diff --git a/beego.go b/beego.go
index 66ebf6de..d4b1cacf 100644
--- a/beego.go
+++ b/beego.go
@@ -45,7 +45,8 @@ var (
 HttpServerTimeOut int64 //set httpserver timeout
 ErrorsShow bool //set weather show errors
 XSRFKEY string //set XSRF
- CopyRequestBody bool //When in raw application, You want to the reqeustbody
+ EnableXSRF bool
+ CopyRequestBody bool //When in raw application, You want to the reqeustbody
 )
 func init() {
diff --git a/config.go b/config.go
index af90bb87..bc6a6b2d 100644
--- a/config.go
+++ b/config.go
@@ -192,6 +192,9 @@ func ParseConfig() (err error) {
 if xsrfkey := AppConfig.String("xsrfkey"); xsrfkey != "" {
 XSRFKEY = xsrfkey
 }
+ if enablexsrf, err := AppConfig.Bool("enablexsrf"); err == nil {
+ EnableXSRF = enablexsrf
+ }
 }
 return nil
 }
diff --git a/controller.go b/controller.go
index a563a56b..53a5497c 100644
--- a/controller.go
+++ b/controller.go
@@ -352,7 +352,7 @@ func (c *Controller) XsrfToken() string {
 h := hmac.New(sha1.New, []byte(XSRFKEY))
 fmt.Fprintf(h, "%s:%d", c.Ctx.Request.RemoteAddr, time.Now().UnixNano())
 tok := fmt.Sprintf("%s:%d", h.Sum(nil), time.Now().UnixNano())
- token := base64.URLEncoding.EncodeToString([]byte(tok))
+ token = base64.URLEncoding.EncodeToString([]byte(tok))
 c.Ctx.SetCookie("_xsrf", token)
 }
 c._xsrf_token = token
@@ -362,7 +362,6 @@ func (c *Controller) XsrfToken() string {
 func (c *Controller) CheckXsrfCookie() bool {
 token := c.GetString("_xsrf")
-
 if token == "" {
 token = c.Ctx.Request.Header.Get("X-Xsrftoken")
 }
diff --git a/router.go b/router.go
index 67690a8a..d606e8e0 100644
--- a/router.go
+++ b/router.go
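Review bot: `EnableXSRF bool` is the only field in this var block without a trailing comment, so the opt-in nature of the new check is undocumented while every neighbouring field carries one. Because the zero value leaves the protection off, the comment should say so, e.g. `EnableXSRF bool //set whether the _xsrf cookie is issued and checked on state-changing requests; off unless enablexsrf is set in the config`. The re-added `CopyRequestBody` line also keeps the pre-existing "reqeustbody" typo, which this rewrite of the line was a chance to fix. The var block opens before this hunk.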
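Review bot: A malformed `enablexsrf` value is silently ignored: the `if enablexsrf, err := AppConfig.Bool("enablexsrf"); err == nil` initializer shadows the named return `err`, and on a parse error the branch is simply skipped, so `EnableXSRF` stays false with no signal to the operator. For a security switch that is the wrong failure mode — a typo in the config file turns the check off without any error. Mirror the `xsrfkey` read above but surface the failure: `if AppConfig.String("enablexsrf") != "" {` / `if EnableXSRF, err = AppConfig.Bool("enablexsrf"); err != nil { return err }` / `}`. ParseConfig's body starts before this hunk.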
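Review bot: `tok := fmt.Sprintf("%s:%d", h.Sum(nil), time.Now().UnixNano())` formats the raw HMAC digest with `%s`, so the intermediate string carries arbitrary bytes before base64 encoding, and `time.Now().UnixNano()` is sampled twice, so the timestamp fed into the MAC and the one appended after it differ. Neither breaks the double-submit scheme, but `%x` on the digest (or hex.EncodeToString) and a single `now := time.Now().UnixNano()` reused in both calls make the token's composition readable and reproducible when debugging mismatches. The cookie is set with `c.Ctx.SetCookie("_xsrf", token)` and no attributes are visible here; whether SetCookie applies path, expiry or Secure defaults cannot be told from this hunk. The enclosing `if` (cookie absent) and XsrfToken's signature lie outside the hunk.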
@@ -452,6 +452,17 @@ func (p *ControllerRegistor) ServeHTTP(rw http.ResponseWriter, r *http.Request)
 method := vc.MethodByName("Prepare")
 method.Call(in)
+ //if XSRF is Enable then check cookie where there has any cookie in the request's cookie _csrf
+ if EnableXSRF {
+ method = vc.MethodByName("XsrfToken")
+ method.Call(in)
+ if r.Method == "POST" || r.Method == "DELETE" || r.Method == "PUT" ||
+ (r.Method == "POST" && (r.Form.Get("_method") == "delete" || r.Form.Get("_method") == "put")) {
+ method = vc.MethodByName("CheckXsrfCookie")
+ method.Call(in)
+ }
+ }
+
 //if response has written,yes don't run next
 if !w.started {
 if r.Method == "GET" {
@@ -581,6 +592,16 @@ func (p *ControllerRegistor) ServeHTTP(rw http.ResponseWriter, r *http.Request)
 method.Call(in)
 method = vc.MethodByName(mName)
 method.Call(in)
+ //if XSRF is Enable then check cookie where there has any cookie in the request's cookie _csrf
+ if EnableXSRF {
+ method = vc.MethodByName("XsrfToken")
+ method.Call(in)
+ if r.Method == "POST" || r.Method == "DELETE" || r.Method == "PUT" ||
+ (r.Method == "POST" && (r.Form.Get("_method") == "delete" || r.Form.Get("_method") == "put")) {
+ method = vc.MethodByName("CheckXsrfCookie")
+ method.Call(in)
+ }
+ }
 if !w.started {
 if AutoRender {
 method = vc.MethodByName("Render")
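Review bot: The boolean returned by `CheckXsrfCookie` (declared `func (c *Controller) CheckXsrfCookie() bool` in controller.go) is discarded by the `method.Call(in)` that follows it, so unless that method itself writes a response and sets `w.started`, a request with a missing or mismatched token falls straight through to the `if !w.started` dispatch below and the action still runs; the identical block in the second hunk at -581 has the same gap. The method condition is also partly redundant — `(r.Method == "POST" && ...)` is already covered by the leading `r.Method == "POST"` — and omits PATCH. Check the result and stop before dispatch, emitting the denial response the router uses elsewhere (not visible in this diff) if CheckXsrfCookie does not write one itself. The comment names a `_csrf` cookie while the code reads `_xsrf`; it should name the actual cookie. ServeHTTP starts and ends outside both hunks.
```go
	//if XSRF is enabled, issue the _xsrf cookie and verify it on state-changing requests
	if EnableXSRF {
		method = vc.MethodByName("XsrfToken")
		method.Call(in)
		// plain POST already covers the _method=delete/put override
		if r.Method == "POST" || r.Method == "PUT" || r.Method == "DELETE" || r.Method == "PATCH" {
			method = vc.MethodByName("CheckXsrfCookie")
			out := method.Call(in)
			if len(out) == 1 && !out[0].Bool() {
				// token missing or mismatched: do not dispatch the action.
				// TODO(review): render the router's denial response here (403) if CheckXsrfCookie does not write one itself
				return
			}
		}
	}
	// … unchanged: if !w.started { … } dispatch …
```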