diff --git a/admin_menu.inc b/admin_menu.inc
index 31cbab1..8152584 100644
--- a/admin_menu.inc
+++ b/admin_menu.inc
@@ -464,6 +464,10 @@ function _admin_menu_devel_settings_form_alter(&$form, $form_state) {
 * on larger Drupal sites this is actually a 10% performance increase.
 */
 function admin_menu_toggle_modules() {
+ // URL token prtects this against CSRF attacks.
+ if(!isset($_GET['token']) || ($_GET['token'] !== drupal_get_token($_GET['q']))) {
+ return MENU_ACCESS_DENIED;
+ }
 $rebuild = FALSE;
 $saved_state = variable_get('admin_menu_devel_modules_enabled', NULL);
 if (isset($saved_state)) {
@@ -511,6 +515,10 @@ function admin_menu_toggle_modules() {
 * (optional) Name of cache to flush.
 */
 function admin_menu_flush_cache($name = NULL) {
+ // URL token protects this against CSRF attacks.
+ if(!isset($_GET['token']) || ($_GET['token'] !== drupal_get_token($_GET['q']))) {
+ return MENU_ACCESS_DENIED;
+ }
 switch ($name) {
 case 'admin_menu':
 admin_menu_wipe();
diff --git a/admin_menu.module b/admin_menu.module
index e7d87b8..d1ab299 100644
--- a/admin_menu.module
+++ b/admin_menu.module
@@ -290,9 +290,11 @@ function admin_menu_translated_menu_link_alter(&$item, $map) {
 // Fix destination query strings
 if (isset($item['localized_options']['query'])) {
 if ($item['localized_options']['query'] == 'destination') {
- $item['localized_options']['query'] = drupal_get_destination();
+ // URL token protects the link against CSRF attacks.
+ $item['localized_options']['query'] = drupal_get_destination() . '&token=' . drupal_get_token($item['link_path']);
 }
 }
+
 if ($extra = variable_get('admin_menu_display', 0)) {
 $item['title'] .= ' '. $extra[0] .': '. $item[$extra];
 }
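Review bot: The CSRF guard opening admin_menu_toggle_modules() is repeated byte-for-byte in admin_menu_flush_cache() in the second hunk; a single helper such as `function _admin_menu_valid_token() { return isset($_GET['token']) && $_GET['token'] === drupal_get_token($_GET['q']); }` called as `if (!_admin_menu_valid_token()) { return MENU_ACCESS_DENIED; }` would keep the two in step and give one place to document that the token is bound to the requested path. Keep the strict comparison as written: it avoids PHP's loose numeric-string juggling on hex digests, which the loose `==` inside this Drupal generation's drupal_valid_token() does not. The value verified here (`$_GET['q']`) must be exactly the string the link was generated from in admin_menu.module (`$item['link_path']`), which holds for literal link paths but not for router paths containing placeholders, so that assumption deserves a comment next to the check. Minor: `if(` needs a space before the parenthesis per Drupal coding standards, and the first hunk's comment reads `prtects` for `protects`. Both function bodies continue past their hunks.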
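Review bot: The token on the new assignment line is derived from `$item['link_path']`, while the page callbacks in admin_menu.inc verify it against `$_GET['q']`; the two agree only when the link path is the literal router path the request resolves to, so a comment pinning that contract would help: `// Must match the value checked in admin_menu.inc: drupal_get_token($_GET['q']).` Because drupal_get_token() is bound to the current session, a link carrying it is valid only for the session that rendered it; if the rendered menu is cached (not visible in this hunk), the cache would need to be keyed per session and dropped on session regeneration, or the flush links would start returning MENU_ACCESS_DENIED after re-login. The enclosing function admin_menu_translated_menu_link_alter() starts before this hunk and continues after it.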