diff --git a/controllers/feed.php b/controllers/feed.php
index 598f8d2..6fc4eaf 100644
--- a/controllers/feed.php
+++ b/controllers/feed.php
@@ -218,14 +218,19 @@ Router\get_action('add', function() {
 
 // Add a feed with the form or directly from the url, it can be used by a bookmarklet by example
 Router\action('subscribe', function() {
-    if (Request\param('url')) {
-        $values = array();
-        $url = Request\param('url');
-    }
-    else {
+    if (Request\is_post()) {
         $values = Request\values();
         $url = isset($values['url']) ? $values['url'] : '';
     }
+    else {
+        $values = array();
+        $url = Request\param('url');
+        $token = Request\param('token');
+
+        if ($token !== Model\Config\get('bookmarklet_token')) {
+            Response\text('Access Forbidden', 403);
+        }
+    }
 
     $values += array('download_content' => 0);
     $url = trim($url);
diff --git a/models/config.php b/models/config.php
index c100ece..3c002d6 100644
--- a/models/config.php
+++ b/models/config.php
@@ -8,7 +8,7 @@ use PicoDb\Database;
 use PicoFeed\Config as ReaderConfig;
 use PicoFeed\Logging;
 
-const DB_VERSION = 25;
+const DB_VERSION = 26;
 const HTTP_USER_AGENT = 'Miniflux (http://miniflux.net)';
 
 // Get PicoFeed config
@@ -155,7 +155,7 @@ function get_nothing_to_read_redirections()
 function generate_token()
 {
     if (function_exists('openssl_random_pseudo_bytes')) {
-        return bin2hex(\openssl_random_pseudo_bytes(16));
+        return bin2hex(\openssl_random_pseudo_bytes(25));
     }
     else if (ini_get('open_basedir') === '' && strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN') {
         return hash('sha256', file_get_contents('/dev/urandom', false, null, 0, 30));
@@ -170,6 +170,7 @@ function new_tokens()
     $values = array(
         'api_token' => generate_token(),
         'feed_token' => generate_token(),
+        'bookmarklet_token' => generate_token(),
     );
 
     return Database::get('db')->table('config')->update($values);
@@ -232,6 +233,7 @@ function get_all()
         'theme',
         'api_token',
         'feed_token',
+        'bookmarklet_token',
         'auth_google_token',
         'auth_mozilla_token',
         'items_sorting_direction',
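Review bot: The bookmarklet token is checked with `!==` on the new `if ($token !== Model\Config\get('bookmarklet_token'))` line, a byte-by-byte early-exit comparison that leaks timing information about the secret; the constant-time form is `if (!hash_equals((string) Model\Config\get('bookmarklet_token'), (string) $token)) {`, where the casts matter because `Request\param('token')` presumably returns null when the parameter is absent and `hash_equals()` rejects non-strings (a polyfill is needed if the project still supports PHP below 5.6). The branch also relies on `Response\text('Access Forbidden', 403)` terminating the request; that function is not visible here, and if it only emits the response the code falls through to the subscription logic with an unchecked `$url`, so confirm it exits or add an explicit `return` after it. Accepting a secret on the query string is inherent to a bookmarklet, but it means the token lands in browser history, referrer headers and access logs, which is worth a comment next to the check. The closure passed to `Router\action('subscribe', ...)` continues past the end of the hunk.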
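Review bot: `\openssl_random_pseudo_bytes(25)` is still called without its `$crypto_strong` out-parameter, so a weak or failed result is hex-encoded and returned as a token exactly like a strong one; raising the length from 16 to 25 bytes does not change that. The call should check the flag and fall through to the other sources otherwise, e.g. `$bytes = \openssl_random_pseudo_bytes(25, $strong);` followed by `if ($bytes !== false && $strong) { return bin2hex($bytes); }`, which means turning the `else if` chain into independent `if`s; on PHP 7+ `random_bytes(25)` removes the question entirely. Note the branches now yield different token lengths (50 hex characters here versus 64 from the sha256 fallback), which is harmless unless something validates token format, and the remainder of generate_token() lies outside the hunk.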
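Review bot: Adding `'bookmarklet_token' => generate_token()` to new_tokens() means a user who wants to revoke only a leaked bookmarklet token (the one most likely to leak, since it travels in URLs) must also rotate the API and feed tokens, and vice versa. If the UI only exposes a single "regenerate" action, a comment such as `// Regenerates all three tokens together; there is no per-token rotation` would at least make that trade-off explicit, and a `new_tokens(array $only = array())` style filter would be a small backward-compatible way to allow selective rotation.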
diff --git a/models/schema.php b/models/schema.php
index 0e6fdf6..cf11d70 100644
--- a/models/schema.php
+++ b/models/schema.php
@@ -3,6 +3,12 @@
 namespace Schema;
 
 
+function version_26($pdo)
+{
+    $pdo->exec('ALTER TABLE config ADD COLUMN bookmarklet_token TEXT DEFAULT "'.\Model\Config\generate_token().'"');
+}
+
+
 function version_25($pdo)
 {
     $pdo->exec(
diff --git a/templates/config.php b/templates/config.php
index 193eac4..3e1cd5f 100644
--- a/templates/config.php
+++ b/templates/config.php
@@ -73,7 +73,7 @@
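Review bot: version_26() wraps the generated token in double quotes inside the DDL (`DEFAULT "…"`), which only works as a string literal thanks to SQLite's legacy double-quoted-string quirk; in standard SQL double quotes delimit identifiers, so this fails on any other backend and is fragile even on SQLite. Because the value is generated at runtime, prefer adding the column without a default and writing the secret through a bound parameter: `$pdo->exec('ALTER TABLE config ADD COLUMN bookmarklet_token TEXT');` then `$rq = $pdo->prepare('UPDATE config SET bookmarklet_token = ?'); $rq->execute(array(\Model\Config\generate_token()));`. That also stops one fixed secret from being baked into the table definition as the default for every future row, and removes a string-concatenation-into-SQL pattern that is safe only because the token happens to be hex today.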