diff --git a/dev/bootstrap.js b/dev/bootstrap.js
index 23045c76a..6f0afbeaa 100644
--- a/dev/bootstrap.js
+++ b/dev/bootstrap.js
@@ -60,7 +60,8 @@ export default App => {
 postData.XToken = Settings.app('token');
 init.body = JSON.stringify(postData);
 }
-
+ init.headers['X-SM-Token'] = Settings.app('token');
+// init.headers = new Headers(init.headers);
 return fetch(resource, init);
 };
diff --git a/snappymail/v/0.0.0/app/libraries/RainLoop/ServiceActions.php b/snappymail/v/0.0.0/app/libraries/RainLoop/ServiceActions.php
index 8ba58fb84..6389c2aa0 100644
--- a/snappymail/v/0.0.0/app/libraries/RainLoop/ServiceActions.php
+++ b/snappymail/v/0.0.0/app/libraries/RainLoop/ServiceActions.php
@@ -92,7 +92,13 @@ class ServiceActions
 throw new Exceptions\ClientException(Notifications::InvalidInputArgument, null, 'Action unknown');
 }
- if ($this->oHttp->IsPost() && ($_POST['XToken'] ?? '') !== Utils::GetCsrfToken()) {
+ $xtoken = $token = Utils::GetCsrfToken();
+ if (isset($_SERVER['HTTP_X_SM_TOKEN'])) {
+ $xtoken = $_SERVER['HTTP_X_SM_TOKEN'];
+ } else if ($this->oHttp->IsPost()) {
+ $xtoken = $_POST['XToken'] ?? '';
+ }
+ if ($xtoken !== $token) {
 throw new Exceptions\ClientException(Notifications::InvalidToken, null, 'Token mismatch');
 }
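Review bot: `init.headers['X-SM-Token'] = Settings.app('token');` only attaches the header when `init.headers` is a plain object; if it is a `Headers` instance (the commented-out `new Headers(init.headers)` line suggests that case was considered) the bracket assignment creates an own property that fetch ignores and the token is silently never sent, and if it is undefined the assignment throws a TypeError. Where `init.headers` is built is outside the hunk, so this is inferred from the hunk alone; a form that covers all three cases is `init.headers = new Headers(init.headers); init.headers.set('X-SM-Token', Settings.app('token'));`, provided nothing later in the function reads `init.headers` as a plain object. The commented-out `// init.headers = new Headers(init.headers);` line is dead code and should be deleted rather than committed. The enclosing arrow function starts outside the hunk.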
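Review bot: `if ($xtoken !== $token) {` compares the CSRF token with a plain string comparison, which is not constant-time, and the new `isset($_SERVER['HTTP_X_SM_TOKEN'])` branch above now feeds it a value taken directly from a request header on any HTTP method; the usual form is `if (!\is_string($xtoken) || !\hash_equals($token, $xtoken)) {`, where the `is_string` guard matters because `$_POST['XToken']` can arrive as an array, which `hash_equals` rejects with a TypeError on PHP 8. The `$xtoken = $token = Utils::GetCsrfToken();` default is easy to misread: it means a non-POST request that sends no `X-SM-Token` header is not token-checked at all, which matches the old condition but deserves a comment such as `// No header and not a POST: no token check (previous behaviour)`. The enclosing method starts and ends outside the hunk.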