diff --git a/Options.ini b/Options.ini
index 3483e31..518582d 100644
--- a/Options.ini
+++ b/Options.ini
@@ -1,13 +1,13 @@
 [DEFAULT]
-host = 'http://0.0.0.0:5000'
+host = http://0.0.0.0:5000
 max_desks = 8
 
 [SETTINGS]
 lockqrcode_whit_secret = True
 user = Admin
-path_json_settings = '/Server/json/availiable-products.json'
+path_json_settings = ./Server/json/availiable-products.json
 
 [OTHER]
 log_diagnose = True
-first_startup = False
+first_startup = True
 
diff --git a/README.md b/README.md
index 5371008..19ae1d2 100644
--- a/README.md
+++ b/README.md
@@ -21,7 +21,7 @@ Default has to be changed to your needs:
 
 host -> is where the QR code points to whit secret if enabled.
 max_desks -> How many desk it shoud create.
-Execute in Terminal the "pip install -r required.txt" to download depending and "python app.py" to run the Flask server and whit it the webserver.
+Execute in Terminal "python3 -m venv .venv", for the virtual enviroment activate it whit "source .venv/bin/acitvate" (Linux) " or ".venv/Scripts/activate.bat" (Windows) and then "pip install -r required.txt" to download depending and "python app.py" to run the Flask server and whit it the webserver.
 
 ## 
 
diff --git a/Server/DB/querys.py b/Server/DB/querys.py
index e60f879..a42532f 100644
--- a/Server/DB/querys.py
+++ b/Server/DB/querys.py
@@ -2,9 +2,15 @@
 from loguru import logger
 import json
 import bcrypt
+import configparser
 
 from Server.DB.handler import QR, Product, Order, session, User
 
+config = configparser.ConfigParser()
+config.sections()
+config.read('Options.ini')
+
+
 class compare:
     def is_user_pass_valid(username, password):
         session_username = session.query(User).filter(User.username == username).one()
@@ -102,19 +108,20 @@ class get:
         return False
  '''
     def valid_products(get_json_=False):
-            with open(config['SETTINGS']['path_json_settings'], 'r') as file: 
-                #Parse Json Product List
-                products = json.load(file)
-            if get_json_: 
-                return products
-            else:
-                valide_products = []
-                for category in products.get('products'):
-                    for product in products.get('products').get(category):
-                        print(product)
-                        if int(product['quantity']) >= 0:
-                            valide_products.append(product['name'])
-                return valide_products
+        global config
+        with open(config['SETTINGS']['path_json_settings'], 'r') as file: 
+            #Parse Json Product List
+            products = json.load(file)
+        if get_json_: 
+            return products
+        else:
+            valide_products = []
+            for category in products.get('products'):
+                for product in products.get('products').get(category):
+                    print(product)
+                    if int(product['quantity']) >= 0:
+                        valide_products.append(product['name'])
+            return valide_products
 
     def all_orders():
         # All unfinished orders (finished is False or string "False")
diff --git a/Server/Host/flaskApp.py b/Server/Host/flaskApp.py
index dc924b0..0b22e59 100644
--- a/Server/Host/flaskApp.py
+++ b/Server/Host/flaskApp.py
@@ -37,7 +37,7 @@ login_manager.init_app(app)
 
 if config['OTHER']['first_startup'] == 'True':
     print("Please enter a Secure Admin Password:")
-    add._create_user('Admin',input())
+    add._create_user(config['SETTINGS']['user'],input())
     config.set('OTHER', 'first_startup', 'False')
     with open('Options.ini', 'w') as configfile:
         config.write(configfile)
@@ -112,9 +112,9 @@ def orders(): #TODO on new orderGet refresh orders list
 @app.route("/order_get", methods=['GET','POST'])
 def order_get():
     desk= 1
-
+    global config
     #POST order
-    if request.method == 'POST' and config['SETTINGS']['lockqrcode_whit_secret'] == True:
+    if request.method == 'POST' and config['SETTINGS']['lockqrcode_whit_secret'] == 'True':
         ordered_list = []
         desk = request.form['desk']
         form = request.form
@@ -133,18 +133,17 @@ def order_get():
     elif request.method == 'GET':
         desk = int(request.args['desk'])
         secret = int(request.args['secret'])
-        try:#TODO FIX! #Feature = True #TODO:Encryption Salting hasing and anti rainbow attack for qr code?? (needed?) 
-            if config['SETTINGS']['lockqrcode_whit_secret'] and compare.is_QRSecret_valid(desk,secret):
-                return render_template('index.html', desk=desk, MAX_DESKS=config['DEFAULT']['max_desks'], orderableItems = get.valid_products(get_json_=True))
-            elif config['SETTINGS']['lockqrcode_whit_secret'] == False:
-                return render_template('index.html', desk=desk, MAX_DESKS=config['DEFAULT']['max_desks'],orderableItems = get.valid_products(get_json_=True))
-            return '<h1>404 wrong Secret?</h1>' #TODO Make the HTML prettier for all 
-        except:
-            return '<h1>Server/code issue?</h1>'
-    elif config['SETTINGS']['lockqrcode_whit_secret'] == True:
+        if config['SETTINGS']['lockqrcode_whit_secret'] == 'True' and compare.is_QRSecret_valid(desk,secret):
+            return render_template('index.html', desk=desk, MAX_DESKS=int(config['DEFAULT']['max_desks']), orderableItems = get.valid_products(get_json_=True))
+        elif config['SETTINGS']['lockqrcode_whit_secret'] == 'False':
+            return render_template('index.html', desk=desk, MAX_DESKS=int(config['DEFAULT']['max_desks']),orderableItems = get.valid_products(get_json_=True))
+        else:
+            return '<h1>Somethign went wrong try again.</h1>' #TODO Make the HTML prettier for all 
+        return '<h1>404 wrong Secret?</h1>' #TODO Make the HTML prettier for all 
+    elif config['SETTINGS']['lockqrcode_whit_secret'] == 'True':
         return '<h1>your LOCKQRCODE is invalid.</h1>'
     else:
-        return render_template('index.html',desk=desk, MAX_DESKS=config['DEFAULT']['max_desks'],orderableItems = get.valid_products(get_json_=True))
+        return render_template('index.html',desk=desk, MAX_DESKS=int(config['DEFAULT']['max_desks']),orderableItems = get.valid_products(get_json_=True))
 
 app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///db.db'
 app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
diff --git a/Server/Host/templates/index.html b/Server/Host/templates/index.html
index c8bffe7..2fbb5e8 100644
--- a/Server/Host/templates/index.html
+++ b/Server/Host/templates/index.html
@@ -7,7 +7,8 @@
     <title>Document</title>
 </head>
 <body>
-    <form name="order" onsubmit="return validateForm()" action="{{ url_for('order_get') }}"  method="POST" class="flex-container">
+    <form name="order" onsubmit="return validateForm()" action="{{ url_for('order_get') }}" method="POST" class="flex-container">
+        <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
         <li class="box desk-nr">Tisch Nummer
             <div>
             <select name="desk" class="desk-select">
diff --git a/Server/Host/templates/orders.html b/Server/Host/templates/orders.html
index 78f6921..8fbc6aa 100644
--- a/Server/Host/templates/orders.html
+++ b/Server/Host/templates/orders.html
@@ -46,10 +46,7 @@
                 </ul>
             </td>
             <td>
-                <button 
-                    class="finish-btn" 
-                    onclick="markFinished({{ order[2] }})"
-                    id="btn-{{ order[2] }}">
+                <button class="finish-btn" onclick="markFinished({{ order[2] }})" id="btn-{{ order[2] }}">
                     Finished
                 </button>
             </td>
@@ -59,15 +56,17 @@
         <tr><td colspan="3">No open orders.</td></tr>
         {% endfor %}
     </table>
-
     <script>
+        var csrfToken = "{{ csrf_token() }}";
         // Track active timers for each order
         window.activeTimers = {};
 
         function markFinished(orderId) {
+            
             fetch('/orders', {
                 method: 'POST',
-                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+                headers: { 'Content-Type': 'application/x-www-form-urlencoded', 
+                        'X-CSRFToken': csrfToken },
                 body: `order_id=${orderId}&action=finish`
             })
             .then(response => response.json())
@@ -106,7 +105,8 @@
 
             fetch('/orders', {
                 method: 'POST',
-                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+                headers: { 'Content-Type': 'application/x-www-form-urlencoded' ,
+                    'X-CSRFToken': csrfToken },
                 body: `order_id=${orderId}&action=undo`
             })
             .then(response => response.json())
diff --git a/app.py b/app.py
index ba08ce1..0e0feda 100644
--- a/app.py
+++ b/app.py
@@ -20,7 +20,7 @@ you want async logging.
 def run(): #TODO: sys.stderr back to a file log??
     logger.add(sys.stderr, format="{time} {level} {message}", filter="startup", level="INFO")
     logger.add(sys.stderr, backtrace=True, diagnose=config['OTHER']['log_diagnose'])
-    app.run(debug=True)
+    app.run(debug=False)
 
 if __name__ == "__main__":
     #First startup is handled in DB/handler