Following from T212468, XHGui 0.9 adds two new deletion methods that use the "GET" verb (that is, following or clicking a link) without confirmation or authorization requirements.
I've disabled these during the upgrade with a local hot-fix, but I'm working with upstream to either make these configurable or to make them use POST with a confirmation page.
Then, we can update our server configuration to catch these similar to how we catch the POST routes for the "Watch functions" feature, which we limit to wmf/nda currently. ([source config](https://github.com/wikimedia/puppet/blob/86630974db49aefd56501bd763f05e127e3382ce/modules/role/templates/apache/sites/xhgui.erb#L7), [config params](https://github.com/wikimedia/puppet/blob/d489cac509b9921cc948335f76979a68e04178e0/modules/role/manifests/xhgui/app.pp#L31-L41)).