let cookie = issue_cookie(token.to_string());
     if let Ok(value) = cookie.encoded().to_string().parse() {
         res.headers_mut().append(header::SET_COOKIE, value);
     }
@@ -171,9 +187,12 @@ pub async fn protect(
     let exempt = req.uri().path().starts_with("/api/");
 
     if is_safe || exempt {
-        let mut res = next.run(req).await;
+        // Bind a token for the page to render even on the very first visit, and
+        // persist that same token in the cookie so the later submit matches.
+        let token = cookie_token.clone().unwrap_or_else(|| make_token(&secret));
+        let mut res = REQUEST_TOKEN.scope(token.clone(), next.run(req)).await;
         if cookie_token.is_none() {
-            set_fresh_cookie(&mut res, &secret);
+            attach_cookie(&mut res, &token);
         }
         return res;
     }
@@ -185,9 +204,14 @@ pub async fn protect(
 
     // htmx and other scripted requests send the token as a header; prefer it so
     // we never have to touch the body.
-    if let Some(header_token) = req.headers().get(CSRF_HEADER).and_then(|v| v.to_str().ok()) {
-        if tokens_match(header_token, &expected) {
-            return next.run(req).await;
+    let header_token = req
+        .headers()
+        .get(CSRF_HEADER)
+        .and_then(|v| v.to_str().ok())
+        .map(str::to_string);
+    if let Some(header_token) = header_token {
+        if tokens_match(&header_token, &expected) {
+            return REQUEST_TOKEN.scope(expected, next.run(req)).await;
         }
         return forbidden("CSRF header did not match cookie");
     }
@@ -221,7 +245,8 @@ pub async fn protect(
         return forbidden("missing or non-matching CSRF form field");
     }
 
-    next.run(Request::from_parts(parts, Body::from(bytes))).await
+    let req = Request::from_parts(parts, Body::from(bytes));
+    REQUEST_TOKEN.scope(expected, next.run(req)).await
 }
 
 #[cfg(test)]