diff --git a/app/app/api/views/alias.py b/app/app/api/views/alias.py
index 9e593f3..9385980 100644
--- a/app/app/api/views/alias.py
+++ b/app/app/api/views/alias.py
@@ -31,6 +31,7 @@ from app.models import Alias, Contact, Mailbox, AliasMailbox
 @deprecated
 @api_bp.route("/aliases", methods=["GET", "POST"])
 @require_api_auth
+@limiter.limit("10/minute", key_func=lambda: g.user.id)
 def get_aliases():
     """
     Get aliases
@@ -72,10 +73,8 @@ def get_aliases():
 
 
 @api_bp.route("/v2/aliases", methods=["GET", "POST"])
-@limiter.limit(
-    "5/minute",
-)
 @require_api_auth
+@limiter.limit("10/minute", key_func=lambda: g.user.id)
 def get_aliases_v2():
     """
     Get aliases
diff --git a/app/app/dashboard/views/custom_alias.py b/app/app/dashboard/views/custom_alias.py
index ac73a35..b8f1e39 100644
--- a/app/app/dashboard/views/custom_alias.py
+++ b/app/app/dashboard/views/custom_alias.py
@@ -24,6 +24,7 @@ from app.models import (
     AliasMailbox,
     DomainDeletedAlias,
 )
+from app.utils import CSRFValidationForm
 
 
 @dashboard_bp.route("/custom_alias", methods=["GET", "POST"])
@@ -48,9 +49,13 @@ def custom_alias():
             at_least_a_premium_domain = True
             break
 
+    csrf_form = CSRFValidationForm()
     mailboxes = current_user.mailboxes()
 
     if request.method == "POST":
+        if not csrf_form.validate():
+            flash("Invalid request", "warning")
+            return redirect(request.url)
         alias_prefix = request.form.get("prefix").strip().lower().replace(" ", "")
         signed_alias_suffix = request.form.get("signed-alias-suffix")
         mailbox_ids = request.form.getlist("mailboxes")
@@ -164,4 +169,5 @@ def custom_alias():
         alias_suffixes=alias_suffixes,
         at_least_a_premium_domain=at_least_a_premium_domain,
         mailboxes=mailboxes,
+        csrf_form=csrf_form,
     )
diff --git a/app/app/dashboard/views/index.py b/app/app/dashboard/views/index.py
index 6a14533..829f170 100644
--- a/app/app/dashboard/views/index.py
+++ b/app/app/dashboard/views/index.py
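Review bot: The new `@limiter.limit("10/minute", key_func=lambda: g.user.id)` on get_aliases sits below `@require_api_auth`, and that ordering is load-bearing: decorators apply bottom-up, so the limiter wrapper runs inside the auth wrapper, which is presumably what populates `g.user`; swapping the two lines would make the lambda fail on every unauthenticated call. A one-line comment would protect it: `# keep below @require_api_auth: key_func reads g.user, which that decorator sets`. The hunk does not show this module's imports, so confirm `g` is imported from flask here — a missing import only surfaces as a NameError when the first request reaches the limiter, not at import time. The same two points apply to get_aliases_v2 in the next hunk.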
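Review bot: Moving the limit on /v2/aliases from above `@require_api_auth` to below it changes what is throttled, not just the rate: the removed `5/minute` ran before authentication and so bounded unauthenticated and failed-credential requests per client, whereas the new per-user limit only counts requests that have already passed auth. Unless a global default limit covers this blueprint (not visible in the diff), repeated failed-authentication attempts against this endpoint are no longer rate-limited by any decorator shown here. If that is intended, record it in a comment on the decorator; otherwise keep a client-keyed limit above `@require_api_auth` alongside the per-user one, for example `@limiter.limit("5/minute")` in its original position.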
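Review bot: The CSRF failure branch in custom_alias only flashes "Invalid request" and redirects, so a forged or stale-token POST to a state-changing dashboard form leaves no trace; logging the rejection (current user id and request path) through the module's logger before the `return redirect(request.url)` would make such attempts visible to operations without changing the user-facing behaviour. The check itself is well placed — it runs before any form field is read, and `csrf_form` is built on both GET and POST so the template can render the token. The enclosing function continues outside the hunk.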
@@ -57,10 +57,7 @@ def get_stats(user: User) -> Stats:
     methods=["POST"],
     exempt_when=lambda: request.form.get("form-name") != "create-random-email",
 )
-@limiter.limit(
-    "5/minute",
-    methods=["GET"],
-)
+@limiter.limit("10/minute", methods=["GET"], key_func=lambda: current_user.id)
 @login_required
 @parallel_limiter.lock(
     name="alias_creation",
diff --git a/app/templates/dashboard/custom_alias.html b/app/templates/dashboard/custom_alias.html
index 8858658..18ea445 100644
--- a/app/templates/dashboard/custom_alias.html
+++ b/app/templates/dashboard/custom_alias.html
@@ -93,6 +93,7 @@
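Review bot: The rewritten `@limiter.limit("10/minute", methods=["GET"], key_func=lambda: current_user.id)` is placed above `@login_required`, so its key_func is evaluated before the login check; for an anonymous GET, Flask-Login's default anonymous user has no `id` attribute and the lambda would raise an AttributeError (a 500) where the old, default-keyed limit presumably fell through to the login redirect. Whether that holds depends on the app's anonymous user class, which is not visible here. The alias.py hunks in this same commit put the per-user limiter below the auth decorator; moving this line under `@login_required` keeps the key safe and the two files consistent. The decorator stack continues outside the hunk (the view's `def` is not shown).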