diff --git a/Admin/Routes/Web/Api.php b/Admin/Routes/Web/Api.php
index a5f5e9a..0946640 100644
--- a/Admin/Routes/Web/Api.php
+++ b/Admin/Routes/Web/Api.php
@@ -22,6 +22,7 @@ return [
         [
             'dest'       => '\Modules\Purchase\Controller\ApiController:apiOrderSuggestionCreate',
             'verb'       => RouteVerb::PUT,
+            'csrf'       => true,
             'permission' => [
                 'module' => ApiController::NAME,
                 'type'   => PermissionType::CREATE,
@@ -31,6 +32,7 @@ return [
         [
             'dest'       => '\Modules\Purchase\Controller\ApiController:apiOrderSuggestionUpdate',
             'verb'       => RouteVerb::SET,
+            'csrf'       => true,
             'permission' => [
                 'module' => ApiController::NAME,
                 'type'   => PermissionType::MODIFY,
@@ -40,6 +42,7 @@ return [
         [
             'dest'       => '\Modules\Purchase\Controller\ApiController:apiOrderSuggestionDelete',
             'verb'       => RouteVerb::DELETE,
+            'csrf'       => true,
             'permission' => [
                 'module' => ApiController::NAME,
                 'type'   => PermissionType::MODIFY,
@@ -51,6 +54,7 @@ return [
         [
             'dest'       => '\Modules\Purchase\Controller\ApiController:apiOrderSuggestionBillCreate',
             'verb'       => RouteVerb::PUT,
+            'csrf'       => true,
             'permission' => [
                 'module' => ApiController::NAME,
                 'type'   => PermissionType::CREATE,
diff --git a/Theme/Backend/order-suggestion.tpl.php b/Theme/Backend/order-suggestion.tpl.php
index 897817e..ea26c03 100644
--- a/Theme/Backend/order-suggestion.tpl.php
+++ b/Theme/Backend/order-suggestion.tpl.php
@@ -29,7 +29,7 @@ echo $this->data['nav']->render();
             <div class="portlet-body">
                 <input type="hidden" name="id" form="suggestionList" value="<?= $this->data['suggestion']->id; ?>">
                 <input name="save" type="submit" form="suggestionList" value="<?= $this->getHtml('Save', '0', '0'); ?>">
-                <!--<input name="order" type="submit" form="suggestionList" formaction="<?= UriFactory::build('{/api}purchase/order/suggestion/bill'); ?>" formmethod="put" value="<?= $this->getHtml('Order'); ?>">-->
+                <!--<input name="order" type="submit" form="suggestionList" formaction="<?= UriFactory::build('{/api}purchase/order/suggestion/bill?csrf={$CSRF}'); ?>" formmethod="put" value="<?= $this->getHtml('Order'); ?>">-->
                 <input name="delete" class="cancel" type="submit" form="suggestionList" formmethod="delete" value="<?= $this->getHtml('Delete', '0', '0'); ?>">
             </div>
         </div>