diff --git a/Admin/Routes/Web/Api.php b/Admin/Routes/Web/Api.php
index 7f48c28..eec3d04 100755
--- a/Admin/Routes/Web/Api.php
+++ b/Admin/Routes/Web/Api.php
@@ -22,6 +22,7 @@ return [
         [
             'dest'       => '\Modules\Shop\Controller\ApiController:apiOneClickBuy',
             'verb'       => RouteVerb::GET,
+            'csrf'       => true,
             'permission' => [
                 'module' => ApiController::NAME,
                 'type'   => PermissionType::CREATE,
@@ -33,6 +34,7 @@ return [
         [
             'dest'       => '\Modules\Shop\Controller\ApiController:apiItemFileDownload',
             'verb'       => RouteVerb::GET,
+            'csrf'       => true,
             'permission' => [
             ],
         ],