diff --git a/public/comments.php b/public/comments.php
index a550836..93a480d 100644
--- a/public/comments.php
+++ b/public/comments.php
@@ -42,7 +42,6 @@ if($currentUserInfo->isSilenced()) {
 return;
 }
-header(CSRF::header());
 $commentPerms = $currentUserInfo->commentPerms();
 $commentId = (int)filter_input(INPUT_GET, 'c', FILTER_SANITIZE_NUMBER_INT);
diff --git a/public/forum/topic.php b/public/forum/topic.php
index 88b4322..962d636 100644
--- a/public/forum/topic.php
+++ b/public/forum/topic.php
@@ -81,8 +81,6 @@ if(in_array($moderationMode, $validModerationModes, true)) {
 return;
 }
- header(CSRF::header());
-
 if(!UserSession::hasCurrent()) {
 echo render_info('You must be logged in to manage posts.', 401);
 return;
diff --git a/src/CSRF.php b/src/CSRF.php
index beb15de..95b2706 100644
--- a/src/CSRF.php
+++ b/src/CSRF.php
@@ -42,20 +42,12 @@ final class CSRF {
 }
 // Should be replaced by filters eventually <
- public static function header(...$args): string {
- return 'X-Misuzu-CSRF: ' . self::token(...$args);
- }
 public static function validateRequest($identity = null, ?string $secretKey = null): bool {
- if(isset($_SERVER['HTTP_X_MISUZU_CSRF'])) {
- $token = $_SERVER['HTTP_X_MISUZU_CSRF'];
- } elseif(isset($_REQUEST['_csrf']) && is_string($_REQUEST['_csrf'])) { // Change this to $_POST later, it should never appear in urls
- $token = $_REQUEST['_csrf'];
- } elseif(isset($_REQUEST['csrf']) && is_string($_REQUEST['csrf'])) {
- $token = $_REQUEST['csrf'];
- } else {
+ $token = filter_input(INPUT_POST, '_csrf');
+ if(empty($token))
+ $token = filter_input(INPUT_GET, 'csrf');
+ if(empty($token))
 return false;
- }
-
 return self::validate($token, $identity, $secretKey);
 }
 // >
diff --git a/src/url.php b/src/url.php
index 16ecf9e..e09e0fc 100644
--- a/src/url.php
+++ b/src/url.php
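Review bot: The new validateRequest() body in src/CSRF.php still accepts the token from the query string via `filter_input(INPUT_GET, 'csrf')`, which the inline comment this commit removes said should never happen: tokens carried in URLs end up in access logs, browser history and Referer headers. If the GET fallback has to stay for links built with the `{csrf}` placeholder in src/url.php, a comment above it stating that dependency would stop the next reader from deleting it, and the checks could be tightened to `$token = filter_input(INPUT_POST, '_csrf') ?? filter_input(INPUT_GET, 'csrf');` / `if(!is_string($token) || $token === '')` / `return false;` so that `empty()` no longer treats a literal "0" as absent and a non-string value (filter_input returns false for an array-valued parameter) is rejected explicitly instead of being handed to validate(). The X-Misuzu-CSRF request-header path is gone as well; if any client-side code still submits the token that way, those requests now fail validation silently, which is worth confirming outside this diff. The deletions in public/comments.php and public/forum/topic.php are just the callers of the removed CSRF::header().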
@@ -128,21 +128,18 @@ define('MSZ_URLS', [
 ]);
 function url(string $name, array $variables = []): string {
- if(!array_key_exists($name, MSZ_URLS)) {
+ if(!array_key_exists($name, MSZ_URLS))
 return '';
- }
 $info = MSZ_URLS[$name];
- if(!isset($info[0]) || !is_string($info[0])) {
+ if(!isset($info[0]) || !is_string($info[0]))
 return '';
- }
 $splitUrl = explode('/', $info[0]);
- for($i = 0; $i < count($splitUrl); $i++) {
+ for($i = 0; $i < count($splitUrl); $i++)
 $splitUrl[$i] = url_variable($splitUrl[$i], $variables);
- }
 $url = implode('/', $splitUrl);
@@ -161,9 +158,8 @@ function url(string $name, array $variables = []): string {
 $url = trim($url, '?&');
 }
- if(!empty($info[2]) && is_string($info[2])) {
+ if(!empty($info[2]) && is_string($info[2]))
 $url .= rtrim(sprintf('#%s', url_variable($info[2], $variables)), '#');
- }
 return $url;
 }
@@ -181,7 +177,7 @@ function url_variable(string $value, array $variables): string {
 return $variables[trim($value, '<>')] ?? '';
 if(str_starts_with($value, '[') && str_ends_with($value, ']'))
- return constant(trim($value, '[]'));
+ return '';
 if(str_starts_with($value, '{') && str_ends_with($value, '}'))
 return \Misuzu\CSRF::token();
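Review bot: The for loop in url() keeps re-evaluating count($splitUrl) on every iteration and now runs without braces; `foreach($splitUrl as $i => $segment)` / `$splitUrl[$i] = url_variable($segment, $variables);` does the same work with neither issue. The brace removal here and in the second hunk (the fragment append) is a style choice, but single-statement bodies without braces are where a later inserted line silently lands outside the conditional, so it is worth settling once with a formatter rule rather than hunk by hunk.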
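Review bot: After this change the `[...]` branch in url_variable() recognises the bracket syntax only to return an empty string, so any MSZ_URLS entry that still uses a `[CONSTANT]` segment now silently produces a URL with an empty segment instead of failing visibly. If the intent is to retire constant() lookups (reasonable, since constant() resolves whatever global or class constant the string names), a comment such as `// [CONSTANT] placeholders are no longer expanded; left empty rather than resolved through constant()` above the return would make that explicit, and it would be worth checking MSZ_URLS for remaining bracket segments. The rest of url_variable() continues outside the hunk, so I cannot see whether an unrecognised value falls through to anything more useful than ''.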