diff --git a/lib/LDV/Comments.pm b/lib/LDV/Comments.pm
index 825a2ea..7ad3881 100644
--- a/lib/LDV/Comments.pm
+++ b/lib/LDV/Comments.pm
@@ -32,10 +32,18 @@ sub add {
 my ($self) = @_;
 eval {
+ my $sectoken = $self->session('c_sectoken')
+ or die("missing security token\n");
+ my ($ip, $upto) = ($sectoken =~ m{^[0-9a-f\.:]+-\d+$}io)
+ or die("malformed security token\n");
+ ($upto > time())
+ or die("expired security token\n");
+ ($ip eq $self->tx->remote_address)
+ or die("remote address mismatch\n");
 my $text = $self->req->param('text') or die("empty comment\n");
 my $pageid = $self->_gen_pageid()
- or die("can't get id\n");
+ or die("can't get pageid\n");
 my %opts = (binmode => ':bytes');
 my $comments = [];