diff --git a/src/Module/Admin/PhpInfo.php b/src/Module/Admin/PhpInfo.php
index ed760d226c..79162ebd36 100644
--- a/src/Module/Admin/PhpInfo.php
+++ b/src/Module/Admin/PhpInfo.php
@@ -30,6 +30,8 @@ class PhpInfo extends BaseAdmin
 	{
 		self::checkAdminAccess();
 
+		self::checkFormSecurityTokenForbiddenOnError('phpinfo', 't');
+
 		phpinfo();
 		System::exit();
 	}
diff --git a/src/Module/BaseAdmin.php b/src/Module/BaseAdmin.php
index 0a5f5fa4c8..bdcead545f 100644
--- a/src/Module/BaseAdmin.php
+++ b/src/Module/BaseAdmin.php
@@ -104,7 +104,7 @@ abstract class BaseAdmin extends BaseModule
 				'logsview'     => ['admin/logs/view'    , DI::l10n()->t('View Logs')              , 'viewlogs'],
 			]],
 			'diagnostics' => [DI::l10n()->t('Diagnostics'), [
-				'phpinfo'      => ['admin/phpinfo'           , DI::l10n()->t('PHP Info')          , 'phpinfo'],
+				'phpinfo'      => ['admin/phpinfo?t=' . self::getFormSecurityToken('phpinfo'), DI::l10n()->t('PHP Info')                , 'phpinfo'],
 				'probe'        => ['probe'             , DI::l10n()->t('probe address')           , 'probe'],
 				'webfinger'    => ['webfinger'         , DI::l10n()->t('check webfinger')         , 'webfinger'],
 				'babel'        => ['babel'             , DI::l10n()->t('Babel')                   , 'babel'],