diff --git a/lib/history.js b/lib/history.js
index e0c16da5e..9c9d35c01 100644
--- a/lib/history.js
+++ b/lib/history.js
@@ -174,26 +174,31 @@ function historyPost (req, res) {
 }
 
 function historyDelete (req, res) {
- if (req.isAuthenticated()) {
- const noteId = req.params.noteId
- if (!noteId) {
- setHistory(req.user.id, [], function (err, count) {
+ if (!req.isAuthenticated()) {
+ return errors.errorForbidden(res)
+ }
+
+ const token = req.query.token
+ if (!token || token !== req.user.deleteToken) {
+ return errors.errorForbidden(res)
+ }
+
+ const noteId = req.params.noteId
+ if (!noteId) {
+ setHistory(req.user.id, [], function (err, count) {
+ if (err) return errors.errorInternalError(res)
+ res.end()
+ })
+ } else {
+ getHistory(req.user.id, function (err, history) {
+ if (err) return errors.errorInternalError(res)
+ if (!history) return errors.errorNotFound(res)
+ delete history[noteId]
+ setHistory(req.user.id, history, function (err, count) {
 if (err) return errors.errorInternalError(res)
 res.end()
 })
- } else {
- getHistory(req.user.id, function (err, history) {
- if (err) return errors.errorInternalError(res)
- if (!history) return errors.errorNotFound(res)
- delete history[noteId]
- setHistory(req.user.id, history, function (err, count) {
- if (err) return errors.errorInternalError(res)
- res.end()
- })
- })
- }
- } else {
- return errors.errorForbidden(res)
+ })
 }
 }
 
diff --git a/lib/web/statusRouter.js b/lib/web/statusRouter.js
index a807eee24..543284f0f 100644
--- a/lib/web/statusRouter.js
+++ b/lib/web/statusRouter.js
@@ -111,7 +111,8 @@ statusRouter.get('/config', function (req, res) {
 DROPBOX_APP_KEY: config.dropbox.appKey,
 allowedUploadMimeTypes: config.allowedUploadMimeTypes,
 linkifyHeaderStyle: config.linkifyHeaderStyle,
- cookiePolicy: config.cookiePolicy
+ cookiePolicy: config.cookiePolicy,
+ userToken: req.user ? req.user.deleteToken : ''
 }
 res.set({
 'Cache-Control': 'private', // only cache by client
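Review bot: The new guard in historyDelete reads the delete token from `req.query.token`, so the per-user secret travels in the request URL, where access logs, proxy logs, browser history and Referer headers commonly capture it; the client half of this commit in public/js/history.js builds that URL, so the same concern applies there. Reading it from a request header instead, e.g. `const token = req.get('X-Delete-Token')` with the jQuery call sending it in `headers`, keeps it out of URL-based logging. The comparison `token !== req.user.deleteToken` fails closed when deleteToken is unset (a string is never equal to undefined), which seems right, though users created before the field existed would then be unable to clear their history — worth confirming against the user model. A short comment above the check, such as `// per-user token issued via /config; rejects DELETE requests that only carry the session cookie`, would record the intent, which is otherwise only inferable.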
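Review bot: `userToken: req.user ? req.user.deleteToken : ''` puts a per-user secret into the `/config` payload without a comment saying why a write-guard token belongs in a config response; the route handler starts outside the hunk. A one-line comment such as `// per-user secret consumed by deleteServerHistory; keep this response Cache-Control: private` would tie it to the `Cache-Control: private` header set a few lines below, which is what keeps the token out of shared caches. If deleteToken can be undefined for a logged-in user the value is `undefined` rather than the `''` the other branch yields; `userToken: (req.user && req.user.deleteToken) || ''` makes the two cases uniform.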
diff --git a/public/js/history.js b/public/js/history.js
index 0dc3e5e5c..648f2415a 100644
--- a/public/js/history.js
+++ b/public/js/history.js
@@ -296,7 +296,7 @@ export function postHistoryToServer (noteId, data, callback) {
 
 export function deleteServerHistory (noteId, callback) {
 $.ajax({
- url: `${serverurl}/history${noteId ? '/' + noteId : ''}`,
+ url: `${serverurl}/history${noteId ? '/' + noteId : ''}?token=${window.userToken}`,
 type: 'DELETE'
 })
 .done(result => callback(null, result))
diff --git a/public/js/lib/common/constant.ejs b/public/js/lib/common/constant.ejs
index 2a32c3333..8a776829b 100644
--- a/public/js/lib/common/constant.ejs
+++ b/public/js/lib/common/constant.ejs
@@ -10,3 +10,4 @@
 window.linkifyHeaderStyle = '<%- linkifyHeaderStyle %>'
 window.DROPBOX_APP_KEY = '<%- DROPBOX_APP_KEY %>'
 window.cookiePolicy = '<%- cookiePolicy %>'
+window.userToken = '<%- userToken %>'
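Review bot: The token is interpolated into the query string unencoded (`?token=${window.userToken}`), so any reserved character in it (`&`, `#`, `+`, `%`) would corrupt the request, and an unset `window.userToken` becomes the literal string `undefined`. Wrap it: `?token=${encodeURIComponent(window.userToken || '')}`. Sending it as a header in the `$.ajax` options instead, e.g. `headers: { 'X-Delete-Token': window.userToken }`, would also keep the secret out of URL logging, as noted for the server side in lib/history.js; the rest of deleteServerHistory continues outside the hunk.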
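Review bot: `window.userToken = '<%- userToken %>'` drops a secret into a JS string literal with unescaped interpolation, so a `'` or `\` in the token would break the script or change what it does; the neighbouring lines use the same pattern, but they carry configuration values rather than a per-user secret whose alphabet is not shown here. `window.userToken = <%- JSON.stringify(userToken) %>` yields a correctly quoted literal regardless of the token's characters. If deleteToken is generated from a hex or UUID alphabet this is moot, but the template cannot rely on that.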