diff --git a/rhodecode/apps/admin/views/sessions.py b/rhodecode/apps/admin/views/sessions.py
--- a/rhodecode/apps/admin/views/sessions.py
+++ b/rhodecode/apps/admin/views/sessions.py
@@ -68,8 +68,8 @@ class AdminSessionSettingsView(BaseAppVi
 return self._get_template_context(c)
 
 @LoginRequired()
+ @HasPermissionAllDecorator('hg.admin')
 @CSRFRequired()
- @HasPermissionAllDecorator('hg.admin')
 @view_config(
 route_name='admin_settings_sessions_cleanup', request_method='POST')
 def settings_sessions_cleanup(self):
diff --git a/rhodecode/apps/admin/views/svn_config.py b/rhodecode/apps/admin/views/svn_config.py
--- a/rhodecode/apps/admin/views/svn_config.py
+++ b/rhodecode/apps/admin/views/svn_config.py
@@ -33,8 +33,8 @@ log = logging.getLogger(__name__)
 class SvnConfigAdminSettingsView(BaseAppView):
 
 @LoginRequired()
+ @HasPermissionAllDecorator('hg.admin')
 @CSRFRequired()
- @HasPermissionAllDecorator('hg.admin')
 @view_config(
 route_name='admin_settings_vcs_svn_generate_cfg', request_method='POST',
 renderer='json')
diff --git a/rhodecode/apps/admin/views/users.py b/rhodecode/apps/admin/views/users.py
--- a/rhodecode/apps/admin/views/users.py
+++ b/rhodecode/apps/admin/views/users.py
@@ -251,6 +251,7 @@ class AdminUsersView(BaseAppView, DataGr
 
 @LoginRequired()
 @HasPermissionAllDecorator('hg.admin')
+ @CSRFRequired()
 @view_config(
 route_name='edit_user_groups_management_updates', request_method='POST')
 def groups_management_updates(self):
diff --git a/rhodecode/apps/repository/views/repo_caches.py b/rhodecode/apps/repository/views/repo_caches.py
--- a/rhodecode/apps/repository/views/repo_caches.py
+++ b/rhodecode/apps/repository/views/repo_caches.py
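Review bot: The decorator reorder in `settings_sessions_cleanup` puts `@HasPermissionAllDecorator('hg.admin')` outside `@CSRFRequired()`, so at request time the admin-permission check now runs before the CSRF token is validated, and nothing in the hunk says why the order was swapped; the svn_config.py hunk makes the identical swap. Both outcomes still refuse the request, so this is about intent, not safety, but a one-line comment above the stack such as `# permission is checked before the CSRF token, matching the other admin POST views` would stop a later cleanup from "restoring" the old order. The method bodies are outside the hunks.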
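Review bot: `groups_management_updates` now rejects a POST that lacks a valid CSRF token, yet unlike `repo_edit_strip.mako` later in this diff no template for this route is changed, so the form that posts to `edit_user_groups_management_updates` must already carry the `csrf_token` field (presumably via the shared form helper) or the action starts failing for legitimate admins. The same applies to `repo_caches_purge` in repo_caches.py, the `edit_repo_advanced_delete` view in repo_settings_advanced.py and `strip_check` in repo_strip.py, whose `checkCommits` sends `$('form').serialize()`. A per-route test that POSTs without the token and expects a rejection, plus one with the token that succeeds, would pin the new behaviour; the view bodies themselves lie outside these hunks.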
@@ -24,7 +24,8 @@ from pyramid.httpexceptions import HTTPF
 from pyramid.view import view_config
 
 from rhodecode.apps._base import RepoAppView
-from rhodecode.lib.auth import LoginRequired, HasRepoPermissionAnyDecorator
+from rhodecode.lib.auth import LoginRequired, HasRepoPermissionAnyDecorator, \
+ CSRFRequired
 from rhodecode.lib import helpers as h
 from rhodecode.model.meta import Session
 from rhodecode.model.scm import ScmModel
@@ -55,6 +56,7 @@ class RepoCachesView(RepoAppView):
 
 @LoginRequired()
 @HasRepoPermissionAnyDecorator('repository.admin')
+ @CSRFRequired()
 @view_config(
 route_name='edit_repo_caches', request_method='POST')
 def repo_caches_purge(self):
diff --git a/rhodecode/apps/repository/views/repo_settings_advanced.py b/rhodecode/apps/repository/views/repo_settings_advanced.py
--- a/rhodecode/apps/repository/views/repo_settings_advanced.py
+++ b/rhodecode/apps/repository/views/repo_settings_advanced.py
@@ -73,6 +73,7 @@ class RepoSettingsView(RepoAppView):
 
 @LoginRequired()
 @HasRepoPermissionAnyDecorator('repository.admin')
+ @CSRFRequired()
 @view_config(
 route_name='edit_repo_advanced_delete', request_method='POST',
 renderer='rhodecode:templates/admin/repos/repo_edit.mako')
diff --git a/rhodecode/apps/repository/views/repo_strip.py b/rhodecode/apps/repository/views/repo_strip.py
--- a/rhodecode/apps/repository/views/repo_strip.py
+++ b/rhodecode/apps/repository/views/repo_strip.py
@@ -25,7 +25,7 @@ from rhodecode.apps._base import RepoApp
 from rhodecode.lib import audit_logger
 from rhodecode.lib import helpers as h
 from rhodecode.lib.auth import (LoginRequired, HasRepoPermissionAnyDecorator,
- NotAnonymous)
+ NotAnonymous, CSRFRequired)
 from rhodecode.lib.ext_json import json
 
 log = logging.getLogger(__name__)
@@ -55,6 +56,7 @@ class StripView(RepoAppView):
 
 @LoginRequired()
 @HasRepoPermissionAnyDecorator('repository.admin')
+ @CSRFRequired()
 @view_config(
 route_name='strip_check', request_method='POST',
 renderer='json', xhr=True)
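Review bot: The widened import in repo_caches.py uses a backslash continuation, `from rhodecode.lib.auth import LoginRequired, HasRepoPermissionAnyDecorator, \`, whereas the same change in repo_strip.py in this diff uses the parenthesised form. PEP 8 prefers parentheses for line continuation, and keeping both files on one style makes future additions less error-prone: `from rhodecode.lib.auth import (LoginRequired, HasRepoPermissionAnyDecorator, CSRFRequired)`.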
@@ -80,6 +81,7 @@ class StripView(RepoAppView):
 
 @LoginRequired()
 @HasRepoPermissionAnyDecorator('repository.admin')
+ @CSRFRequired()
 @view_config(
 route_name='strip_execute', request_method='POST',
 renderer='json', xhr=True)
diff --git a/rhodecode/templates/admin/repos/repo_edit_strip.mako b/rhodecode/templates/admin/repos/repo_edit_strip.mako
--- a/rhodecode/templates/admin/repos/repo_edit_strip.mako
+++ b/rhodecode/templates/admin/repos/repo_edit_strip.mako
@@ -104,7 +104,9 @@ delOld = function(number){
 };
 
-var result_data;
+var resultData = {
+ 'csrf_token': CSRF_TOKEN
+};
 
 checkCommits = function() {
 var postData = $('form').serialize();
@@ -116,14 +118,16 @@ checkCommits = function() {
 
 btn.addClass('disabled');
 var success = function (data) {
- result_data = {};
+ resultData = {
+ 'csrf_token': CSRF_TOKEN
+ };
 var i = 0;
 var result = '
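Review bot: The `resultData` initialiser `{'csrf_token': CSRF_TOKEN}` is spelled out twice in repo_edit_strip.mako — once at the top-level declaration in this hunk and again inside the `success` callback of `checkCommits` in the following hunk — so the two literals can drift apart if another field is ever added. A small factory used in both places keeps one source of truth: `var newResultData = function() { return {'csrf_token': CSRF_TOKEN}; };` followed by `resultData = newResultData();`. `CSRF_TOKEN` is presumably a page-level global defined outside this template, which is worth confirming since the strip POST fails CSRF validation if it is undefined at script load.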
    '; $.each(data, function(index, value){ i= index; var box = $('#box-'+index); if (value.rev){ - result_data[index] = JSON.stringify(value); + resultData[index] = JSON.stringify(value); var verifiedHtml = ( '
  1. ' + @@ -185,7 +189,7 @@ strip = function() { $('#results').html(result); }; - ajaxPOST(url, result_data, success, null); + ajaxPOST(url, resultData, success, null); var btn = $('#strip_action'); btn.remove();