diff --git a/administrator/controller.php b/administrator/controller.php
index 0ab83775..f0c531de 100755
--- a/administrator/controller.php
+++ b/administrator/controller.php
@@ -70,6 +70,7 @@ public function display($cachable = false, $urlparams = false)
 */
 public function getMediaFile()
 {
+ (JSession::checkToken() or JSession::checkToken('get')) or jexit(JText::_('JINVALID_TOKEN'));
 JLoader::import("/techjoomla/media/storage/local", JPATH_LIBRARIES);
 $app = Factory::getApplication();
 $jinput = $app->input;
diff --git a/site/controller.php b/site/controller.php
index 6c3429c1..f8935c50 100644
--- a/site/controller.php
+++ b/site/controller.php
@@ -53,6 +53,7 @@ public function __construct()
 */
 public function getMediaFile()
 {
+ (JSession::checkToken() or JSession::checkToken('get')) or jexit(JText::_('JINVALID_TOKEN'));
 JLoader::import("/techjoomla/media/storage/local", JPATH_LIBRARIES);
 $app = Factory::getApplication();
 $jinput = $app->input;
diff --git a/site/helpers/tjfields.php b/site/helpers/tjfields.php
index b82e5043..472796a8 100644
--- a/site/helpers/tjfields.php
+++ b/site/helpers/tjfields.php
@@ -1927,7 +1927,10 @@ public function getMediaUrl($fileName, $extraUrlParamsArray = '')
 // Here, fpht means file encoded path
 $encodedFileName = base64_encode($fileName);
 $basePathLink = 'index.php?option=com_tjfields&task=getMediaFile&fpht=';
- $mediaURLlink = Uri::base() . substr(Route::_($basePathLink . $encodedFileName . $extraUrlParams), strlen(Uri::base(true)) + 1);
+ $mediaURL = Uri::base() . substr(Route::_($basePathLink . $encodedFileName . $extraUrlParams), strlen(Uri::base(true)) + 1);
+
+ $csrf = JSession::getFormToken() . '=1';
+ $mediaURLlink = $mediaURL . '&' . $csrf;
 return $mediaURLlink;
 }
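Review bot: The added token check at the top of `getMediaFile` only establishes that the request came from a page holding this session's form token; it says nothing about whether the session's user may read the file named by `fpht`, so whatever authorization the rest of `getMediaFile` (which continues past the hunk) applies to the decoded path remains the control that matters, and the line deserves a comment making that scope explicit: `// CSRF guard only: the media link carries the form token as a GET parameter. Authorization for the requested file is handled below.` The identical line is added to site/controller.php in the next hunk and should carry the same comment. As a point of style, the new line uses the legacy `JSession`/`JText` aliases right next to the namespaced `Factory` already used on the following lines; `Session::checkToken()` and `Text::_()` from `Joomla\CMS\Session\Session` and `Joomla\CMS\Language\Text` would be consistent with the surrounding code.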
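Review bot: In `getMediaUrl` the token is appended with a literal `&` to the output of `Route::_()`, which produces a malformed link whenever the router returns a URL without a query string (SEF rewriting may do that); adding it to the unrouted link instead lets the router place it correctly and drops the intermediate `$mediaURL`/`$csrf` variables: `$mediaURLlink = Uri::base() . substr(Route::_($basePathLink . $encodedFileName . $extraUrlParams . '&' . JSession::getFormToken() . '=1'), strlen(Uri::base(true)) + 1);`. A session-bound form token in a GET URL is also visible in browser history, server logs and the Referer header of any page the link is embedded on, and the link stops working once the session is renewed, so the helper's docblock should state that the returned URL is session-scoped and must not be stored, emailed or rendered on pages that load third-party content. `getMediaUrl` starts outside the hunk, so whether `$extraUrlParams` already begins with `&` cannot be confirmed here.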