diff --git a/uploader.py b/uploader.py
index ed01b49..291f538 100644
--- a/uploader.py
+++ b/uploader.py
@@ -21,6 +21,7 @@ class CalibreClient:
         self._cfg = cfg
         self._session = requests.Session()
         self._authenticated = False
+        self._upload_csrf: str | None = None
 
     def _ensure_auth(self) -> None:
         if self._authenticated:
@@ -59,11 +60,16 @@ class CalibreClient:
 
         try:
             self._ensure_auth()
+            if not self._upload_csrf:
+                page = self._session.get(f"{self._cfg.url}/upload", timeout=30)
+                self._upload_csrf = _extract_csrf(page.text)
+
             mime = MIME_TYPES.get(book_path.suffix.lower(), "application/octet-stream")
             with book_path.open("rb") as fh:
                 resp = self._session.post(
                     f"{self._cfg.url}/upload",
                     files={"btn-upload": (book_path.name, fh, mime)},
+                    data={"csrf_token": self._upload_csrf} if self._upload_csrf else {},
                     timeout=120,
                 )
             resp.raise_for_status()