diff --git a/handler/auth.go b/handler/auth.go
index d92aa21..8a8577b 100644
--- a/handler/auth.go
+++ b/handler/auth.go
@@ -45,8 +45,8 @@ func (handler AuthImpl) Handle(router *http.ServeMux) {
 	router.Handle("/auth/delete-account", handler.handleDeleteAccountPage())
 	router.Handle("/api/auth/delete-account", handler.handleDeleteAccountComp())
 
-	router.Handle("/auth/change-password", handler.handleChangePasswordPage())
-	router.Handle("/api/auth/change-password", handler.handleChangePasswordComp())
+	router.Handle("GET /auth/change-password", handler.handleChangePasswordPage())
+	router.Handle("POST /api/auth/change-password", handler.handleChangePasswordComp())
 
 	router.Handle("/auth/forgot-password", handler.handleForgotPasswordPage())
 	router.Handle("/api/auth/forgot-password", handler.handleForgotPasswordComp())
@@ -307,7 +307,7 @@ func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
 		session := middleware.GetSession(r)
 		user := middleware.GetUser(r)
 		if session == nil || user == nil {
-			utils.DoRedirect(w, r, "/auth/signin")
+			utils.TriggerToast(w, r, "error", "Unathorized", http.StatusUnauthorized)
 			return
 		}
 
@@ -316,7 +316,7 @@ func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
 
 		err := handler.service.ChangePassword(user, session.Id, currPass, newPass)
 		if err != nil {
-			utils.TriggerToast(w, r, "error", "Password not correct", http.StatusUnauthorized)
+			utils.TriggerToast(w, r, "error", "Password not correct", http.StatusBadRequest)
 			return
 		}
 
diff --git a/main_test.go b/main_test.go
index 325da6b..bcef8a7 100644
--- a/main_test.go
+++ b/main_test.go
@@ -933,7 +933,187 @@ func TestIntegrationAuth(t *testing.T) {
 			assert.Equal(t, 0, rows)
 		})
 	})
+
 	t.Run("ChangePassword", func(t *testing.T) {
+		t.Run(`should redirect to "/" if not signed in`, func(t *testing.T) {
+			t.Parallel()
+
+			_, basePath, ctx := setupIntegrationTest(t)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/change-password", nil)
+			assert.Nil(t, err)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+
+			assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
+			assert.Equal(t, "/auth/signin", resp.Header.Get("Location"))
+		})
+		t.Run(`should throw unautohorized if not signed in`, func(t *testing.T) {
+			t.Parallel()
+
+			_, basePath, ctx := setupIntegrationTest(t)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signin", nil)
+			assert.Nil(t, err)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+			html, err := html.Parse(resp.Body)
+			assert.Nil(t, err)
+			anonymousCsrfToken := findCsrfToken(html)
+			assert.NotEqual(t, "", anonymousCsrfToken)
+			anonymousSessionId := findCookie(resp, "id").Value
+			assert.NotEqual(t, "", anonymousSessionId)
+
+			formData := url.Values{
+				"current-password": {"password"},
+				"new-password":     {"MyNewSecurePassword1!"},
+				"csrf-token":       {anonymousCsrfToken},
+			}
+			req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/change-password", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("Cookie", "id="+anonymousSessionId)
+			req.Header.Set("HX-Request", "true")
+			resp, err = httpClient.Do(req)
+			assert.Nil(t, err)
+
+			assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
+		})
+		t.Run(`should fail if csrf token is invalid`, func(t *testing.T) {
+			t.Parallel()
+
+			db, basePath, ctx := setupIntegrationTest(t)
+			userId := uuid.New()
+
+			pass := service.GetHashPassword("password", []byte("salt"))
+			_, err := db.Exec(`
+			INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) 
+			VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
+
+			sessionId := "session-id"
+			assert.Nil(t, err)
+			_, err = db.Exec(`
+			INSERT INTO session (session_id, user_id, created_at, expires_at)
+			VALUES (?, ?, datetime(), datetime("now", "+1 day"))`, sessionId, userId)
+			assert.Nil(t, err)
+
+			formData := url.Values{
+				"current-password": {"password"},
+				"new-password":     {"MyNewSecurePassword1!"},
+				"csrf-token":       {"invalid-csrf-token"},
+			}
+
+			req, err := http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/change-password", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("Cookie", "id="+sessionId)
+			req.Header.Set("HX-Request", "true")
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+
+			assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+
+			var rows int
+			err = db.QueryRow("SELECT COUNT(*) FROM user WHERE user_id = ? AND password = ?", userId, pass).Scan(&rows)
+			assert.Nil(t, err)
+			assert.Equal(t, 1, rows)
+		})
+		t.Run("should fail if current password does not match", func(t *testing.T) {
+			t.Parallel()
+
+			db, basePath, ctx := setupIntegrationTest(t)
+			userId := uuid.New()
+			pass := service.GetHashPassword("password", []byte("salt"))
+
+			_, err := db.Exec(`
+				INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) 
+				VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
+
+			sessionId := "session-id"
+			assert.Nil(t, err)
+			_, err = db.Exec(`
+				INSERT INTO session (session_id, user_id, created_at, expires_at)
+				VALUES (?, ?, datetime(), datetime("now", "+1 day"))`, sessionId, userId)
+			assert.Nil(t, err)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/change-password", nil)
+			assert.Nil(t, err)
+			req.Header.Set("Cookie", "id="+sessionId)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+			html, err := html.Parse(resp.Body)
+			assert.Nil(t, err)
+			csrfToken := findCsrfToken(html)
+			assert.NotEqual(t, "", csrfToken)
+
+			formData := url.Values{
+				"current-password": {"wrong-password"},
+				"new-password":     {"MyNewSecurePassword1!"},
+				"csrf-token":       {csrfToken},
+			}
+			req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/change-password", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("Cookie", "id="+sessionId)
+			req.Header.Set("HX-Request", "true")
+			resp, err = httpClient.Do(req)
+			assert.Nil(t, err)
+
+			assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+
+			var rows int
+			err = db.QueryRow("SELECT COUNT(*) FROM user WHERE user_id = ? AND password = ?", userId, pass).Scan(&rows)
+			assert.Nil(t, err)
+			assert.Equal(t, 1, rows)
+		})
+		t.Run("should fail if new password is insecure", func(t *testing.T) {
+			t.Parallel()
+
+			db, basePath, ctx := setupIntegrationTest(t)
+			userId := uuid.New()
+			pass := service.GetHashPassword("password", []byte("salt"))
+
+			_, err := db.Exec(`
+				INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) 
+				VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
+
+			sessionId := "session-id"
+			assert.Nil(t, err)
+			_, err = db.Exec(`
+				INSERT INTO session (session_id, user_id, created_at, expires_at)
+				VALUES (?, ?, datetime(), datetime("now", "+1 day"))`, sessionId, userId)
+			assert.Nil(t, err)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/change-password", nil)
+			assert.Nil(t, err)
+			req.Header.Set("Cookie", "id="+sessionId)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+			html, err := html.Parse(resp.Body)
+			assert.Nil(t, err)
+			csrfToken := findCsrfToken(html)
+			assert.NotEqual(t, "", csrfToken)
+
+			formData := url.Values{
+				"current-password": {"password"},
+				"new-password":     {"insecure-password"},
+				"csrf-token":       {csrfToken},
+			}
+			req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/change-password", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("Cookie", "id="+sessionId)
+			req.Header.Set("HX-Request", "true")
+			resp, err = httpClient.Do(req)
+			assert.Nil(t, err)
+
+			assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+
+			var rows int
+			err = db.QueryRow("SELECT COUNT(*) FROM user WHERE user_id = ? AND password = ?", userId, pass).Scan(&rows)
+			assert.Nil(t, err)
+			assert.Equal(t, 1, rows)
+		})
 		t.Run("should change password and invalidate all other user sessions", func(t *testing.T) {
 			t.Parallel()
 
@@ -989,6 +1169,12 @@ func TestIntegrationAuth(t *testing.T) {
 
 			assert.Equal(t, http.StatusOK, resp.StatusCode)
 
+			pass = service.GetHashPassword("MyNewSecurePassword1!", []byte("salt"))
+			var rows int
+			err = db.QueryRow("SELECT COUNT(*) FROM user WHERE user_id = ? AND password = ?", userId, pass).Scan(&rows)
+			assert.Nil(t, err)
+			assert.Equal(t, 1, rows)
+
 			var sessionIds []string
 			sessions, err := db.Query(`SELECT session_id FROM session WHERE NOT user_id = ? ORDER BY session_id`, uuid.Nil)
 			assert.Nil(t, err)