diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php b/src/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php
index a4e4dca49..e5fc4b8c2 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php
@@ -171,6 +171,7 @@ class ApiControllerBase extends ControllerRoot
             // handle UI ajax requests
             // use session data and ACL to validate request.
             if (!$this->doAuth()) {
+                $this->response->setStatusCode(401, "Unauthorized");
                 return false;
             }
 
@@ -185,6 +186,7 @@ class ApiControllerBase extends ControllerRoot
             ) {
                 // missing csrf, exit.
                 $this->getLogger()->error("no matching csrf found for request");
+                $this->response->setStatusCode(403, "Forbidden");
                 return false;
             }
         }
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php b/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
index 83dd02571..5ed13b256 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
@@ -179,6 +179,7 @@ class ControllerBase extends ControllerRoot
         // check for valid csrf on post requests
         if ($this->request->isPost() && !$this->security->checkToken()) {
             // post without csrf, exit.
+            $this->response->setStatusCode(403, "Forbidden");
             return false;
         }
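Review bot: The added `setStatusCode(401, "Unauthorized")` fires for every `doAuth()` failure, and the comment two lines above states that `doAuth()` validates both the session and the ACL, so an authenticated user who merely lacks the required privilege is also answered with 401 instead of 403. Clients and the UI's ajax error handling commonly read 401 as "session gone, log in again" and 403 as "no permission", so collapsing both into 401 makes the two cases indistinguishable on the wire and can trigger spurious re-login flows. If `doAuth()` cannot report which check failed, at least document the ambiguity at the call site: `// NOTE: doAuth() covers both session and ACL checks; a 401 here may also mean an ACL denial`. The enclosing method starts and ends outside this hunk.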
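Review bot: The CSRF failure that now returns 403 is logged by the `$this->getLogger()->error("no matching csrf found for request")` line with no request context, so an operator reviewing the log cannot tell which endpoint or which client produced the event. Since this branch is exactly what a cross-site request or a stale-tab replay would hit, adding the request target and source address would make it usable for detection, e.g. `$this->getLogger()->error("no matching csrf found for request " . $this->request->getURI() . " from " . $this->request->getClientAddress());`, assuming the request object exposes those accessors in this framework; note that the URI is attacker-controlled, so keep the log consumer aware of possible log-injection characters. The generic `Forbidden` sent to the caller is appropriate and should stay uninformative. The `if (` opening this condition and the enclosing method lie outside the hunk.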