diff --git a/services/web/test/acceptance/coffee/RegistrationTests.coffee b/services/web/test/acceptance/coffee/RegistrationTests.coffee
index 20ea0a31b1..313722a71b 100644
--- a/services/web/test/acceptance/coffee/RegistrationTests.coffee
+++ b/services/web/test/acceptance/coffee/RegistrationTests.coffee
@@ -69,6 +69,65 @@ describe "LoginRateLimit", ->
 			)
 
 
+describe "CSRF protection", ->
+
+	beforeEach ->
+		@user = new User()
+		@email = "test+#{Math.random()}@example.com"
+		@password = "password11"
+
+	afterEach ->
+		@user.full_delete_user(@email)
+		
+
+	it 'should register with the csrf token', (done) ->
+		@user.request.get '/login', (err, res, body) =>
+			@user.getCsrfToken (error) =>
+				@user.request.post {
+					url: "/register"
+					json:
+						email: @email
+						password: @password
+					headers:{
+						"x-csrf-token": @user.csrfToken
+					}
+				}, (error, response, body) =>
+					expect(err?).to.equal false
+					expect(response.statusCode).to.equal 200
+					done()
+
+	it 'should fail with no csrf token', (done) ->
+		@user.request.get '/login', (err, res, body) =>
+			@user.getCsrfToken (error) =>
+				@user.request.post {
+					url: "/register"
+					json:
+						email: @email
+						password: @password
+					headers:{
+						"x-csrf-token": ""
+					}
+				}, (error, response, body) =>
+					expect(response.statusCode).to.equal 403
+					done()
+
+	it 'should fail with a stale csrf token', (done) ->
+		@user.request.get '/login', (err, res, body) =>
+			@user.getCsrfToken (error) =>
+				oldCsrfToken = @user.csrfToken
+				@user.request.get '/logout', (err, res, body) =>
+					@user.request.post {
+						url: "/register"
+						json:
+							email: @email
+							password: @password
+						headers:{
+							"x-csrf-token": oldCsrfToken
+						}
+					}, (error, response, body) =>
+						expect(response.statusCode).to.equal 403
+						done()
+
 describe "LoginViaRegistration", ->
 
 	before (done) ->
diff --git a/services/web/test/acceptance/coffee/helpers/User.coffee b/services/web/test/acceptance/coffee/helpers/User.coffee
index da03cb9917..daedb996ef 100644
--- a/services/web/test/acceptance/coffee/helpers/User.coffee
+++ b/services/web/test/acceptance/coffee/helpers/User.coffee
@@ -51,6 +51,17 @@ class User
 	ensure_admin: (callback = (error) ->) ->
 		db.users.update {_id: ObjectId(@id)}, { $set: { isAdmin: true }}, callback
 
+
+	full_delete_user: (email, callback = (error) ->) ->
+		db.users.findOne {email: email}, (error, user) =>
+			if !user?
+				return callback()
+			user_id = user._id
+			db.projects.remove owner_ref:ObjectId(user_id), {multi:true}, (err)->
+				if err? 
+					callback(err)
+				db.users.remove {_id: ObjectId(user_id)}, callback
+
 	createProject: (name, callback = (error, project_id) ->) ->
 		@request.post {
 			url: "/project/new",
@@ -104,9 +115,10 @@ class User
 			csrfMatches = body.match("window.csrfToken = \"(.*?)\";")
 			if !csrfMatches?
 				return callback(new Error("no csrf token found"))
+			@csrfToken = csrfMatches[1]
 			@request = @request.defaults({
 				headers:
-					"x-csrf-token": csrfMatches[1]
+					"x-csrf-token": @csrfToken
 			})
 			callback()