diff --git a/app/Resources/static/themes/material/css/cards.scss b/app/Resources/static/themes/material/css/cards.scss
index 830897b24..0330da5d9 100644
--- a/app/Resources/static/themes/material/css/cards.scss
+++ b/app/Resources/static/themes/material/css/cards.scss
@@ -177,6 +177,7 @@ a.original:not(.waves-effect) {
 .card-entry-tags a,
 .card-entry-labels a,
 .card-tag-labels a,
+.card-tag-labels button,
 .card-entry-labels-hidden a,
 #list .chip a {
 text-decoration: none;
diff --git a/src/Wallabag/CoreBundle/Controller/TagController.php b/src/Wallabag/CoreBundle/Controller/TagController.php
index 31b059546..9b7a189bf 100644
--- a/src/Wallabag/CoreBundle/Controller/TagController.php
+++ b/src/Wallabag/CoreBundle/Controller/TagController.php
@@ -272,13 +272,17 @@ class TagController extends AbstractController
 /**
 * Delete a given tag for the current user.
 *
- * @Route("/tag/delete/{slug}", name="tag_delete")
+ * @Route("/tag/delete/{slug}", name="tag_delete", methods={"POST"})
 * @ParamConverter("tag", options={"mapping": {"slug": "slug"}})
 *
 * @return Response
 */
 public function removeTagAction(Tag $tag, Request $request, EntryRepository $entryRepository)
 {
+ if (!$this->isCsrfTokenValid('tag-delete', $request->request->get('token'))) {
+ throw new BadRequestHttpException('Bad CSRF token.');
+ }
+
 foreach ($tag->getEntriesByUserId($this->getUser()->getId()) as $entry) {
 $entryRepository->removeTag($this->getUser()->getId(), $tag);
 }
diff --git a/src/Wallabag/CoreBundle/Resources/views/Tag/tags.html.twig b/src/Wallabag/CoreBundle/Resources/views/Tag/tags.html.twig
index bff22436e..361947762 100644
--- a/src/Wallabag/CoreBundle/Resources/views/Tag/tags.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/Tag/tags.html.twig
@@ -28,9 +28,13 @@ mode_edit {% endif %} - - delete - +
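Review bot: The added `throw new BadRequestHttpException('Bad CSRF token.');` in `removeTagAction` uses a class that this diff never imports: TagController.php has only this one hunk, so unless `use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;` is already at the top of the file, a bad token would end in a class-not-found error (500) instead of the intended 400. Please confirm the import exists. Also, `$request->request->get('token')` goes straight into `isCsrfTokenValid()`; depending on the Symfony version an array-valued `token[]` field may surface as a type error rather than a clean rejection, so I would fetch it as a string first, e.g. `$token = $request->request->get('token'); if (!\is_string($token) || !$this->isCsrfTokenValid('tag-delete', $token)) {`. The method body continues past the end of the hunk.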
{% if app.user.config.feedToken %} rss_feed {% endif %}
diff --git a/tests/Wallabag/CoreBundle/Controller/TagControllerTest.php b/tests/Wallabag/CoreBundle/Controller/TagControllerTest.php
index 0f28c2a1a..a49656c94 100644
--- a/tests/Wallabag/CoreBundle/Controller/TagControllerTest.php
+++ b/tests/Wallabag/CoreBundle/Controller/TagControllerTest.php
@@ -168,8 +168,8 @@ class TagControllerTest extends WallabagCoreTestCase
 $this->getEntityManager()->clear();
 $crawler = $client->request('GET', '/tag/list');
- $link = $crawler->filter('a[id="delete-' . $tag->getSlug() . '"]')->link();
- $client->click($link);
+ $form = $crawler->filter('#tag-' . $tag->getId())->selectButton('delete')->form();
+ $client->submit($form);
 $tag = $client->getContainer()
 ->get(EntityManagerInterface::class)
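Review bot: The updated test only submits the rendered form, so it covers the happy path and nothing verifies that the new CSRF protection rejects anything. I would add two negative cases next to it: a POST to `/tag/delete/{slug}` with a missing or wrong `token` should return 400 and leave the tag attached to its entries, and a GET to the same path should no longer be routed (405) now that the route is limited to `methods={"POST"}`. Without them, a later template or route change could quietly bring back state-changing deletes over GET. The enclosing test method starts and ends outside the hunk.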