diff --git a/app/controllers/todos_controller.rb b/app/controllers/todos_controller.rb
index a8d53c73..880c0de7 100644
--- a/app/controllers/todos_controller.rb
+++ b/app/controllers/todos_controller.rb
@@ -11,8 +11,6 @@ class TodosController < ApplicationController
     :completed_archive, :check_deferred, :toggle_check, :toggle_star,
     :edit, :update, :defer, :create, :calendar, :auto_complete_for_predecessor, :remove_predecessor, :add_predecessor]
 
-  protect_from_forgery :except => [:auto_complete_for_predecessor]
-
   def index
     @projects = current_user.projects.find(:all, :include => [:default_context])
     @contexts = current_user.contexts.find(:all)
diff --git a/app/views/layouts/standard.html.erb b/app/views/layouts/standard.html.erb
index dccd68b9..c4de7bc0 100644
--- a/app/views/layouts/standard.html.erb
+++ b/app/views/layouts/standard.html.erb
@@ -14,6 +14,7 @@
     <%= javascript_tag "var AUTH_TOKEN = #{form_authenticity_token.inspect};" if protect_against_forgery? %>
     <%= javascript_tag "var SOURCE_VIEW = '#{@source_view}';" %>
     <%= javascript_tag "var TAG_NAME = '#{@tag_name}';" if @tag_name %>
+    <%= csrf_meta_tag %>
     <script type="text/javascript">
       var defaultContexts = <%= default_contexts_for_autocomplete rescue '{}' %>;
       var defaultTags = <%= default_tags_for_autocomplete rescue '{}' %>;
diff --git a/config/initializers/mongrel_workaround.rb b/config/initializers/mongrel_workaround.rb
index c826acb6..fcf11e71 100644
--- a/config/initializers/mongrel_workaround.rb
+++ b/config/initializers/mongrel_workaround.rb
@@ -1,6 +1,6 @@
 # adapted from https://gist.github.com/471663 and https://rails.lighthouseapp.com/projects/8994/tickets/4690-mongrel-doesnt-work-with-rails-238
 
-if Rails.version == '2.3.10' && Gem.available?('mongrel', '~>1.1.5') && self.class.const_defined?(:Mongrel)
+if Rails.version == '2.3.11' && Gem.available?('mongrel', '~>1.1.5') && self.class.const_defined?(:Mongrel)
 
   # Pulled right from latest rack. Old looked like this in 1.1.0 version.
   #
diff --git a/public/javascripts/application.js b/public/javascripts/application.js
index 0bb4d1a1..bdbc6e79 100644
--- a/public/javascripts/application.js
+++ b/public/javascripts/application.js
@@ -847,6 +847,7 @@ $(document).ajaxSend(function(event, request, settings) {
         }
         request.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
     }
+    request.setRequestHeader("X-CSRF-Token", $('meta[name=csrf-token]').attr('content'));
     request.setRequestHeader("Accept", "text/javascript");
 });