diff --git a/app/Config/Filters.php b/app/Config/Filters.php
index e678a07a3..6f10fde59 100644
--- a/app/Config/Filters.php
+++ b/app/Config/Filters.php
@@ -70,7 +70,7 @@ class Filters extends BaseFilters
public array $globals = [
'before' => [
'honeypot',
- // 'csrf' => ['except' => 'login'], // TODO: Temporarily disable CSRF until we get everything sorted
+ 'csrf' => ['except' => 'login'],
'invalidchars',
],
'after' => [
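Review bot: The `'except' => 'login'` argument on the newly enabled `csrf` filter leaves the login form itself without CSRF protection, and the hunk gives no reason for the exemption. If it exists only because a first-visit token mismatch blocked logging in, that should be recorded next to it, e.g. `// login is exempt from CSRF: the login form is not protected against cross-site submission — confirm this is intended`, so the exemption is not mistaken for an oversight later. The `$globals` array and the enclosing `Filters` class continue outside the hunk.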
diff --git a/app/Config/Security.php b/app/Config/Security.php
index 79dc8f177..51aceeb74 100644
--- a/app/Config/Security.php
+++ b/app/Config/Security.php
@@ -15,7 +15,7 @@ class Security extends BaseConfig
*
* @var string 'cookie' or 'session'
*/
- public string $csrfProtection = 'cookie';
+ public string $csrfProtection = 'session';
/**
* --------------------------------------------------------------------------
@@ -71,7 +71,7 @@ class Security extends BaseConfig
*
* Regenerate CSRF Token on every submission.
*/
- public bool $regenerate = true;
+ public bool $regenerate = false;
/**
* --------------------------------------------------------------------------
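Review bot: `$regenerate = false` makes one CSRF token serve for the whole session, so a token that is exposed once (in a log, a cached page, a bug report) stays valid until the session ends, and the docblock above still only says "Regenerate CSRF Token on every submission" without recording why regeneration is off. This looks like it is needed so the token rendered into header_js.php by `csrf_hash()` stays valid across AJAX requests; if so, say it in the comment, e.g. `// Regeneration is off so the token rendered into header_js.php remains valid for AJAX calls`. Note that together with `$csrfProtection = 'session'` from the first hunk the same token is then reused for every request in the session.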
diff --git a/app/Views/partial/header_js.php b/app/Views/partial/header_js.php
index 5e1ef8f47..5f33789ce 100644
--- a/app/Views/partial/header_js.php
+++ b/app/Views/partial/header_js.php
@@ -32,10 +32,8 @@
}
});
- var cookie_name = "= esc(config('Cookie')->prefix, 'js') . esc(config('Security')->cookieName, 'js') ?>";
-
var csrf_token = function() {
- return Cookies.get(cookie_name);
+ return "= csrf_hash() ?>";
};
var csrf_form_base = function() {
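Review bot: The value of `csrf_hash()` is interpolated into a JavaScript string literal without `esc(..., 'js')`, whereas the removed `cookie_name` line escaped every value it embedded; the hash is framework-generated and presumably contains only safe characters, but keeping the escaping consistent costs nothing: `esc(csrf_hash(), 'js')` in place of `csrf_hash()`. The token is now fixed at render time, so this only works while `Config\Security::$regenerate` is false; a one-line comment above `csrf_token` stating that dependency would prevent a silent breakage if regeneration is turned back on. The enclosing script block and `csrf_form_base` continue outside the hunk.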
diff --git a/app/Views/sales/invoice_email.php b/app/Views/sales/invoice_email.php
index b21b675ef..8480116bb 100644
--- a/app/Views/sales/invoice_email.php
+++ b/app/Views/sales/invoice_email.php
@@ -176,7 +176,7 @@
= nl2br($config['payment_message']) ?>
= lang('Sales.comments') . ': ' . (empty($comments) ? $config['invoice_default_comments'] : $comments) ?>
- = nl2br($config['return_policy']) ?>
+ = nl2br(esc($config['return_policy'])) ?>
![<?=]()
src="data:image/svg+xml;base64,= base64_encode($barcode) ?>">
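Review bot: Only `return_policy` gains `esc()` here, while `payment_message` on the preceding line and the `$comments` fallback are still emitted through `nl2br()` unescaped; unless those fields are meant to carry HTML, they need the same treatment, `nl2br(esc($config['payment_message']))` and `esc(lang('Sales.comments') . ': ' . (empty($comments) ? $config['invoice_default_comments'] : $comments))`. The ordering in the new line is right — escaping before `nl2br()` keeps the inserted `<br />` tags intact. The matching `return_policy` fix in receipt_default.php shows only the one changed line, so its neighbours should be checked the same way.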
diff --git a/app/Views/sales/receipt_default.php b/app/Views/sales/receipt_default.php
index d17cf9c9a..330ef3bda 100644
--- a/app/Views/sales/receipt_default.php
+++ b/app/Views/sales/receipt_default.php
@@ -165,7 +165,7 @@
- = nl2br($config['return_policy']) ?>
+ = nl2br(esc($config['return_policy'])) ?>
diff --git a/gulpfile.js b/gulpfile.js
index 7b8c146f8..e234778dc 100644
--- a/gulpfile.js
+++ b/gulpfile.js
@@ -130,7 +130,6 @@ gulp.task('debug-js', function() {
'./node_modules/chartist-plugin-axistitle/dist/chartist-plugin-axistitle.js',
'./node_modules/chartist-plugin-barlabels/dist/chartist-plugin-barlabels.js',
'./node_modules/bootstrap-notify/bootstrap-notify.js',
- './node_modules/js-cookie/src/js.cookie.js',
'./node_modules/bootstrap-tagsinput-2021/dist/bootstrap-tagsinput.js',
'./node_modules/bootstrap-toggle/js/bootstrap-toggle.js',
'./node_modules/clipboard/dist/clipboard.js',
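Review bot: Dropping `js.cookie.js` from the bundle removes the global `Cookies` object; header_js.php no longer reads it, but any other view or public/js script that still calls `Cookies.get` or `Cookies.set` would fail at runtime, and nothing in this diff shows that such callers were searched for. A search for `Cookies.` across app/Views and public/js before merging would confirm the removal is safe. The same removal is made in the `prod-js` hunk below.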
@@ -176,7 +175,6 @@ gulp.task('prod-js', function() {
'./node_modules/tableexport.jquery.plugin/tableExport.min.js'], { allowEmpty: true });
var opensourcepos2js = gulp.src(['./node_modules/bootstrap-daterangepicker/daterangepicker.js',
- './node_modules/js-cookie/src/js.cookie.js',
'./public/js/imgpreview.full.jquery.js',
'./public/js/manage_tables.js',
'./public/js/nominatim.autocomplete.js']).pipe(uglify());
@@ -293,7 +291,6 @@ gulp.task('build-database', function() {
// Run all required tasks
gulp.task('default',
gulp.series('clean',
- 'update-licenses',
'copy-bootswatch',
'copy-bootswatch5',
'copy-bootstrap',
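Review bot: Removing `'update-licenses'` from the default `gulp.series` is unrelated to the CSRF work and silently changes what a plain `gulp` run produces; if the task still exists it now has to be invoked explicitly, and if it was deleted its definition is outside this hunk. Either split this into its own commit or add a one-line comment on the series stating why it no longer runs by default. The `default` task definition continues outside the hunk.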
diff --git a/package-lock.json b/package-lock.json
index 9ed4dcf39..e57b31b0c 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -38,7 +38,6 @@
"jquery-form": "^4.3.0",
"jquery-ui-dist": "^1.12.1",
"jquery-validation": "^1.19.5",
- "js-cookie": "^2.2.1",
"jspdf": "^3.0.2",
"jspdf-autotable": "^5.0.2",
"tableexport.jquery.plugin": "^1.30.0"
@@ -3724,11 +3723,6 @@
"jquery": "^1.7 || ^2.0 || ^3.1"
}
},
- "node_modules/js-cookie": {
- "version": "2.2.1",
- "resolved": "https://registry.npmjs.org/js-cookie/-/js-cookie-2.2.1.tgz",
- "integrity": "sha512-HvdH2LzI/EAZcUwA8+0nKNtWHqS+ZmijLA30RwZA0bo7ToCckjK5MkGhjED9KoRcXO6BaGI3I9UIzSA1FKFPOQ=="
- },
"node_modules/json-buffer": {
"version": "3.0.1",
"resolved": "https://registry.npmjs.org/json-buffer/-/json-buffer-3.0.1.tgz",
diff --git a/package.json b/package.json
index b33082861..547cf3386 100644
--- a/package.json
+++ b/package.json
@@ -59,7 +59,6 @@
"jquery-form": "^4.3.0",
"jquery-ui-dist": "^1.12.1",
"jquery-validation": "^1.19.5",
- "js-cookie": "^2.2.1",
"jspdf": "^3.0.2",
"jspdf-autotable": "^5.0.2",
"tableexport.jquery.plugin": "^1.30.0"