diff --git a/api/add_comment.php b/api/add_comment.php
index bca3664..343fc52 100644
--- a/api/add_comment.php
+++ b/api/add_comment.php
@@ -30,6 +30,18 @@ try {
         throw new Exception("Authentication required");
     }
+    // CSRF Protection
+    require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
+    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+        $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
+        if (!CsrfMiddleware::validateToken($csrfToken)) {
+            http_response_code(403);
+            header('Content-Type: application/json');
+            echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
+            exit;
+        }
+    }
+
     $currentUser = $_SESSION['user'];
     $userId = $currentUser['user_id'];
diff --git a/api/bulk_operation.php b/api/bulk_operation.php
index 29857c8..8d06ce5 100644
--- a/api/bulk_operation.php
+++ b/api/bulk_operation.php
@@ -13,6 +13,17 @@ if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
     exit;
 }
+// CSRF Protection
+require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
+    if (!CsrfMiddleware::validateToken($csrfToken)) {
+        http_response_code(403);
+        echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
+        exit;
+    }
+}
+
 // Check admin status - bulk operations are admin-only
 $isAdmin = $_SESSION['user']['is_admin'] ?? false;
 if (!$isAdmin) {
diff --git a/api/update_ticket.php b/api/update_ticket.php
index 97d86bb..f369ba4 100644
--- a/api/update_ticket.php
+++ b/api/update_ticket.php
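Review bot: The token check is skipped for every method except POST — `if ($_SERVER['REQUEST_METHOD'] === 'POST')` lets a GET, PUT, PATCH or DELETE request reach `$currentUser = $_SESSION['user']` and whatever follows without any CSRF validation, unless the script rejects other methods somewhere outside this hunk. Failing closed is safer: reject the method first and then validate unconditionally, e.g. `if ($_SERVER['REQUEST_METHOD'] !== 'POST') { http_response_code(405); exit; }` followed by the existing `validateToken` check with no method gate around it. The same gate appears in the bulk_operation.php hunk and, widened to POST/PUT, in the update_ticket.php hunk. The enclosing try block starts and ends outside this hunk.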
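Review bot: The 403 branch here echoes JSON without `header('Content-Type: application/json')`, unlike the guards added to add_comment.php and update_ticket.php in the same commit; unless the header is set earlier in this file (not visible in the hunk), a client gets the error body with a non-JSON content type from this endpoint only. Adding `header('Content-Type: application/json');` directly before the `echo json_encode(...)` line keeps the three guards uniform. Running the token check ahead of the admin gate is the right order, since a forged request is rejected before any privilege logic executes.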
@@ -59,6 +59,19 @@ try {
     if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
         throw new Exception("Authentication required");
     }
+
+    // CSRF Protection
+    require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
+    if ($_SERVER['REQUEST_METHOD'] === 'POST' || $_SERVER['REQUEST_METHOD'] === 'PUT') {
+        $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
+        if (!CsrfMiddleware::validateToken($csrfToken)) {
+            http_response_code(403);
+            header('Content-Type: application/json');
+            echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
+            exit;
+        }
+    }
+
     $currentUser = $_SESSION['user'];
     $userId = $currentUser['user_id'];
     $isAdmin = $currentUser['is_admin'] ?? false;
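Review bot: This is the third hand-copied instance of the same token guard in one commit (add_comment.php and bulk_operation.php carry the others), and the copies already differ in the accepted method list and in whether the Content-Type header is sent, which is how such guards drift apart over time. A single helper on CsrfMiddleware that reads `HTTP_X_CSRF_TOKEN`, calls `validateToken` and emits the 403 JSON response would reduce each endpoint to one call (for example a `requireValidToken()` method — name is a suggestion, not an existing API) and keep method handling and the response shape in one place. Within this try block the authentication failure just above throws and is presumably rendered by the catch further down, while the CSRF failure echoes and exits directly; routing both through the same path would make the endpoint's error responses uniform. The enclosing try block starts and ends outside this hunk.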