diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php
index fd2afa56fd1..e78d9e48508 100644
--- a/htdocs/filefunc.inc.php
+++ b/htdocs/filefunc.inc.php
@@ -151,13 +151,23 @@ if (empty($dolibarr_strict_mode)) $dolibarr_strict_mode=0; // For debug in php s
 // Note about $_SERVER[HTTP_HOST/SERVER_NAME]: http://shiflett.org/blog/2006/mar/server-name-versus-http-host
 if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck))
 {
-    if (! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST'])
-    && (empty($_SERVER['HTTP_REFERER']) || ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER'])))
+	if (! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST']))
     {
-    	//print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
-    	print "Access refused by CSRF protection in main.inc.php. Referer of form is outside server that serve the POST.\n";
-        print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n";
-    	die;
+    	$csrfattack=false;
+    	if (empty($_SERVER['HTTP_REFERER'])) $csrfattack=true;	// An evil browser was used
+    	else
+    	{
+    		$tmpa=parse_url($_SERVER['HTTP_HOST']);
+    		$tmpb=parse_url($_SERVER['HTTP_REFERER']);
+    		if ($tmpa['host'] != $tmpb['host']) $csrfattack=true;
+    	}
+    	if ($csrfattack)
+    	{
+    		//print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
+    		print "Access refused by CSRF protection in main.inc.php. Referer of form is outside server that serve the POST.\n";
+        	print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n";
+    		die;
+    	}
     }
     // Another test is done later on token if option MAIN_SECURITY_CSRF_WITH_TOKEN is on.
 }
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 2439a9fd6e0..d6705b7832b 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -332,7 +332,8 @@ if (! defined('NOTOKENRENEWAL'))
 	$token = dol_hash(uniqid(mt_rand(),TRUE)); // Generates a hash of a random number
 	$_SESSION['newtoken'] = $token;
 }
-if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN))	// Check validity of token, only if option enabled (this option breaks some features sometimes)
+if ((! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN))
+	|| defined('CSRFCHECK_WITH_TOKEN'))	// Check validity of token, only if option MAIN_SECURITY_CSRF_WITH_TOKEN enabled or if constant CSRFCHECK_WITH_TOKEN is set
 {
 	if ($_SERVER['REQUEST_METHOD'] == 'POST' && ! GETPOST('token','alpha')) // Note, offender can still send request by GET
 	{