diff --git a/main.go b/main.go
index 168b4c3..2a69256 100644
--- a/main.go
+++ b/main.go
@@ -83,6 +83,13 @@ func csrfSecret() string {
 	}
 	return string(bytes)
 }
+type CSRFErrorHandler struct {}
+
+func (self CSRFErrorHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+    fmt.Println("csrf Failure: ")
+    fmt.Println(csrf.FailureReason(r))
+    fmt.Println("-----") 
+}
 
 func main() {
 	fmt.Println("transmet ", VERSION)
@@ -95,10 +102,14 @@ func main() {
 	loadConfig(*envFlag)
 	dbConnect()
 	initTemplates()
+	//CSRF := csrf.Protect([]byte(csrfSecret()));
 	r := init_route_handlers()
-
+	errHandle := csrf.ErrorHandler( CSRFErrorHandler{} )
+	sec := csrf.Secure(false)
+	 
 	fmt.Println("Listening on", config.Port, "...")
-	err := http.ListenAndServe(":"+config.Port, csrf.Protect([]byte(csrfSecret()))(r))
+	
+	err := http.ListenAndServe(":"+config.Port, csrf.Protect([]byte("12345678901234567890123456789012"), errHandle, sec)(r))  //csrfSecret()))(r))
 	if err != nil {
 		fmt.Println("Fatal Error: ", err)
 	}
diff --git a/route_handlers.go b/route_handlers.go
index f6ee6ac..7e2e9be 100644
--- a/route_handlers.go
+++ b/route_handlers.go
@@ -76,6 +76,7 @@ func LoginFormHandler(w http.ResponseWriter, r *http.Request) {
 //  TODO: proper per account and client flood control rate limiting
 //    currently weak per call slow down is by-passable at scale
 func LoginPostHandler(w http.ResponseWriter, r *http.Request) {
+	fmt.Println("LoginPostHandler()")
 	time.Sleep(500 * time.Millisecond) // WEAK poor mans rate limiting for logins
 	r.ParseForm()
 	username := r.PostFormValue("username")
@@ -420,14 +421,24 @@ func ServeFileHandler(res http.ResponseWriter, req *http.Request) {
 }
 
 func init_route_handlers() *mux.Router {
+
+	// Mux + CSRF
 	r := mux.NewRouter()
 
-	r.Handle("/js/", http.StripPrefix("/js/", http.FileServer(http.Dir("js/"))))
-	r.Handle("/css/", http.StripPrefix("/css/", http.FileServer(http.Dir("css/"))))
-	r.Handle("/fonts/", http.StripPrefix("/fonts", http.FileServer(http.Dir("fonts/"))))
+
+	// Basic Handle - static files - no CSRF wrapper
+	r.PathPrefix("/js/").Handler(http.StripPrefix("/js/", http.FileServer(http.Dir("js/"))))
+	r.PathPrefix("/css/").Handler(http.StripPrefix("/css/", http.FileServer(http.Dir("css/"))))
+	r.PathPrefix("/fonts/").Handler(http.StripPrefix("/fonts", http.FileServer(http.Dir("fonts/"))))
 	r.HandleFunc("/favicon.ico", ServeFileHandler)
 
-	r.HandleFunc("/login", getPostHandler(LoginFormHandler, LoginPostHandler))
+	
+	rGet := r.Methods("GET").Subrouter()
+	rPost := r.Methods("POST").Subrouter()
+	
+	rGet.HandleFunc("/login", LoginFormHandler)
+	rPost.HandleFunc("/login", LoginPostHandler)
+	
 	r.HandleFunc("/logout", userHandler(LogoutHandler))
 
 	r.HandleFunc("/add", getPostHandler(userHandler(addFormHandler), userHandler(addPostHandler)))
@@ -444,7 +455,7 @@ func init_route_handlers() *mux.Router {
 	r.HandleFunc("/categories/add", userHandler(categoryAddHandler))
 	r.HandleFunc("/categories/delete", userHandler(categoryDeleteHandler))
 
-	http.Handle("/", r)
+	//http.Handle("/", r)
 
 	return r
 }