diff --git a/webui/index.php b/webui/index.php
index 2a1b794..fbf055b 100644
--- a/webui/index.php
+++ b/webui/index.php
@@ -74,6 +74,10 @@
 } else if(Registry::get('username')) {
+ // Check the Referer header which must be present after we are authenticated
+ if(!isset($_SERVER['HTTP_REFERER'])) die("missing HTTP_REFERER");
+ if(strpos($_SERVER['HTTP_REFERER'], SITE_URL) === false) die("invalid HTTP_REFERER");
+
 if(isset($request->get['route'])){
 $action = new Router($request->get['route']);
 }
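Review bot: The `strpos(..., SITE_URL) === false` test on the second added `if` accepts any Referer that merely contains SITE_URL somewhere in it, so a page on another origin whose path or query string embeds the site URL passes the check, and an unanchored prefix like `https://site.example` would also match `https://site.example.evil.example`. Compare the parsed origin instead, e.g. `$ref = parse_url($_SERVER['HTTP_REFERER']); $site = parse_url(SITE_URL);` followed by `if (($ref['scheme'] ?? null) !== ($site['scheme'] ?? null) || ($ref['host'] ?? null) !== ($site['host'] ?? null) || ($ref['port'] ?? null) !== ($site['port'] ?? null)) die("invalid HTTP_REFERER");`. Note too that the first `die()` rejects every authenticated user whose browser or privacy settings strip the Referer (a `Referrer-Policy: no-referrer` page, some extensions), and that the header is client-supplied, so this check is only defence in depth; a per-session CSRF token validated on state-changing routes is the control actually needed, and the comment on the first added line should say so rather than implying the header is always present. The enclosing `else if` block continues past the end of the hunk.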