diff --git a/lib/Controller/OtherController.php b/lib/Controller/OtherController.php index d7ab42ac..69df376b 100644 --- a/lib/Controller/OtherController.php +++ b/lib/Controller/OtherController.php @@ -107,12 +107,15 @@ class OtherController extends GenericApiController * @AdminRequired * * @NoCSRFRequired + * + * @UseSession */ public function getSystemStatus(): Http\Response { return Util::guardEx(function () { $config = \OC::$server->get(\OCP\IConfig::class); $index = \OC::$server->get(\OCA\Memories\Service\Index::class); + $session = \OC::$server->get(\OCP\ISession::class); // Build status array $status = []; @@ -184,15 +187,27 @@ class OtherController extends GenericApiController $status['vaapi_dev'] = 'ok'; } + // Action token + $status['action_token'] = $this->actionToken(true); + return new JSONResponse($status, Http::STATUS_OK); }); } /** * @AdminRequired + * + * @UseSession */ - public function placesSetup(): Http\Response + public function placesSetup(?string $actiontoken): Http\Response { + if (!$actiontoken || $this->actionToken() !== $actiontoken) { + return new JSONResponse(['error' => 'Invalid action token. Refresh the memories admin page.'], Http::STATUS_BAD_REQUEST); + } + + // Reset action token + $this->actionToken(true); + try { // Set PHP timeout to infinite set_time_limit(0); @@ -248,4 +263,17 @@ class OtherController extends GenericApiController return 'ok'; } + + private function actionToken(bool $set = false): string + { + $session = \OC::$server->get(\OCP\ISession::class); + if (!$set) { + return $session->get('memories_action_token'); + } + + $token = bin2hex(random_bytes(32)); + $session->set('memories_action_token', $token); + + return $token ?? ''; + } } diff --git a/src/Admin.vue b/src/Admin.vue index 7e60058f..c8e4ea77 100644 --- a/src/Admin.vue +++ b/src/Admin.vue @@ -248,6 +248,7 @@ target="_blank" > + {{ t("memories", "Download planet database") }} 
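Review bot: The `$session` local added right after the `$index` lookup in getSystemStatus() is never referenced by any line in the hunk; the token is produced by `$this->actionToken(true)`, which resolves its own ISession, so unless the remainder of the closure uses `$session` the assignment is dead and should be dropped. getSystemStatus's body continues past the end of this hunk, so that remainder is not visible here.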
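Review bot: The guard at the top of placesSetup() compares the session-held token with the request value using `!==`, a short-circuiting byte comparison; since the token is a secret that gates an admin-only action, the comparison should be constant-time: `if (!$actiontoken || !hash_equals($this->actionToken(), $actiontoken)) {`. The ordering is otherwise right — the guard runs before `$this->actionToken(true)` rotates the token, so a rejected request leaves the stored token untouched. placesSetup's `try` block continues outside the hunk.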
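Review bot: actionToken() declares a `string` return type but, on the `!$set` path, returns `$session->get('memories_action_token')` unchanged; when no token has been stored yet the session lookup presumably yields null, and PHP does not coerce null to a scalar return type, so a placesSetup() request that carries a token before getSystemStatus() has issued one would end in a TypeError (HTTP 500) rather than the intended 400. Returning `$session->get('memories_action_token') ?? ''` closes that gap, and the `?? ''` on the final `return $token ?? '';` is dead since bin2hex() always returns a string and can be dropped. Resolving ISession from the global `\OC::$server` container inside a private helper also sidesteps the controller's constructor injection; if the constructor (outside this hunk) already takes dependencies, ISession belongs there with the other services.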
@@ -584,6 +585,8 @@ type IStatus = {
   ffprobe: BinaryStatus;
   govod: BinaryStatus;
   vaapi_dev: "ok" | "not_found" | "not_readable";
+
+  action_token: string;
 };
 
 export default defineComponent({
@@ -775,6 +778,10 @@ export default defineComponent({
       return (axios.defaults.headers).requesttoken;
     },
 
+    actionToken() {
+      return this.status?.action_token || "";
+    },
+
     gisStatus() {
       if (typeof this.status.gis_type !== "number") {
         return this.status.gis_type;