diff --git a/src/Form/UiForm.php b/src/Form/UiForm.php index ec817b8..afaf2a9 100644 --- a/src/Form/UiForm.php +++ b/src/Form/UiForm.php @@ -2,9 +2,9 @@ namespace Picea\Ui\Form; -use Picea\Ui\Common\UiElement; -use Picea\Extension\Extension; -use Picea\Extension\ExtensionTrait; +use Picea\Ui\Common\UiElement, + Picea\Extension\Extension, + Picea\Extension\ExtensionTrait; class UiForm extends UiElement implements Extension { use ExtensionTrait; @@ -23,7 +23,7 @@ class UiForm extends UiElement implements Extension { { switch($token) { case 'ui.endform': - return ""; + return ( new UiHidden() )->attributes([ 'name' =>"picea-csrf-protection", 'value' => "abcdefg" ])->render() . ""; case "ui.form.get": $method = "get"; @@ -50,10 +50,12 @@ class UiForm extends UiElement implements Extension { return "buildHtml('$method', $arguments) ?>"; } + public function buildHtml(string $method, string $action, array $attributes = []) : string { $this->option('tag-type', 'single'); - $this->attributes([ 'action' => $action ] + $attributes); + $this->attributes([ 'method' => $method, 'action' => $action ] + $attributes); + return $this->render() . PHP_EOL; } -} +} \ No newline at end of file diff --git a/src/Method/Form.php b/src/Method/Form.php new file mode 100644 index 0000000..bec4435 --- /dev/null +++ b/src/Method/Form.php 
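Review bot: The comma-grouped `use Picea\Ui\Common\UiElement, Picea\Extension\Extension, Picea\Extension\ExtensionTrait;` replaces three single-import statements, and PER-CS/PSR-12 require one import per `use` statement (PHP-CS-Fixer's `single_import_per_statement` would revert this). Keeping the three original lines, one class per `use`, is the conventional form and diffs more cleanly when imports change later.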
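Review bot: The hidden `picea-csrf-protection` field emitted in the `ui.endform` case carries the constant `'value' => "abcdefg"`, so a constant that is identical for every user and every request gives no cross-site request protection; the value has to be an unpredictable per-session secret, e.g. `'value' => bin2hex(random_bytes(32))`, that is also stored server-side so the receiving side can compare it with `hash_equals()`. The new `Form::form_csrf(string $field, string $value)` in this commit already persists a caller-supplied value into the session, so the generation presumably belongs at the point that calls it rather than as a literal in this template, and the field name should probably be a class constant shared by both sides. The trailing `. ""` reads as if it was meant to append the closing form tag; if the literal is really empty, the form is never closed. This case sits inside a `switch` whose enclosing method starts before the hunk.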
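Review bot: The new `buildHtml()` signature writes the return type as `) : string` and the file now ends with `\ No newline at end of file`; PSR-12 spells it `): string` with no space before the colon and requires a trailing newline, so `public function buildHtml(string $method, string $action, array $attributes = []): string` plus a final newline would satisfy the usual fixers. The method also has no docblock; a one-liner such as `/** Renders the opening form tag with method/action merged over $attributes; the matching close is emitted by the 'ui.endform' token. */` would record why `tag-type` is set to `single` here, assuming that is what `single` means in UiElement (not visible in this diff). Placing the explicit `'method'`/`'action'` pair on the left of `+` means caller attributes cannot override them, which looks intentional and is worth stating in that docblock.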
@@ -0,0 +1,72 @@ +register($context); + } + + public function parse(/*\Picae\Compiler\Context*/ &$context, ?string $arguments, string $token) : string { } + + public function register(Context $context) : void + { + $context->pushFunction("form", [ $this, 'formClass' ]); + } + + public function form_csrf(string $field, string $value) { + $values = $this->session("View.form.csrf.$field") ?: []; + + # keeps 20 (from config) latest CSRF key for this form into session, + # allowing more than one tab opened and preventing information loss + if ( count($values) >= 20 ) { + #array_shift($values); + } + + $values[] = $value; + + $this->session("View.form.csrf.$field", $values); + + return $value; + } + + public function formClass(ServerRequestInterface $request) { + return new class($request) { + + public bool $sent = false; + + protected ServerRequestInterface $request; + + public function __construct(ServerRequestInterface $request) + { + $this->request = $request; + $this->sent = $this->requestSent(); + } + + protected function requestSent() : bool + { + return in_array($this->request->getMethod(), [ + "DELETE", "PATCH", "POST", "PUT", + ]); + } + + protected function honeyPot() : bool + { + $this->request->getServerParams(); + } + }; + } +}
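Review bot: `form_csrf()` never evicts old tokens because the `array_shift($values)` under the `count($values) >= 20` guard is commented out, so the per-field list stored at `View.form.csrf.$field` grows by one entry on every render and the "keeps 20 latest" comment does not hold; `if (count($values) >= 20) { array_shift($values); }` restores the cap, and the `20` should be read from the config the comment refers to rather than inlined. Two new methods declare a return type but return nothing — `parse(...) : string { }` and `honeyPot() : bool`, whose body only evaluates `$this->request->getServerParams()` — which raises a `TypeError` the first time either is called, so `parse` needs at least `return '';` and `honeyPot` needs its check completed before the anonymous class is used. `requestSent()` should pass `strict: true` to `in_array`, and the commented hint `/*\Picae\Compiler\Context*/` misspells the vendor namespace used elsewhere (`Picea`). The hunk header announces 72 added lines but the text shown begins mid-statement at `+register($context);`, so the file header, namespace, constructor and any code that verifies the stored token against an incoming request are outside what is visible here.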