Index: lams_central/conf/security/Owasp.CsrfGuard.properties
===================================================================
diff -u -r5e32d730e8eec97f1e9b88ee9240cd79e9ec8d9e -re2231bbf9bfe3cc5543908b808bbc60fe914a258
--- lams_central/conf/security/Owasp.CsrfGuard.properties	(.../Owasp.CsrfGuard.properties)	(revision 5e32d730e8eec97f1e9b88ee9240cd79e9ec8d9e)
+++ lams_central/conf/security/Owasp.CsrfGuard.properties	(.../Owasp.CsrfGuard.properties)	(revision e2231bbf9bfe3cc5543908b808bbc60fe914a258)
@@ -171,6 +171,8 @@
 
 org.owasp.csrfguard.protected.scratchieAuthoringSave=/lams/tool/lascrt11/authoring/update.do
 org.owasp.csrfguard.protected.scratchieAuthoringDefineLater=/lams/tool/lascrt11/authoring/definelater.do
+org.owasp.csrfguard.protected.scratchieAuthoringSaveItem=/lams/tool/lascrt11/authoring/saveItem.do
+org.owasp.csrfguard.protected.scratchieAuthoringRemoveItem=/lams/tool/lascrt11/authoring/removeItem.do
 org.owasp.csrfguard.protected.scratchieMonitoringSubmissionDeadline=/lams/tool/lascrt11/monitoring/setSubmissionDeadline.do
 org.owasp.csrfguard.protected.scratchieSaveUserMark=/lams/tool/lascrt11/monitoring/saveUserMark.do
 
Index: lams_tool_scratchie/src/java/org/lamsfoundation/lams/tool/scratchie/web/controller/AuthoringController.java
===================================================================
diff -u -r845b503553ad948cb5db7b89950f7c5251ada5d7 -re2231bbf9bfe3cc5543908b808bbc60fe914a258
--- lams_tool_scratchie/src/java/org/lamsfoundation/lams/tool/scratchie/web/controller/AuthoringController.java	(.../AuthoringController.java)	(revision 845b503553ad948cb5db7b89950f7c5251ada5d7)
+++ lams_tool_scratchie/src/java/org/lamsfoundation/lams/tool/scratchie/web/controller/AuthoringController.java	(.../AuthoringController.java)	(revision e2231bbf9bfe3cc5543908b808bbc60fe914a258)
@@ -580,7 +580,7 @@
      * @param response
      * @return
      */
-    @RequestMapping("/removeItem")
+    @RequestMapping(path = "/removeItem", method = RequestMethod.POST)
     private String removeItem(HttpServletRequest request) {
 
 	String sessionMapID = WebUtil.readStrParam(request, ScratchieConstants.ATTR_SESSION_MAP_ID);
Index: lams_tool_scratchie/web/pages/authoring/basic.jsp
===================================================================
diff -u -r60b108064c4a844e3f153a849ab51a14bc3a8488 -re2231bbf9bfe3cc5543908b808bbc60fe914a258
--- lams_tool_scratchie/web/pages/authoring/basic.jsp	(.../basic.jsp)	(revision 60b108064c4a844e3f153a849ab51a14bc3a8488)
+++ lams_tool_scratchie/web/pages/authoring/basic.jsp	(.../basic.jsp)	(revision e2231bbf9bfe3cc5543908b808bbc60fe914a258)
@@ -13,7 +13,7 @@
 		var	deletionConfirmed = confirm("<fmt:message key="warning.msg.authoring.do.you.want.to.delete"></fmt:message>");
 		
 		if (deletionConfirmed) {
-			var url = "<c:url value="/authoring/removeItem.do"/>";
+			var url = "<c:url value="/authoring/removeItem.do"/>?<csrf:token/>";
 			$(itemTargetDiv).load(
 				url,
 				{
@@ -122,4 +122,4 @@
 </div>
 
 <!-- For exporting QTI packages -->
-<iframe id="downloadFileDummyIframe" style="display: none;"></iframe>
\ No newline at end of file
+<iframe id="downloadFileDummyIframe" style="display: none;"></iframe>
Index: lams_tool_scratchie/web/pages/authoring/parts/additem.jsp
===================================================================
diff -u -r890305c632aa5ff57b2d4c567ba5278d073071fe -re2231bbf9bfe3cc5543908b808bbc60fe914a258
--- lams_tool_scratchie/web/pages/authoring/parts/additem.jsp	(.../additem.jsp)	(revision 890305c632aa5ff57b2d4c567ba5278d073071fe)
+++ lams_tool_scratchie/web/pages/authoring/parts/additem.jsp	(.../additem.jsp)	(revision e2231bbf9bfe3cc5543908b808bbc60fe914a258)
@@ -221,6 +221,7 @@
 			<lams:errors/>
 			
 			<form:form action="/lams/tool/lascrt11/authoring/saveItem.do" method="post" modelAttribute="scratchieItemForm" id="scratchieItemForm">
+				<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 				<form:hidden path="sessionMapID" />
 				<input type="hidden" name="answerList" id="answerList" />
 				<form:hidden path="itemIndex" />