diff --git a/README.rst b/README.rst index e85820f..e28a3df 100644 --- a/README.rst +++ b/README.rst @@ -174,6 +174,8 @@ For information about how to generate the correct keys please refer to the Other settings that might be interesting: +* ``SECRET_KEY``: Refer to `Flask documentation`_, section sessions: How to + generate good secret keys, to set the value. * ``PUPPETDB_TIMEOUT``: Defaults to 20 seconds but you might need to increase this value. It depends on how big the results are when querying PuppetDB. This behaviour will change in a future release when pagination will be @@ -188,6 +190,7 @@ Other settings that might be interesting: a set of endpoints in PuppetDB. Change this to ``False`` to disable this. .. _pypuppetdb documentation: http://pypuppetdb.readthedocs.org/en/v0.1.0/quickstart.html#ssl +.. _Flask documentation: http://flask.pocoo.org/docs/0.10/quickstart/#sessions Puppet Enterprise ----------------- diff --git a/puppetboard/app.py b/puppetboard/app.py index 6579b1d..31f98a8 100644 --- a/puppetboard/app.py +++ b/puppetboard/app.py @@ -1,7 +1,6 @@ from __future__ import unicode_literals from __future__ import absolute_import -import os import logging import collections try: @@ -15,6 +14,7 @@ from flask import ( Response, stream_with_context, redirect, request ) +from flask_wtf.csrf import CsrfProtect from pypuppetdb import connect @@ -26,11 +26,13 @@ from puppetboard.utils import ( app = Flask(__name__) +CsrfProtect(app) + app.config.from_object('puppetboard.default_settings') graph_facts = app.config['GRAPH_FACTS'] app.config.from_envvar('PUPPETBOARD_SETTINGS', silent=True) graph_facts += app.config['GRAPH_FACTS'] -app.secret_key = os.urandom(24) +app.secret_key = app.config['SECRET_KEY'] app.jinja_env.filters['jsonprint'] = jsonprint diff --git a/puppetboard/default_settings.py b/puppetboard/default_settings.py index d74ac3f..d4bd3eb 100644 --- a/puppetboard/default_settings.py +++ b/puppetboard/default_settings.py 
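Review bot: In puppetboard/app.py, `CsrfProtect(app)` runs before `app.config.from_object(...)` and `app.config.from_envvar(...)`, so the extension is initialised before the project settings are loaded. Whether `WTF_CSRF_*` values set through `PUPPETBOARD_SETTINGS` are honoured then depends on Flask-WTF reading them at request time rather than at init, which is not verifiable from this hunk. Moving the call below the two config loads and keeping the handle, `csrf = CsrfProtect(app)`, removes that dependency and leaves a name for exemptions or an error handler later. Separately, `app.secret_key = app.config['SECRET_KEY']` looks redundant, because Flask's `secret_key` attribute is backed by `config['SECRET_KEY']` and loading the settings already sets it. The module-level block continues outside the hunk.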
@@ -1,9 +1,12 @@
+import os
+
 PUPPETDB_HOST = 'localhost'
 PUPPETDB_PORT = 8080
 PUPPETDB_SSL_VERIFY = True
 PUPPETDB_KEY = None
 PUPPETDB_CERT = None
 PUPPETDB_TIMEOUT = 20
+SECRET_KEY = os.urandom(24)
 DEV_LISTEN_HOST = '127.0.0.1'
 DEV_LISTEN_PORT = 5000
 DEV_COFFEE_LOCATION = 'coffee'
diff --git a/puppetboard/templates/query.html b/puppetboard/templates/query.html
index 10089e5..4610779 100644
--- a/puppetboard/templates/query.html
+++ b/puppetboard/templates/query.html
@@ -4,29 +4,28 @@ {% with messages = get_flashed_messages(with_categories=true) %} {% if messages %} {% for category, message in messages %} -
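Review bot: In puppetboard/default_settings.py, `SECRET_KEY = os.urandom(24)` is evaluated once per process at import, so a deployment that runs several worker processes without overriding the setting gets a different signing key in each worker, and a new one on every restart. A session cookie or CSRF token issued by one worker will then fail validation in another, which will look like intermittent rejected form posts. The random fallback is still preferable to a fixed default, but the constraint should be stated next to it, e.g. `# Per-process random fallback; set a fixed SECRET_KEY in PUPPETBOARD_SETTINGS when running more than one worker.` The README entry added in this commit could carry the same sentence.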