diff --git a/csrf/app.js b/csrf/app.js
index b8beeac..945c67e 100644
--- a/csrf/app.js
+++ b/csrf/app.js
@@ -3,6 +3,7 @@ const koaBody = require('koa-body');
 const session = require('koa-session');
 const CSRF = require('koa-csrf');
 const router = require('koa-router')();
+const Keygrip = require('keygrip');
 
 const app = module.exports = new Koa();
 
@@ -10,7 +11,7 @@ const app = module.exports = new Koa();
  * csrf need session
  */
 
-app.keys = ['session key', 'csrf example'];
+app.keys = new Keygrip(['insert 64 bytes random string', 'insert another 64 bytes random string'], 'sha512');
 app.use(session(app));
 app.use(koaBody());
 
diff --git a/flash-messages/app.js b/flash-messages/app.js
index 5ff0fde..9445b3b 100644
--- a/flash-messages/app.js
+++ b/flash-messages/app.js
@@ -6,11 +6,12 @@
 const Koa = require('koa');
 const rawBody = require('raw-body');
 const session = require('koa-session');
+const Keygrip = require('keygrip');
 
 const app = module.exports = new Koa();
 
 // required for signed cookie sessions
-app.keys = ['key1', 'key2'];
+app.keys = new Keygrip(['insert 64 bytes random string', 'insert another 64 bytes random string'], 'sha512');
 app.use(session(app));
 
 app.use(async function(ctx, next) {