diff --git a/bugsink/settings/default.py b/bugsink/settings/default.py
index 478de23..95a3b95 100644
--- a/bugsink/settings/default.py
+++ b/bugsink/settings/default.py
@@ -81,7 +81,7 @@ MIDDLEWARE = [
 'whitenoise.middleware.WhiteNoiseMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
- 'django.middleware.csrf.CsrfViewMiddleware',
+ 'verbose_csrf_middleware.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'bugsink.middleware.LoginRequiredMiddleware',
diff --git a/requirements.txt b/requirements.txt
index 5cfa027..d4b26c1 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -14,3 +14,4 @@ requests # for sentry-sdk-extensions, which is loaded in non-dev setup too
 monofy
 user_agents
 fastjsonschema
+verbose_csrf_middleware
diff --git a/templates/403_csrf.html b/templates/403_csrf.html
new file mode 100644
index 0000000..40d63a9
--- /dev/null
+++ b/templates/403_csrf.html
@@ -0,0 +1,19 @@
+{% extends "base.html" %}
+{% comment %}
+Note on security: the basic principle is "the more you expose, the more an attacker knows."
+In this case, I think it should be fine, because all we expose here is stuff about mismatched hosts, and:
+
+1. this will only happen while your site isn't properly configured yet
+2. bugsink recommends a setup with a single host, so this info is literally knowable by looking at the URL bar
+
+{% endcomment %}
+
+{% block title %}403 Forbidden{% endblock %}
+
+{% block content %}
+
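Review bot: Swapping `'django.middleware.csrf.CsrfViewMiddleware'` for `'verbose_csrf_middleware.CsrfViewMiddleware'` in MIDDLEWARE puts third-party code in charge of the CSRF check for every view, and the companion requirements.txt hunk adds the package without a version pin, which matches the file's other entries but is a poor fit for a security-critical dependency — pin it (and ideally its hash) so an upstream release cannot silently change what the check does. Presumably the replacement subclasses Django's middleware and differs only in the rejection reason it reports; confirm that against the package source before merging, since any divergence in the validation itself weakens CSRF protection site-wide with no visible symptom. If that holds, a comment on the new line would spare the next reader the same audit: `# drop-in for django.middleware.csrf.CsrfViewMiddleware; only the rejection reason (shown by templates/403_csrf.html) is more detailed`. The MIDDLEWARE list itself starts before and ends after this hunk, so the ordering relative to the remaining entries could not be checked.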
+

CSRF verification failed, request aborted

+ +
{{ reason }}
+
+{% endblock %}
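Review bot: `{{ reason }}` echoes the middleware's rejection reason, and Django's own reason strings embed request-supplied values (the Origin or Referer header that failed the check), so this output is safe only because template autoescaping is on; the template must never wrap it in `{% autoescape off %}` or apply `|safe` to that variable. The security comment's justification is narrower than the behaviour: a genuine cross-site request against a correctly configured site also lands on this page, not just a misconfigured one, though in that case the browser's same-origin policy keeps the response from the originating page. Worth adding to the existing comment block: `Never mark "reason" safe: it can contain header values copied from the request.` The markup lines between the content block tag and `{% endblock %}` appear to have lost their HTML tags in this rendering, so the element structure around `{{ reason }}` could not be checked.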