diff --git a/debian/contrib/uffd-nginxauth.cfg b/debian/contrib/uffd-nginxauth.cfg
index 6ff5c1b409784d511b649ceff09c768d2d9d3518..fc6203f5a718d4b43c2cd50f1b2b5db6abcc15a0 100644
--- a/debian/contrib/uffd-nginxauth.cfg
+++ b/debian/contrib/uffd-nginxauth.cfg
@@ -1,5 +1,5 @@
 FLASK_ENV="production"
-#SECRET=autogenerated by postinst script
+#SECRET_KEY=autogenerated by postinst script
 
 # URLs of the OAuth2-based identity provider (must be set!)
 #OAUTH2_AUTH_URL = 'http://localhost:5001/oauth2/authorize'
diff --git a/debian/postinst b/debian/postinst
index 176bc6e9597668a4e776b3840f4b1b511a6f6d07..b086fea0ed095841a93cb7f67f5e13f224a09af0 100755
--- a/debian/postinst
+++ b/debian/postinst
@@ -13,6 +13,18 @@ case "$1" in
 		chown root:uffd-nginxauth /etc/uffd-nginxauth/uffd-nginxauth.cfg
 		chmod 0640 /etc/uffd-nginxauth/uffd-nginxauth.cfg
 
+		python3 <<EOF
+import secrets
+cfg = open('/etc/uffd-nginxauth/uffd-nginxauth.cfg', 'r').read()
+cfg = cfg.replace('\n#SECRET_KEY=autogenerated by postinst script\n',
+                  '\nSECRET_KEY="'+secrets.token_hex(128)+'"\n', 1)
+# Prior to v0.2.1 the default config used a wrong name for SECRET_KEY
+if '\nSECRET_KEY=' not in cfg:
+	cfg = cfg.replace('\n#SECRET=autogenerated by postinst script\n',
+	                  '\nSECRET_KEY="'+secrets.token_hex(128)+'"\n', 1)
+open('/etc/uffd-nginxauth/uffd-nginxauth.cfg', 'w').write(cfg)
+EOF
+
 		invoke-rc.d uwsgi restart uffd-nginxauth
 	;;
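Review bot: The embedded Python rewrites the config without confirming that a key ended up in it: if neither placeholder line is present (for example, the admin edited or removed the comment) and no `SECRET_KEY=` line exists, both `replace()` calls are no-ops and uwsgi is restarted without a secret. After the second replace I would add `if '\nSECRET_KEY' not in cfg: print('warning: no SECRET_KEY in uffd-nginxauth.cfg', file=sys.stderr)` (with `import sys`), so the gap is at least visible in the install log. The `'\nSECRET_KEY='` test on the pre-v0.2.1 path also misses a hand-written `SECRET_KEY = "..."` with spaces, the style the OAuth2 lines in this file use, so such a config with the old placeholder still present would get a second key appended. Which of the two assignments then takes effect depends on how the file is loaded, which is not visible here. Quoting the delimiter as `<<'EOF'` would keep the shell from expanding anything inside the script; the enclosing `case` branch starts above this hunk.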