diff --git a/src/applications/auth/controller/PhabricatorAuthLinkController.php b/src/applications/auth/controller/PhabricatorAuthLinkController.php
--- a/src/applications/auth/controller/PhabricatorAuthLinkController.php
+++ b/src/applications/auth/controller/PhabricatorAuthLinkController.php
@@ -83,6 +83,11 @@
     switch ($this->action) {
       case 'link':
+        id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+          $viewer,
+          $request,
+          $panel_uri);
+
         $form = $provider->buildLinkForm($this);
         break;
       case 'refresh':
diff --git a/src/applications/conduit/controller/PhabricatorConduitTokenController.php b/src/applications/conduit/controller/PhabricatorConduitTokenController.php
--- a/src/applications/conduit/controller/PhabricatorConduitTokenController.php
+++ b/src/applications/conduit/controller/PhabricatorConduitTokenController.php
@@ -7,9 +7,13 @@
   extends PhabricatorConduitController {
   public function processRequest() {
-    $user = $this->getRequest()->getUser();
+    id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $user,
+      $this->getRequest(),
+      '/');
+
     // Ideally we'd like to verify this, but it's fine to leave it unguarded
     // for now and verifying it would need some Ajax junk or for the user to
     // click a button or similar.
diff --git a/src/applications/diffusion/panel/DiffusionSetPasswordPanel.php b/src/applications/diffusion/panel/DiffusionSetPasswordPanel.php
--- a/src/applications/diffusion/panel/DiffusionSetPasswordPanel.php
+++ b/src/applications/diffusion/panel/DiffusionSetPasswordPanel.php
@@ -26,6 +26,11 @@
     $viewer = $request->getUser();
     $user = $this->getUser();
+    $token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $viewer,
+      $request,
+      '/settings/');
+
     $vcspassword = id(new PhabricatorRepositoryVCSPassword())
       ->loadOneWhere(
         'userPHID = %s',
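Review bot: Only the `'link'` case receives the high-security requirement; the `'refresh'` case that immediately follows the added block stays ungated in this hunk. If refresh re-runs the provider flow and re-issues credentials for the linked external account, it touches the same sensitive material and deserves the same step-up; if leaving it open is deliberate, say so next to the case, e.g. `// 'refresh' only re-fetches an existing link and is intentionally not gated.` The call's return value is discarded here while the settings-panel hunks in this same change bind it as `$token`; either is fine, but one convention across the change reads better. The enclosing `switch` and method continue outside the hunk.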
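Review bot: As rendered, `$user = $this->getRequest()->getUser();` is on the removed side of this hunk and no added line reinstates it, yet the new call passes `$user` as its first argument, so `$user` would reach `requireHighSecuritySession()` undefined unless the assignment survives somewhere outside the hunk. The hunk counts (-9/+13 with five added lines) only balance with exactly one removed line, so this does not look like a pure rendering artifact and is worth checking against the actual commit. The intended shape is presumably to keep `$user = $this->getRequest()->getUser();` directly above the added call, and binding `$request = $this->getRequest();` once would also avoid calling it twice. `processRequest()` continues past the hunk.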
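Review bot: The third argument is the hard-coded `'/settings/'`, which, going by the other call sites, is where the user lands after cancelling the MFA prompt — the settings root rather than this panel. The EmailAddresses and SSHKeys hunks in the same change pass `$this->getPanelURI()` for this, and the same literal appears again in the Conduit and Password panel hunks; if this panel inherits the same helper, `'/settings/'` → `$this->getPanelURI()` here and in those two panels makes the cancel behaviour uniform. `$token` is bound but never read in the visible lines, so either use it or drop the assignment to avoid a dead local. The method continues outside the hunk.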
diff --git a/src/applications/passphrase/controller/PassphraseCredentialRevealController.php b/src/applications/passphrase/controller/PassphraseCredentialRevealController.php
--- a/src/applications/passphrase/controller/PassphraseCredentialRevealController.php
+++ b/src/applications/passphrase/controller/PassphraseCredentialRevealController.php
@@ -29,6 +29,11 @@
     $view_uri = '/K'.$credential->getID();
+    $token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $viewer,
+      $request,
+      $view_uri);
+
     if ($request->isFormPost()) {
       if ($credential->getSecret()) {
         $body = id(new PHUIFormLayoutView())
diff --git a/src/applications/people/controller/PhabricatorPeopleCreateController.php b/src/applications/people/controller/PhabricatorPeopleCreateController.php
--- a/src/applications/people/controller/PhabricatorPeopleCreateController.php
+++ b/src/applications/people/controller/PhabricatorPeopleCreateController.php
@@ -7,6 +7,11 @@
     $request = $this->getRequest();
     $admin = $request->getUser();
+    id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $admin,
+      $request,
+      $this->getApplicationURI());
+
     $v_type = 'standard';
     if ($request->isFormPost()) {
       $v_type = $request->getStr('type');
diff --git a/src/applications/people/controller/PhabricatorPeopleEmpowerController.php b/src/applications/people/controller/PhabricatorPeopleEmpowerController.php
--- a/src/applications/people/controller/PhabricatorPeopleEmpowerController.php
+++ b/src/applications/people/controller/PhabricatorPeopleEmpowerController.php
@@ -23,6 +23,11 @@
     $profile_uri = '/p/'.$user->getUsername().'/';
+    id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $admin,
+      $request,
+      $profile_uri);
+
     if ($user->getPHID() == $admin->getPHID()) {
       return $this->newDialog()
         ->setTitle(pht('Your Way is Blocked'))
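Review bot: The step-up is placed ahead of the `isFormPost()` check, so a plain GET of the reveal URL already triggers the MFA challenge before the confirmation dialog is even rendered; that is the safer ordering for a secret reveal, but the intent is not obvious to a reader, so a comment would help: `// Challenge for MFA before rendering the reveal dialog at all: nothing about the secret should be shown without it.` `$token` is assigned but never read in the visible lines; if it is only there to make the step-up explicit, drop the assignment. The surrounding method continues beyond the hunk.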
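Review bot: The high-security requirement now runs before the self-empower refusal that follows it (`if ($user->getPHID() == $admin->getPHID())` → the 'Your Way is Blocked' dialog), so an admin who opens this action on their own profile is put through an MFA challenge for a request that is refused regardless. Moving the added block to just below that early-return dialog keeps the gate on every path that can actually change anything while avoiding a pointless challenge; the refusal branch reads no secrets and mutates nothing in the visible lines. The method body continues outside the hunk.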
diff --git a/src/applications/people/controller/PhabricatorPeopleRenameController.php b/src/applications/people/controller/PhabricatorPeopleRenameController.php
--- a/src/applications/people/controller/PhabricatorPeopleRenameController.php
+++ b/src/applications/people/controller/PhabricatorPeopleRenameController.php
@@ -23,6 +23,11 @@
     $profile_uri = '/p/'.$user->getUsername().'/';
+    id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $admin,
+      $request,
+      $profile_uri);
+
     $errors = array();
     $v_username = $user->getUsername();
diff --git a/src/applications/settings/panel/PhabricatorSettingsPanelConduit.php b/src/applications/settings/panel/PhabricatorSettingsPanelConduit.php
--- a/src/applications/settings/panel/PhabricatorSettingsPanelConduit.php
+++ b/src/applications/settings/panel/PhabricatorSettingsPanelConduit.php
@@ -23,6 +23,11 @@
     $user = $this->getUser();
     $viewer = $request->getUser();
+    id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $viewer,
+      $request,
+      '/settings/');
+
     if ($request->isFormPost()) {
       if (!$request->isDialogFormPost()) {
         $dialog = new AphrontDialogView();
diff --git a/src/applications/settings/panel/PhabricatorSettingsPanelEmailAddresses.php b/src/applications/settings/panel/PhabricatorSettingsPanelEmailAddresses.php
--- a/src/applications/settings/panel/PhabricatorSettingsPanelEmailAddresses.php
+++ b/src/applications/settings/panel/PhabricatorSettingsPanelEmailAddresses.php
@@ -330,6 +330,11 @@
     $user = $request->getUser();
+    $token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $user,
+      $request,
+      $this->getPanelURI());
+
     // NOTE: You can only make your own verified addresses primary.
     $email = id(new PhabricatorUserEmail())->loadOneWhere(
       'id = %d AND userPHID = %s AND isVerified = 1 AND isPrimary = 0',
diff --git a/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php b/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php
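Review bot: This hunk gates only the method that begins before line 330 — the one that promotes an address to primary, going by the `isPrimary = 0` query that follows — and its header lies outside the hunk. Whether the panel's sibling operations (adding, removing or verifying an address) received the same treatment is not visible here and is worth confirming, since adding a new address is one common route to taking over an account, arguably more so than changing which verified address is primary. `$token` is bound but unused in the visible lines. The method continues beyond the hunk.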
--- a/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php
+++ b/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php
@@ -35,6 +35,11 @@
   public function processRequest(AphrontRequest $request) {
     $user = $request->getUser();
+    $token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $user,
+      $request,
+      '/settings/');
+
     $min_len = PhabricatorEnv::getEnvConfig('account.minimum-password-length');
     $min_len = (int)$min_len;
diff --git a/src/applications/settings/panel/PhabricatorSettingsPanelSSHKeys.php b/src/applications/settings/panel/PhabricatorSettingsPanelSSHKeys.php
--- a/src/applications/settings/panel/PhabricatorSettingsPanelSSHKeys.php
+++ b/src/applications/settings/panel/PhabricatorSettingsPanelSSHKeys.php
@@ -276,6 +276,12 @@
     $user = $this->getUser();
     $viewer = $request->getUser();
+    $token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $viewer,
+      $request,
+      $this->getPanelURI());
+
+
     $is_self = ($user->getPHID() == $viewer->getPHID());
     if ($request->isFormPost()) {
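Review bot: Two blank lines are added back-to-back after `$this->getPanelURI());` — the hunk adds six lines, four for the call and two empty ones — leaving a double blank before `$is_self`; drop one of them. `$token` is bound but not read in the visible lines, as in the other panel hunks. Gating on `$viewer` while the panel edits `$user` (the `$is_self` line right after distinguishes the two) is the right choice: it is the acting session that must prove MFA, not the account whose keys are being changed. The enclosing method starts and continues outside the hunk.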