diff --git a/core/startos/src/developer/mod.rs b/core/startos/src/developer/mod.rs
index 102a30e22..cbbb49e9e 100644
--- a/core/startos/src/developer/mod.rs
+++ b/core/startos/src/developer/mod.rs
@@ -31,7 +31,7 @@ pub async fn write_developer_key(
         secret_key: secret.to_bytes(),
         public_key: Some(PublicKeyBytes(VerifyingKey::from(secret).to_bytes())),
     };
-    let mut file = create_file_mod(path, 0o046).await?;
+    let mut file = create_file_mod(path, 0o640).await?;
     file.write_all(
         keypair_bytes
             .to_pkcs8_pem(base64ct::LineEnding::default())
diff --git a/core/startos/src/middleware/auth.rs b/core/startos/src/middleware/auth.rs
index 01c3eafbc..4fed0fd12 100644
--- a/core/startos/src/middleware/auth.rs
+++ b/core/startos/src/middleware/auth.rs
@@ -43,7 +43,7 @@ pub trait AuthContext: SignatureAuthContext {
     const LOCAL_AUTH_COOKIE_OWNERSHIP: &str;
     fn init_auth_cookie() -> impl Future<Output = Result<(), Error>> + Send {
         async {
-            let mut file = create_file_mod(Self::LOCAL_AUTH_COOKIE_PATH, 0o046).await?;
+            let mut file = create_file_mod(Self::LOCAL_AUTH_COOKIE_PATH, 0o640).await?;
             file.write_all(BASE64.encode(random::<[u8; 32]>()).as_bytes())
                 .await?;
             file.sync_all().await?;