diff --git a/website/server/controllers/api-v3/tasks.js b/website/server/controllers/api-v3/tasks.js
index 0d5fc7e4d9..4cbad0101f 100644
--- a/website/server/controllers/api-v3/tasks.js
+++ b/website/server/controllers/api-v3/tasks.js
@@ -262,7 +262,7 @@ api.createChallengeTasks = {
 api.getUserTasks = {
 method: 'GET',
 url: '/tasks/user',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders(false, '_id preferences tasksOrder')],
 async handler (req, res) {
 let types = Tasks.tasksTypes.map(type => `${type}s`);
 types.push('completedTodos', '_allCompletedTodos'); // _allCompletedTodos is currently in BETA and is likely to be removed in future
@@ -517,7 +517,7 @@ api.updateTask = {
 api.scoreTask = {
 method: 'POST',
 url: '/tasks/:taskId/score/:direction',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders(false, '_id stats profile preferences tasksOrder _ABtests webhooks party guilds')],
 async handler (req, res) {
 req.checkParams('direction', res.t('directionUpDown')).notEmpty().isIn(['up', 'down']);
diff --git a/website/server/middlewares/auth.js b/website/server/middlewares/auth.js
index 9c1321425a..dbd810f823 100644
--- a/website/server/middlewares/auth.js
+++ b/website/server/middlewares/auth.js
@@ -12,7 +12,7 @@ const COMMUNITY_MANAGER_EMAIL = nconf.get('EMAILS:COMMUNITY_MANAGER_EMAIL');
 // Authenticate a request through the x-api-user and x-api key header
 // If optional is true, don't error on missing authentication
-export function authWithHeaders (optional = false) {
+export function authWithHeaders (optional = false, userFieldProjection = '') {
 return function authWithHeadersHandler (req, res, next) {
 let userId = req.header('x-api-user');
 let apiToken = req.header('x-api-key');
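Review bot: The projection `'_id preferences tasksOrder'` passed at the `getUserTasks` middleware line has to name every user path the handler reads, and the handler body continues past the hunk, so completeness cannot be checked here; on a Mongoose document loaded with a projection an unselected path reads as `undefined` rather than failing, so an omission surfaces as wrong output or a TypeError on a nested read instead of a query error. The same applies to `scoreTask` in the second hunk, whose longer list (`_id stats profile preferences tasksOrder _ABtests webhooks party guilds`) must cover everything its handler and the code it calls touch on the user. A short comment next to each list would protect the next person who adds a `user.` read to either handler, e.g. `// keep in sync with every user path this handler reads; unselected paths read as undefined`.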
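Review bot: The two comment lines above `authWithHeaders` still describe only `optional`; the new `userFieldProjection` parameter changes what the resolved user document carries for every downstream handler and should be documented beside it, e.g. `// If userFieldProjection is a non-empty space-separated list of user paths, only those paths (plus notifications) are loaded`. The default `''` loads the whole document, which the comment should state explicitly so callers do not assume a safe minimum is applied when they pass nothing.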
@@ -22,10 +22,16 @@ export function authWithHeaders (optional = false) {
 return next(new NotAuthorized(res.t('missingAuthHeaders')));
 }
- return User.findOne({
+ const userQuery = {
 _id: userId,
 apiToken,
- })
+ };
+
+ let fields = '';
+ if (userFieldProjection) fields = `notifications ${userFieldProjection}`;
+ const findPromise = fields ? User.findOne(userQuery, fields) : User.findOne(userQuery);
+
+ return findPromise
 .exec()
 .then((user) => {
 if (!user) throw new NotAuthorized(res.t('invalidCredentials'));
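Review bot: Once a projection is in effect the document `findPromise` resolves to holds only `notifications` plus the caller's list, so if the remainder of the `.then` callback (it continues past the hunk) checks `user.auth.blocked` to reject suspended accounts — the `COMMUNITY_MANAGER_EMAIL` constant in the earlier hunk header suggests such a check exists — `user.auth` is `undefined` there and the read either throws a TypeError or, if guarded, silently stops rejecting suspended users for every caller that omits `auth`, which neither call site in tasks.js includes. Paths the middleware itself depends on belong in the fixed prefix next to `notifications` rather than in each caller's list, so adding `auth.blocked` there would keep that check independent of the callers. The prefix also makes the argument inclusion-only: a Mongoose projection cannot mix inclusion and exclusion, so a caller passing `-foo` would make the query fail at runtime; a one-line comment on the parameter would prevent that, e.g. `// userFieldProjection: space-separated user paths to select (inclusion only; notifications is always added)`. The `fields ? … : …` ternary on the `findPromise` line is redundant with the `if (userFieldProjection)` guard above it; testing `userFieldProjection` directly in the ternary and dropping the `let fields` reassignment would read more plainly.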