diff --git a/scripts/_common.sh b/scripts/_common.sh
index 4bd9f42..68a8bd2 100644
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -14,10 +14,10 @@
 
 ynh_local_curl_csrf () {
     # Define url of page to curl
-    local local_page=$1
-    local full_path=$path$local_page
+    local local_page=$(ynh_normalize_url_path $1)
+    local full_path=$path_url$local_page
 
-    if [ "${path}" == "/" ]; then
+    if [ "${path_url}" == "/" ]; then
         full_path=$local_page
     fi
 
@@ -26,12 +26,10 @@ ynh_local_curl_csrf () {
     # Concatenate all other arguments with '&' to prepare POST data
     local POST_data=""
     local arg=""
-    for arg in "${@:2}"
-    do
+    for arg in "${@:2}"; do
         POST_data="${POST_data}${arg}&"
     done
-    if [ -n "$POST_data" ]
-    then
+    if [ -n "$POST_data" ]; then
         # Add --data arg and remove the last character, which is an unecessary '&'
         POST_data="--data ${POST_data::-1}"
     fi
@@ -41,16 +39,28 @@ ynh_local_curl_csrf () {
 
     local cookiefile=/tmp/ynh-$app-cookie.txt
     touch $cookiefile
-    chown $app $cookiefile
+    chown root $cookiefile
     chmod 700 $cookiefile
 
+    # Temporarily enable visitors if needed...
+    local visitors_enabled=$(ynh_permission_has_user "main" "visitors" && echo yes || echo no)
+    if [[ $visitors_enabled == "no" ]]; then
+        ynh_permission_update --permission "main" --add "visitors"
+    fi
+
     # Curl the URL for the CSRF token
-    local code_line=`curl --silent --show-error --insecure --location --header "Host: $domain" --resolve $domain:443:127.0.0.1 "$full_page_url" --cookie-jar $cookiefile --cookie $cookiefile | grep "input name=\"code\""`
+    data=$(curl --silent --show-error --insecure --location --header "Host: $domain" --resolve $domain:443:127.0.0.1 "$full_page_url" --cookie-jar $cookiefile --cookie $cookiefile)
+
+    local code_line=$(echo "$data" | grep "input name=\"code\"")
 
     local code=${code_line:40:53}
-	POST_data="${POST_data}&code=${code}"
+    POST_data="${POST_data}&code=${code}"
 
     curl --silent --show-error --insecure --location --header "Host: $domain" --resolve $domain:443:127.0.0.1 $POST_data "$full_page_url" --cookie-jar $cookiefile --cookie $cookiefile
+
+    if [[ $visitors_enabled == "no" ]]; then
+        ynh_permission_update --permission "main" --remove "visitors"
+    fi
 }
 
 #Convert --data to --data-urlencode before ynh_local_curl
diff --git a/scripts/install b/scripts/install
index 6033e35..e9de9e2 100755
--- a/scripts/install
+++ b/scripts/install
@@ -68,7 +68,7 @@ admin_temp_pass=$(ynh_string_random --length=10)
 
 ynh_local_curl "/index.php?qa=install" "create=Set+up+the+Database+including+User+Management"
 ynh_local_curl "/index.php?qa=install" "handle=$admin" "password=$admin_temp_pass" "email=$admin_email" "super=Set+up+the+Super+Administrator"
-ynh_local_curl "/index.php?qa=admin&qa_1=general" \
+ynh_local_curl_csrf "/index.php?qa=admin&qa_1=general" \
     "$(myynh_urlencode "option_site_title=$q2a_name")" \
     "$(myynh_urlencode "option_site_url=https://$domain$path")" \
     "option_neat_urls=0" \