diff --git a/app/assets/javascripts/discourse/public/assets/scripts/discourse-boot.js b/app/assets/javascripts/discourse/public/assets/scripts/discourse-boot.js
index d0120c8ea09..9c9c4d0200e 100644
--- a/app/assets/javascripts/discourse/public/assets/scripts/discourse-boot.js
+++ b/app/assets/javascripts/discourse/public/assets/scripts/discourse-boot.js
@@ -195,6 +195,16 @@
 
       let locale = data.bootstrap.locale_script;
 
+      if (data.bootstrap.csrf_token) {
+        const csrfParam = document.createElement("meta");
+        csrfParam.setAttribute("name", "csrf-param");
+        csrfParam.setAttribute("content", "authenticity_token");
+        head.append(csrfParam);
+        const csrfToken = document.createElement("meta");
+        csrfToken.setAttribute("name", "csrf-token");
+        csrfToken.setAttribute("content", data.bootstrap.csrf_token);
+        head.append(csrfToken);
+      }
       (data.bootstrap.stylesheets || []).forEach((s) => {
         let link = document.createElement("link");
         link.setAttribute("rel", "stylesheet");
diff --git a/app/controllers/bootstrap_controller.rb b/app/controllers/bootstrap_controller.rb
index ebd68eebe11..b0378359c5f 100644
--- a/app/controllers/bootstrap_controller.rb
+++ b/app/controllers/bootstrap_controller.rb
@@ -60,6 +60,7 @@ class BootstrapController < ApplicationController
       preloaded: @preloaded,
     }
     bootstrap[:extra_locales] = extra_locales if extra_locales.present?
+    bootstrap[:csrf_token] = form_authenticity_token if current_user
 
     render_json_dump(bootstrap: bootstrap)
   end