diff --git a/pom.xml b/pom.xml
index 48c007a..c96f2f9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -27,6 +27,10 @@ org.springframework.boot spring-boot-starter-web + + org.springframework.boot + spring-boot-starter-security + org.springframework.boot spring-boot-devtools
diff --git a/src/main/java/com/openbankproject/oauth2/WebSecurityConfiguration.java b/src/main/java/com/openbankproject/oauth2/WebSecurityConfiguration.java
new file mode 100644
index 0000000..dc84c46
--- /dev/null
+++ b/src/main/java/com/openbankproject/oauth2/WebSecurityConfiguration.java
@@ -0,0 +1,18 @@
+package com.openbankproject.oauth2;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+
+@Configuration
+public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ http.csrf().csrfTokenRepository(new CookieCsrfTokenRepository().withHttpOnlyFalse())
+ .requireCsrfProtectionMatcher(
+ httpServletRequest -> !httpServletRequest.getMethod().equalsIgnoreCase("GET")
+ )
+ .and().authorizeRequests().anyRequest().permitAll();
+ }
+}
diff --git a/src/main/java/com/openbankproject/oauth2/controller/ConsentController.java b/src/main/java/com/openbankproject/oauth2/controller/ConsentController.java
index 9fba06e..aacbbb2 100644
--- a/src/main/java/com/openbankproject/oauth2/controller/ConsentController.java
+++ b/src/main/java/com/openbankproject/oauth2/controller/ConsentController.java
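Review bot: The `requireCsrfProtectionMatcher` lambda in `configure` replaces Spring Security's default matcher, which exempts GET and also HEAD, OPTIONS and TRACE; with only GET exempt, an OPTIONS request carrying no token is rejected by the CSRF filter, which can break CORS preflight unless `http.cors()` is configured so the CORS filter answers first. If only GET is meant to be exempt that deserves a comment, otherwise drop the custom matcher and let the default apply. `withHttpOnlyFalse()` is the deliberate trade-off of the double-submit pattern and should be documented, e.g. `// XSRF-TOKEN cookie is readable by script so the front end can echo it in the X-XSRF-TOKEN header`. `anyRequest().permitAll()` means this chain performs no authorization at all; a class-level Javadoc should state where consent and login are enforced so nobody mistakes this for the access-control configuration. Overriding `configure(HttpSecurity)` also drops the adapter's default form login and HTTP Basic, which is presumably intended here.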
@@ -137,18 +137,20 @@ public class ConsentController {
 .filter(it -> !it.equals("openid") && !it.equals("offline"))
 .toArray(String[]::new);
 HttpHeaders headers = buildDirectLoginHeader(session);
+ String[] allAccountIds = (String[]) session.getAttribute("all_account_ids");
 { // process selected accounts
 AccessToViewRequest body = new AccessToViewRequest(selectedObpScopes);
 HttpEntity entity = new HttpEntity<>(body, headers);
+
 for (String accountId : accountIs) {
+ if(!ArrayUtils.contains(allAccountIds, accountId)) continue;
 String url = resetAccessViewUrl.replace("BANK_ID", bankId).replace("ACCOUNT_ID", accountId);
 restTemplate.exchange(url, HttpMethod.PUT, entity, HashMap.class);
 }
 }
 { // process not selected accounts
- String[] allAccountIds = (String[]) session.getAttribute("all_account_ids");
 String[] notSelectAccountIds = ArrayUtils.removeElements(allAccountIds, accountIs);
 AccessToViewRequest body = new AccessToViewRequest(ArrayUtils.EMPTY_STRING_ARRAY);
 HttpEntity entity = new HttpEntity<>(body, headers);
diff --git a/src/main/java/com/openbankproject/oauth2/util/ControllerUtils.java b/src/main/java/com/openbankproject/oauth2/util/ControllerUtils.java
index 2d1f645..4830cac 100644
--- a/src/main/java/com/openbankproject/oauth2/util/ControllerUtils.java
+++ b/src/main/java/com/openbankproject/oauth2/util/ControllerUtils.java
@@ -5,6 +5,7 @@ import org.springframework.http.MediaType;
 import javax.servlet.http.HttpSession;
+
 public interface ControllerUtils {
 static HttpHeaders buildDirectLoginHeader(HttpSession session) {
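Review bot: The new `if(!ArrayUtils.contains(allAccountIds, accountId)) continue;` is the right ownership check, but it silently drops any submitted account id that is not in the session's `all_account_ids`, so a client that posts ids it does not own gets the same success response as a clean request and nothing is logged; rejecting such a request, or at least logging the dropped id before `continue`, makes the check visible to operations. `allAccountIds` is read straight from the session on the new line after `headers` and is not null-checked: with commons-lang's ArrayUtils, `contains(null, ...)` is false, so a missing attribute skips every selected account, and `removeElements(null, accountIs)` yields null for the not-selected branch that follows. A guard right after the assignment, `if (allAccountIds == null) throw new IllegalStateException("all_account_ids missing from session");`, fails loudly instead. Minor style: the file writes `for (` with a space and braces, so `if (!ArrayUtils.contains(allAccountIds, accountId)) { continue; }` matches it. The enclosing method starts and ends outside the hunk.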