diff --git a/uffd/__init__.py b/uffd/__init__.py
index 30280972254264079a66fbbbca645776340bfb0b..0f071fb907513a30a589e9e0f11d93709655b79b 100644
--- a/uffd/__init__.py
+++ b/uffd/__init__.py
@@ -1,4 +1,5 @@
 import os
+import secrets
 
 from flask import Flask, redirect, url_for
 from werkzeug.routing import IntegerConverter
@@ -16,7 +17,7 @@ def create_app(test_config=None):
 	# set development default config values
 	app.config.from_mapping(
 		TEMPLATES_AUTO_RELOAD=True,
-		SECRET_KEY=os.urandom(128),
+		SECRET_KEY=secrets.token_hex(128),
 		SQLALCHEMY_DATABASE_URI="sqlite:///{}".format(os.path.join(app.instance_path, 'uffd.sqlit3')),
 		SQLALCHEMY_ECHO=True,
 	)
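Review bot: The `SECRET_KEY` default in `app.config.from_mapping` is still generated anew at every process start, so unless a later config load overrides it, each restart invalidates all sessions and CSRF tokens, and several worker processes would each sign cookies with a different key. The comment above marks these as development defaults, but nothing in the hunk tells an operator when the default is actually in use. I would add a comment such as `# random per process: set SECRET_KEY in the instance config for any real deployment` and consider failing startup outside debug mode when no explicit key is configured. The value also changes from bytes to a 256-character str, which Flask accepts. `create_app` continues outside the hunk, so an override may already be loaded there.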
diff --git a/uffd/session/views.py b/uffd/session/views.py
index 2590b0b7d39cb6ac5cf947e2e2fc3abde353ba8b..269c0a49a721abf6af5bcf18535b1bab529462e9 100644
--- a/uffd/session/views.py
+++ b/uffd/session/views.py
@@ -1,5 +1,5 @@
 import datetime
-import random
+import secrets
 import string
 import functools
 
@@ -38,7 +38,7 @@ def login():
 		return redirect(url_for('.login'))
 	session['user_uid'] = user.uid
 	session['logintime'] = datetime.datetime.now().timestamp()
-	session['_csrf_token'] = ''.join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(64))
+	session['_csrf_token'] = secrets.token_hex(128)
 	return redirect(request.values.get('ref', url_for('index')))
 
 def get_current_user():
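Review bot: `redirect(request.values.get('ref', url_for('index')))` sends the browser to whatever `ref` the request carries, so after a successful login the site will redirect to an external address; the commit hardens the token but leaves this open redirect in place. Accept only local targets, for example `ref = request.values.get('ref', '')` followed by `if not ref.startswith('/') or ref.startswith(('//', '/\\')): ref = url_for('index')`. Separately, `secrets.token_hex(128)` produces 256 characters that are stored in the session (and, with Flask's default cookie-backed session, sent on every request); `secrets.token_urlsafe(32)` already gives 256 bits of randomness. `login` begins above the hunk, and `import string` may now be unused if nothing else in the file needs it.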