diff --git a/htdocs/admin/const.php b/htdocs/admin/const.php
index 72fb1ebc09b..f8b5c41738c 100644
--- a/htdocs/admin/const.php
+++ b/htdocs/admin/const.php
@@ -30,10 +30,6 @@ require_once(DOL_DOCUMENT_ROOT."/lib/admin.lib.php");
 $langs->load("admin");
-//Todo: protection faille CSRF !!!
-if (! empty($_SERVER['HTTP_REFERER']) && !eregi(DOL_MAIN_URL_ROOT, $_SERVER['HTTP_REFERER']))
-accessforbidden();
-
 if (!$user->admin) accessforbidden();
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index a26a7b79cf5..8c37fd649ca 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -122,6 +122,10 @@ set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
 // This include will set: $conf, $langs and $mysoc objects
 require_once("master.inc.php");
+// Protection faille CSRF !!!
+if (! empty($_SERVER['HTTP_REFERER']) && !eregi(DOL_MAIN_URL_ROOT, $_SERVER['HTTP_REFERER']))
+accessforbidden();
+
 // Check if HTTPS
 if ($conf->file->main_force_https) {