diff --git a/lib/cartodb/controllers/analyses.js b/lib/cartodb/controllers/analyses.js
index be793bf1..3453b2de 100644
--- a/lib/cartodb/controllers/analyses.js
+++ b/lib/cartodb/controllers/analyses.js
@@ -21,9 +21,9 @@ AnalysesController.prototype.register = function (app) {
 app.get(
 `${mapconfigBasePath}/analyses/catalog`,
 cors(),
- userMiddleware(),
- locals(),
 cleanUpQueryParams(),
+ locals(),
+ userMiddleware(),
 layergroupToken(),
 credentials(),
 authorize(this.authApi),
diff --git a/lib/cartodb/controllers/layergroup.js b/lib/cartodb/controllers/layergroup.js
index c4e969e9..8e0c472d 100644
--- a/lib/cartodb/controllers/layergroup.js
+++ b/lib/cartodb/controllers/layergroup.js
@@ -57,9 +57,9 @@ LayergroupController.prototype.register = function(app) {
 app.get(
 `${mapconfigBasePath}/:token/:z/:x/:y@:scale_factor?x.:format`,
 cors(),
- userMiddleware(),
- locals(),
 cleanUpQueryParams(),
+ locals(),
+ userMiddleware(),
 layergroupToken(),
 credentials(),
 authorize(this.authApi),
@@ -81,9 +81,9 @@ LayergroupController.prototype.register = function(app) {
 app.get(
 `${mapconfigBasePath}/:token/:z/:x/:y.:format`,
 cors(),
- userMiddleware(),
- locals(),
 cleanUpQueryParams(),
+ locals(),
+ userMiddleware(),
 layergroupToken(),
 credentials(),
 authorize(this.authApi),
@@ -106,9 +106,9 @@ LayergroupController.prototype.register = function(app) {
 `${mapconfigBasePath}/:token/:layer/:z/:x/:y.(:format)`,
 distinguishLayergroupFromStaticRoute(),
 cors(),
- userMiddleware(),
- locals(),
 cleanUpQueryParams(),
+ locals(),
+ userMiddleware(),
 layergroupToken(),
 credentials(),
 authorize(this.authApi),
@@ -130,9 +130,9 @@ LayergroupController.prototype.register = function(app) {
 app.get(
 `${mapconfigBasePath}/:token/:layer/attributes/:fid`,
 cors(),
- userMiddleware(),
- locals(),
 cleanUpQueryParams(),
+ locals(),
+ userMiddleware(),
 layergroupToken(),
 credentials(),
 authorize(this.authApi),
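Review bot: The order of the three entries `cleanUpQueryParams()`, `locals()`, `userMiddleware()` in this `app.get` chain is now load-bearing, but nothing in the chain says so. Per the locals.js and clean-up-query-params.js hunks of this same commit, `locals()` rebuilds `res.locals` from `req.query` and `req.params`, so it has to run after the query whitelist and before anything that writes to `res.locals`; a later edit that moves it back above `cleanUpQueryParams()` would copy unfiltered query keys. I would add a comment above the triple, e.g. `// order matters: filter req.query, then copy it into res.locals, then resolve the user`, or build the shared prefix once and spread it into each route. The same applies to every other hunk in layergroup.js, map.js and named_maps.js; `register` starts and ends outside these hunks.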
@@ -152,9 +152,9 @@ LayergroupController.prototype.register = function(app) {
 app.get(
 `${mapconfigBasePath}/static/center/:token/:z/:lat/:lng/:width/:height.:format`,
 cors(),
- userMiddleware(),
- locals(),
 cleanUpQueryParams(['layer']),
+ locals(),
+ userMiddleware(),
 layergroupToken(),
 credentials(),
 authorize(this.authApi),
@@ -172,9 +172,9 @@ LayergroupController.prototype.register = function(app) {
 app.get(
 `${mapconfigBasePath}/static/bbox/:token/:west,:south,:east,:north/:width/:height.:format`,
 cors(),
- userMiddleware(),
- locals(),
 cleanUpQueryParams(['layer']),
+ locals(),
+ userMiddleware(),
 layergroupToken(),
 credentials(),
 authorize(this.authApi),
@@ -210,9 +210,9 @@ LayergroupController.prototype.register = function(app) {
 app.get(
 `${mapconfigBasePath}/:token/dataview/:dataviewName`,
 cors(),
- userMiddleware(),
- locals(),
 cleanUpQueryParams(allowedDataviewQueryParams),
+ locals(),
+ userMiddleware(),
 layergroupToken(),
 credentials(),
 authorize(this.authApi),
@@ -230,9 +230,9 @@ LayergroupController.prototype.register = function(app) {
 app.get(
 `${mapconfigBasePath}/:token/:layer/widget/:dataviewName`,
 cors(),
- userMiddleware(),
- locals(),
 cleanUpQueryParams(allowedDataviewQueryParams),
+ locals(),
+ userMiddleware(),
 layergroupToken(),
 credentials(),
 authorize(this.authApi),
@@ -250,9 +250,9 @@ LayergroupController.prototype.register = function(app) {
 app.get(
 `${mapconfigBasePath}/:token/dataview/:dataviewName/search`,
 cors(),
- userMiddleware(),
- locals(),
 cleanUpQueryParams(allowedDataviewQueryParams),
+ locals(),
+ userMiddleware(),
 layergroupToken(),
 credentials(),
 authorize(this.authApi),
@@ -270,9 +270,9 @@ LayergroupController.prototype.register = function(app) {
 app.get(
 `${mapconfigBasePath}/:token/:layer/widget/:dataviewName/search`,
 cors(),
- userMiddleware(),
- locals(),
 cleanUpQueryParams(allowedDataviewQueryParams),
+ locals(),
+ userMiddleware(),
 layergroupToken(),
 credentials(),
 authorize(this.authApi),
@@ -290,9 +290,9 @@ LayergroupController.prototype.register = function(app) { app.get( `${mapconfigBasePath}/:token/analysis/node/:nodeId`, cors(), - userMiddleware(), - locals(), cleanUpQueryParams(), + locals(), + userMiddleware(), layergroupToken(), credentials(), authorize(this.authApi), diff --git a/lib/cartodb/controllers/map.js b/lib/cartodb/controllers/map.js index d9753726..4adbd3b0 100644 --- a/lib/cartodb/controllers/map.js +++ b/lib/cartodb/controllers/map.js @@ -73,9 +73,9 @@ MapController.prototype.composeCreateMapMiddleware = function (useTemplate = fal return [ cors(), - userMiddleware(), - locals(), cleanUpQueryParams(['aggregation']), + locals(), + userMiddleware(), layergroupToken(), credentials(), authorize(this.authApi), diff --git a/lib/cartodb/controllers/named_maps.js b/lib/cartodb/controllers/named_maps.js index 433c31b0..703c17b6 100644 --- a/lib/cartodb/controllers/named_maps.js +++ b/lib/cartodb/controllers/named_maps.js @@ -52,9 +52,9 @@ NamedMapsController.prototype.register = function(app) { app.get( `${templateBasePath}/:template_id/:layer/:z/:x/:y.(:format)`, cors(), - userMiddleware(), - locals(), cleanUpQueryParams(), + locals(), + userMiddleware(), layergroupToken(), credentials(), authorize(this.authApi), @@ -80,9 +80,9 @@ NamedMapsController.prototype.register = function(app) { app.get( `${mapconfigBasePath}/static/named/:template_id/:width/:height.:format`, cors(), - userMiddleware(), - locals(), cleanUpQueryParams(['layer', 'zoom', 'lon', 'lat', 'bbox']), + locals(), + userMiddleware(), layergroupToken(), credentials(), authorize(this.authApi), diff --git a/lib/cartodb/controllers/named_maps_admin.js b/lib/cartodb/controllers/named_maps_admin.js index a662f67b..96d8d8ae 100644 --- a/lib/cartodb/controllers/named_maps_admin.js +++ b/lib/cartodb/controllers/named_maps_admin.js 
@@ -23,8 +23,8 @@ NamedMapsAdminController.prototype.register = function (app) {
 app.post(
 `${templateBasePath}/`,
 cors(),
- userMiddleware(),
 localsMiddleware(),
+ userMiddleware(),
 credentialsMiddleware(),
 checkContentType({ action: 'POST', label: 'POST TEMPLATE' }),
 authorizedByAPIKey({ authApi: this.authApi, action: 'create', label: 'POST TEMPLATE' }),
@@ -35,8 +35,8 @@ NamedMapsAdminController.prototype.register = function (app) {
 app.put(
 `${templateBasePath}/:template_id`,
 cors(),
- userMiddleware(),
 localsMiddleware(),
+ userMiddleware(),
 credentialsMiddleware(),
 checkContentType({ action: 'PUT', label: 'PUT TEMPLATE' }),
 authorizedByAPIKey({ authApi: this.authApi, action: 'update', label: 'PUT TEMPLATE' }),
@@ -47,8 +47,8 @@ NamedMapsAdminController.prototype.register = function (app) {
 app.get(
 `${templateBasePath}/:template_id`,
 cors(),
- userMiddleware(),
 localsMiddleware(),
+ userMiddleware(),
 credentialsMiddleware(),
 authorizedByAPIKey({ authApi: this.authApi, action: 'get', label: 'GET TEMPLATE' }),
 retrieveTemplate({ templateMaps: this.templateMaps }),
@@ -58,8 +58,8 @@ NamedMapsAdminController.prototype.register = function (app) {
 app.delete(
 `${templateBasePath}/:template_id`,
 cors(),
- userMiddleware(),
 localsMiddleware(),
+ userMiddleware(),
 credentialsMiddleware(),
 authorizedByAPIKey({ authApi: this.authApi, action: 'delete', label: 'DELETE TEMPLATE' }),
 destroyTemplate({ templateMaps: this.templateMaps }),
@@ -69,8 +69,8 @@ NamedMapsAdminController.prototype.register = function (app) {
 app.get(
 `${templateBasePath}/`,
 cors(),
- userMiddleware(),
 localsMiddleware(),
+ userMiddleware(),
 credentialsMiddleware(),
 authorizedByAPIKey({ authApi: this.authApi, action: 'list', label: 'GET TEMPLATE LIST' }),
 listTemplates({ templateMaps: this.templateMaps }),
diff --git a/lib/cartodb/middleware/clean-up-query-params.js b/lib/cartodb/middleware/clean-up-query-params.js
index d5c93c07..768b35f2 100644
--- a/lib/cartodb/middleware/clean-up-query-params.js
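Review bot: None of the five route chains in named_maps_admin.js shows a `cleanUpQueryParams()` entry ahead of `localsMiddleware()`, so if `localsMiddleware` is the function from middleware/locals.js changed in this commit, every query-string key on these template admin routes is now copied into `res.locals` without a whitelist. Before this commit the only copy of query values into `res.locals` was the one removed from clean-up-query-params.js, which ran after the `_.pick` filter. Anything later in the chain that reads a `res.locals` field it did not set itself would then see a caller-chosen value; `userMiddleware()` and `credentialsMiddleware()` run afterwards and presumably overwrite their own fields, but that is not visible here. I would put `cleanUpQueryParams(),` before `localsMiddleware(),` in each chain, or give these routes a locals variant that copies `req.params` only. `register` starts and ends outside the hunks.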
+++ b/lib/cartodb/middleware/clean-up-query-params.js @@ -24,9 +24,6 @@ module.exports = function cleanUpQueryParamsMiddleware (customQueryParams = []) req.query = _.pick(req.query, allowedQueryParams); - // bring all query values onto res.locals object - _.extend(res.locals, req.query); - next(); }; }; diff --git a/lib/cartodb/middleware/locals.js b/lib/cartodb/middleware/locals.js index f6f70923..2629767e 100644 --- a/lib/cartodb/middleware/locals.js +++ b/lib/cartodb/middleware/locals.js @@ -1,6 +1,6 @@ module.exports = function locals () { return function localsMiddleware (req, res, next) { - res.locals = Object.assign(req.params || {}, res.locals); + res.locals = Object.assign({}, req.query, req.params); next(); };
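Review bot: The new assignment in `localsMiddleware` discards whatever was already on `res.locals`, where the old line merged it in and let it win over `req.params`. If that is intended, the line deserves a comment stating the precedence and the ordering it relies on, e.g. `// params override query; must run after cleanUpQueryParams() and before any middleware that sets res.locals`. If earlier values should survive, `res.locals = Object.assign({}, req.query, req.params, res.locals);` keeps the old precedence without mutating `req.params`. The closing `};` of `locals` is outside the hunk.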