diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
index c298bdb7e..7dbb1a79a 100644
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -963,6 +963,7 @@ function system_webgui_start()
     global $config;
 
     chdir('/usr/local/www');
+    @unlink('/usr/local/www/csrf/csrf-secret.php');
 
     /* defaults */
     $portarg = "80";
diff --git a/src/etc/rc b/src/etc/rc
index 82bfdedeb..a6e8f3729 100755
--- a/src/etc/rc
+++ b/src/etc/rc
@@ -183,7 +183,7 @@ echo "done."
 
 # let the PHP-based configuration subsystem set up the system now
 echo -n "Launching the init system..."
-rm -f /usr/local/www/csrf/csrf-secret.php /root/lighttpd*
+rm -f /root/lighttpd*
 touch /var/run/booting
 /usr/local/etc/rc.bootup
 rm /var/run/booting
diff --git a/src/www/csrf/csrf-magic.php b/src/www/csrf/csrf-magic.php
index 1eb97bf6a..0bf331cd4 100644
--- a/src/www/csrf/csrf-magic.php
+++ b/src/www/csrf/csrf-magic.php
@@ -425,6 +425,8 @@ function csrf_get_secret()
     }
     if (is_writable($dir)) {
         $secret = csrf_generate_secret();
+        touch($file);
+        chmod($file, 0600);
         $fh = fopen($file, 'w');
         fwrite($fh, '<?php $secret = "'.$secret.'";' . PHP_EOL);
         fclose($fh);