diff --git a/app/controllers/HomeController.php b/app/controllers/HomeController.php
index fc58fe2..f6e483b 100644
--- a/app/controllers/HomeController.php
+++ b/app/controllers/HomeController.php
@@ -41,7 +41,20 @@ class HomeController extends Controller
             $formData = ['fname' => '', 'lname' => '', 'email' => '', 'phone' => '', 'interest' => 'Besichtigung anfragen', 'message' => ''];
         }
 
+        // CSRF-Token generieren (nach Session-Start)
+        if (empty($_SESSION['csrf_token'])) {
+            $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
+        }
+
         if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+            // CSRF-Token validieren
+            $csrfToken = $_POST['csrf_token'] ?? '';
+            if (!hash_equals($_SESSION['csrf_token'] ?? '', $csrfToken)) {
+                header('Location: /#form-result');
+                $_SESSION['form_errors'] = ['Sicherheitsüberprüfung fehlgeschlagen. Bitte versuchen Sie es erneut.'];
+                exit;
+            }
+
             $formData['fname']    = $normalizeContactValue((string) ($_POST['fname'] ?? ''));
             $formData['lname']    = $normalizeContactValue((string) ($_POST['lname'] ?? ''));
             $formData['email']    = $normalizeContactValue((string) ($_POST['email'] ?? ''));
diff --git a/app/views/home/index.php b/app/views/home/index.php
index 6358e9f..75ddf93 100644
--- a/app/views/home/index.php
+++ b/app/views/home/index.php
@@ -434,6 +434,7 @@
           </div>
 <?php endif; ?>
           <form id="contactForm" method="post">
+            <input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token'] ?? '') ?>" />
             <div class="form-row">
               <div class="form-field">
                 <label for="fname">Vorname</label>