diff --git a/src/usr/local/www/pkg.php b/src/usr/local/www/pkg.php
index 0c8ade54fd..307f18461b 100644
--- a/src/usr/local/www/pkg.php
+++ b/src/usr/local/www/pkg.php
@@ -94,13 +94,13 @@ $config_path = sprintf('installedpackages/%s/config', xml_safe_fieldname($pkg['n
 
 $evaledvar = config_get_path($config_path, []);
 
-if ($_REQUEST['act'] == "update") {
+if ($_POST['act'] == "update") {
 
-	if (is_array($config['installedpackages'][$pkg['name']]) && $pkg['name'] != "" && $_REQUEST['ids'] !="") {
+	if (is_array($config['installedpackages'][$pkg['name']]) && $pkg['name'] != "" && $_POST['ids'] !="") {
 		// get current values
 		$current_values=config_get_path("installedpackages/{$pkg['name']}/config");
 		// get updated ids
-		parse_str($_REQUEST['ids'], $update_list);
+		parse_str($_POST['ids'], $update_list);
 		// sort ids to know what to change
 		// useful to do not lose data when using sorting and paging
 		$sort_list=$update_list['ids'];
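Review bot: `$_POST['act']` and `$_POST['ids']` are used without a presence or type check: a body carrying `ids[]=x` makes `$_POST['ids']` an array, which passes the `!= ""` test and then reaches `parse_str()`, which expects a string (a TypeError on PHP 8). Tightening the two conditions to `if (($_POST['act'] ?? '') === "update") {` and `is_string($_POST['ids'] ?? null) && $_POST['ids'] !== ""` keeps the handler to the shape the AJAX caller sends. `$update_list['ids']` is likewise taken on the last line without confirming it is an array. The same unguarded `$_POST[...]` reads open the `generatekey` handlers in services_captiveportal_vouchers.php and vpn_ipsec_phase1.php and the `action` handlers in status_openvpn.php and openvpn.widget.php. The `if` body continues past the end of this hunk.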
@@ -271,7 +271,7 @@ function save_changes_to_xml(xml) {
 	var strloading="<?=gettext('Saving changes...')?>";
 	if (confirm("<?=gettext("Confirmation Required to save changes.")?>")) {
 		$.ajax({
-			type: 'get',
+			type: 'post',
 			cache: false,
 			url: "<?=$_SERVER['SCRIPT_NAME']?>",
 			data: {xml:'<?=$xml?>', act:'update', ids: ids},
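Review bot: `$xml` is echoed raw into a single-quoted JavaScript string on the `data:` line (`xml:'<?=$xml?>'`), so a quote or `</script>` inside it would end the literal early. Where `$xml` is assigned is outside this diff; if it can carry request-derived text, emit it through the encoder instead: `data: {xml: <?=json_encode($xml, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP)?>, act:'update', ids: ids},`. The `$.ajax` call continues past the end of the hunk.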
diff --git a/src/usr/local/www/services_captiveportal_vouchers.php b/src/usr/local/www/services_captiveportal_vouchers.php
index 3b6561217a..aadfaaaec7 100644
--- a/src/usr/local/www/services_captiveportal_vouchers.php
+++ b/src/usr/local/www/services_captiveportal_vouchers.php
@@ -42,7 +42,7 @@ require_once("voucher.inc");
 
 $cpzone = strtolower(htmlspecialchars($_REQUEST['zone']));
 
-if ($_REQUEST['generatekey']) {
+if ($_POST['generatekey']) {
 	include_once("phpseclib/Math/BigInteger.php");
 	include_once("phpseclib/Crypt/Hash.php");
 	include_once("phpseclib/Crypt/RSA.php");
@@ -477,8 +477,11 @@ events.push(function() {
 	var generateButton = $('<a class="btn btn-xs btn-warning"><i class="fa fa-refresh icon-embed-btn"></i><?=gettext("Generate new keys");?></a>');
 	generateButton.on('click', function() {
 		$.ajax({
-			type: 'get',
-			url: 'services_captiveportal_vouchers.php?generatekey=true',
+			type: 'post',
+			url: 'services_captiveportal_vouchers.php',
+			data: {
+				generatekey:           true,
+			},
 			dataType: 'json',
 			success: function(data) {
 				$('#publickey').val(data.public.replace(/\\n/g, '\n'));
diff --git a/src/usr/local/www/status_graph.php b/src/usr/local/www/status_graph.php
index 4d3b37f035..c9c95f7a13 100644
--- a/src/usr/local/www/status_graph.php
+++ b/src/usr/local/www/status_graph.php
@@ -294,7 +294,7 @@ function updateBandwidth() {
 	$.ajax(
 		'/bandwidth_by_ip.php',
 		{
-			type: 'get',
+			type: 'post',
 			data: $(document.forms[0]).serialize(),
 			success: function (data) {
 				var hosts_split = data.split("|");
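Review bot: The receiving script `/bandwidth_by_ip.php` is not part of this diff, so switching this poll to `type: 'post'` only works if that script reads its parameters from `$_POST` or `$_REQUEST`; if it still reads `$_GET`, every refresh would come back empty without an error. Worth confirming the server side before merging. A short comment above the `type:` line, such as `// POST (not GET) so the request carries the CSRF token`, would record why a read-only poll is not a GET, assuming that is the reason. `updateBandwidth()` continues past the hunk.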
diff --git a/src/usr/local/www/status_openvpn.php b/src/usr/local/www/status_openvpn.php
index f3edc5853c..e49c43474b 100644
--- a/src/usr/local/www/status_openvpn.php
+++ b/src/usr/local/www/status_openvpn.php
@@ -38,11 +38,11 @@ require_once("shortcuts.inc");
 require_once("service-utils.inc");
 
 /* Handle AJAX */
-if ($_REQUEST['action']) {
-	if ($_REQUEST['action'] == "kill") {
-		$port  = $_REQUEST['port'];
-		$remipp  = $_REQUEST['remipp'];
-		$client_id  = $_REQUEST['client_id'];
+if ($_POST['action']) {
+	if ($_POST['action'] == "kill") {
+		$port  = $_POST['port'];
+		$remipp  = $_POST['remipp'];
+		$client_id  = $_POST['client_id'];
 		if (!empty($port) and !empty($remipp)) {
 			$retval = openvpn_kill_client($port, $remipp, $client_id);
 			echo htmlentities("|{$port}|{$remipp}|{$retval}|");
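Review bot: `$port`, `$remipp` and `$client_id` go from `$_POST` straight into `openvpn_kill_client()` with only an `empty()` test, so arrays or arbitrarily shaped strings reach it unchecked. That function is defined outside this diff; if it uses `$port` to locate a management socket or places `$remipp` in a management command, the values need a shape check first. At minimum add `is_string($port) && is_string($remipp)` to the existing `!empty()` condition, plus a format check matching what the function expects. The identical handler is repeated in widgets/widgets/openvpn.widget.php, and both `if` blocks close outside their hunks.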
@@ -83,9 +83,17 @@ include("head.inc"); ?>
 		$('img[name="i:' + mport + ":" + remipp + '"]').each(busy);
 
 		$.ajax(
-			"<?=$_SERVER['SCRIPT_NAME'];?>" +
-				"?action=kill&port=" + mport + "&remipp=" + remipp + "&client_id=" + client_id,
-			{ type: "get", complete: killComplete }
+			"<?=$_SERVER['SCRIPT_NAME'];?>",
+			{
+				type: "post",
+				data: {
+					action:           "kill",
+					port:		  mport,
+					remipp:		  remipp,
+					client_id:	  client_id
+				},
+				complete: killComplete
+			}
 		);
 	}
 
diff --git a/src/usr/local/www/vpn_ipsec_phase1.php b/src/usr/local/www/vpn_ipsec_phase1.php
index c2e341f855..f3e76996cc 100644
--- a/src/usr/local/www/vpn_ipsec_phase1.php
+++ b/src/usr/local/www/vpn_ipsec_phase1.php
@@ -40,7 +40,7 @@ require_once("ipsec.inc");
 require_once("vpn.inc");
 require_once("filter.inc");
 
-if ($_REQUEST['generatekey']) {
+if ($_POST['generatekey']) {
 	$keyoutput = "";
 	$keystatus = "";
 	exec("/bin/dd status=none if=/dev/random bs=4096 count=1 | /usr/bin/openssl sha224 | /usr/bin/cut -f2 -d' '", $keyoutput, $keystatus);
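Review bot: `$keystatus` on the `exec()` line receives the exit status of the last pipeline stage (`cut`) only, so a failing `dd` or `openssl` would not be visible in it. The rest of the handler is outside the hunk; if it relies on `$keystatus` alone, it should also reject an empty `$keyoutput`. Since the command takes no external input, `$key = bin2hex(random_bytes(28));` would produce the same 56 hex characters without spawning a shell.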
@@ -1485,8 +1485,11 @@ foreach($pconfig['encryption']['item'] as $key => $p1enc) {
 	var generateButton = $('<a class="btn btn-xs btn-warning"><i class="fa fa-refresh icon-embed-btn"></i><?=gettext("Generate new Pre-Shared Key");?></a>');
 	generateButton.on('click', function() {
 		$.ajax({
-			type: 'get',
-			url: 'vpn_ipsec_phase1.php?generatekey=true',
+			type: 'post',
+			url: 'vpn_ipsec_phase1.php',
+			data: {
+				generatekey:           true,
+			},
 			dataType: 'json',
 			success: function(data) {
 				$('#pskey').val(data.pskey.replace(/\\n/g, '\n'));
diff --git a/src/usr/local/www/widgets/widgets/gmirror_status.widget.php b/src/usr/local/www/widgets/widgets/gmirror_status.widget.php
index 5a5b504d9d..cda6a2d546 100644
--- a/src/usr/local/www/widgets/widgets/gmirror_status.widget.php
+++ b/src/usr/local/www/widgets/widgets/gmirror_status.widget.php
@@ -38,8 +38,10 @@ require_once("gmirror.inc");
 //<![CDATA[
 function gmirrorStatusUpdateFromServer() {
 	$.ajax({
-		type: 'get',
+		type: 'post',
 		url: '/widgets/widgets/gmirror_status.widget.php',
+		// Need to send some dummy value or else the CSRF token will not be sent either.
+		data: { dummyvalue: true },
 		dataType: 'html',
 		dataFilter: function(raw){
 			// We reload the entire widget, strip this block of javascript from it
diff --git a/src/usr/local/www/widgets/widgets/openvpn.widget.php b/src/usr/local/www/widgets/widgets/openvpn.widget.php
index 988f9554fc..9511ea94b4 100644
--- a/src/usr/local/www/widgets/widgets/openvpn.widget.php
+++ b/src/usr/local/www/widgets/widgets/openvpn.widget.php
@@ -283,11 +283,11 @@ if (!function_exists('printPanel')) {
 }
 
 /* Handle AJAX */
-if ($_GET['action']) {
-	if ($_GET['action'] == "kill") {
-		$port = $_GET['port'];
-		$remipp = $_GET['remipp'];
-		$client_id  = $_GET['client_id'];
+if ($_POST['action']) {
+	if ($_POST['action'] == "kill") {
+		$port = $_POST['port'];
+		$remipp = $_POST['remipp'];
+		$client_id  = $_POST['client_id'];
 		if (!empty($port) and !empty($remipp)) {
 			$retval = openvpn_kill_client($port, $remipp, $client_id);
 			echo htmlentities("|{$port}|{$remipp}|{$retval}|");
@@ -409,9 +409,17 @@ $widgetkey_nodash = str_replace("-", "", $widgetkey);
 	function killClient(mport, remipp, client_id) {
 
 		$.ajax(
-			"widgets/widgets/openvpn.widget.php" +
-				"?action=kill&port=" + mport + "&remipp=" + remipp + "&client_id=" + client_id,
-			{ type: "get", complete: killComplete }
+			"widgets/widgets/openvpn.widget.php",
+			{
+				type: "post",
+				data: {
+					action:           "kill",
+					port:             mport,
+					remipp:           remipp,
+					client_id:        client_id
+				},
+				complete: killComplete
+			}
 		);
 	}
 
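Review bot: The request URL on the added line is relative (`"widgets/widgets/openvpn.widget.php"`), so it resolves against whatever page embeds the widget, while the gmirror widget changed in this same commit uses a root-anchored path. Writing it as `"/widgets/widgets/openvpn.widget.php",` makes the POST target independent of the embedding page's location.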
