diff --git a/routers/web/web.go b/routers/web/web.go
index 55a64ee7d5dde..7808fba0ebc9c 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -277,9 +277,15 @@ func RegisterRoutes(m *web.Route) {
 			m.Get("/{provider}", auth.SignInOAuth)
 			m.Get("/{provider}/callback", auth.SignInOAuthCallback)
 		})
-		m.Get("/link_account", auth.LinkAccount)
-		m.Post("/link_account_signin", bindIgnErr(forms.SignInForm{}), auth.LinkAccountPostSignIn)
-		m.Post("/link_account_signup", bindIgnErr(forms.RegisterForm{}), auth.LinkAccountPostRegister)
+		m.Group("/link_account", func() {
+			m.Get("", auth.LinkAccount)
+		}, openIDSignInEnabled)
+		m.Group("/link_account_signin", func() {
+			m.Post("", bindIgnErr(forms.SignInForm{}), auth.LinkAccountPostSignIn)
+		}, openIDSignInEnabled)
+		m.Group("/link_account_signup", func() {
+			m.Post("", bindIgnErr(forms.RegisterForm{}), auth.LinkAccountPostRegister)
+		}, openIDSignUpEnabled)
 		m.Group("/two_factor", func() {
 			m.Get("", auth.TwoFactor)
 			m.Post("", bindIgnErr(forms.TwoFactorAuthForm{}), auth.TwoFactorPost)
@@ -342,7 +348,9 @@ func RegisterRoutes(m *web.Route) {
 				m.Post("/delete", security.DeleteOpenID)
 				m.Post("/toggle_visibility", security.ToggleOpenIDVisibility)
 			}, openIDSignInEnabled)
-			m.Post("/account_link", security.DeleteAccountLink)
+			m.Group("/account_link", func() {
+				m.Post("", security.DeleteAccountLink)
+			}, openIDSignInEnabled)
 		})
 		m.Group("/applications/oauth2", func() {
 			m.Get("/{id}", user_setting.OAuth2ApplicationShow)