diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 782f75b0190..63d1bcc6448 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -536,7 +536,7 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
 }
 // Check a token is provided for all cases that need a mandatory token
-// (all POST actions + all login, actions and mass actions on pages with CSRFCHECK_WITH_TOKEN set + all sensitive GET actions)
+// (all POST actions + all sensitive GET actions + all mass actions + all login/actions/logout on pages with CSRFCHECK_WITH_TOKEN set)
 if (
 $_SERVER['REQUEST_METHOD'] == 'POST' ||
 $sensitiveget ||
@@ -1458,6 +1458,7 @@ function top_httphead($contenttype = 'text/html', $forcenocache = 0)
 if ($forcenocache) {
 header("Cache-Control: no-cache, no-store, must-revalidate, max-age=0");
 }
+header("anti-csrf-token: ".newToken());
 }
 /**
diff --git a/htdocs/user/logout.php b/htdocs/user/logout.php
index 57a653a01d1..661995bb729 100644
--- a/htdocs/user/logout.php
+++ b/htdocs/user/logout.php
@@ -33,6 +33,11 @@ if (!defined('NOREQUIREHTML')) {
 if (!defined('NOREQUIREAJAX')) {
 define('NOREQUIREAJAX', '1');
 }
+/* We do now force CSRF check so we can logout using logout.php page (required for DoliDroid for example)
+if (!defined('CSRFCHECK_WITH_TOKEN')) {
+define('CSRFCHECK_WITH_TOKEN', '1');
+}
+*/
 //if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1'); // We need company to get correct logo onto home page
 if (!defined('EVEN_IF_ONLY_LOGIN_ALLOWED')) {
 define('EVEN_IF_ONLY_LOGIN_ALLOWED', '1');
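Review bot: The new `header("anti-csrf-token: ".newToken());` in top_httphead() is emitted unconditionally, while the `Cache-Control: no-cache, no-store, ...` line just above it is only sent when `$forcenocache` is set, so a session-bound token can be written into any response that an intermediate or shared cache is allowed to store. If the token has to be exposed this way, pair it with a non-cacheable directive on the same path, e.g. `header("Cache-Control: private, no-store");` next to it, or emit it only inside the `$forcenocache` branch. It is also sent for every content type top_httphead() serves rather than only to the clients that will submit it back (the logout.php hunk mentions DoliDroid), so gating it with a parameter or a constant would limit where the secret travels. Whether newToken() returns the session's current token or mints a fresh one per call is not visible in the hunk; if it mints one per response, concurrent requests could invalidate each other's token, which is worth confirming. The opening of top_httphead() lies outside the hunk.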
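Review bot: The added block in logout.php sits entirely inside `/* ... */`, so `CSRFCHECK_WITH_TOKEN` is not defined by this page, yet its first line says "We do now force CSRF check", which reads as the opposite of what the code does (and the main.inc.php comment rewritten in the first hunk lists logout among the actions protected only on pages that set that constant). If the intent is to keep logout.php callable without a token so clients such as DoliDroid can log out with a plain request, drop the dead code and record the decision in one live comment, e.g. `// CSRFCHECK_WITH_TOKEN is deliberately not defined here: logout.php must stay callable without a token (DoliDroid).`; if the intent is to enforce it, uncomment the `define`. A reader should be able to tell from this file whether a GET to logout.php without a token is accepted, because that decides whether a third-party page can end a user's session. Whether the constant is defined earlier in the file or by an including script is not visible in the hunk.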