diff --git a/src/jobservice/api/authenticator.go b/src/jobservice/api/authenticator.go
index cced73415..6c6839502 100644
--- a/src/jobservice/api/authenticator.go
+++ b/src/jobservice/api/authenticator.go
@@ -15,6 +15,7 @@ package api
 import (
+ "crypto/subtle"
 "errors"
 "fmt"
 "net/http"
@@ -66,7 +67,7 @@ func (sa *SecretAuthenticator) DoAuth(req *http.Request) error {
 }
 expectedSecret := config.GetUIAuthSecret()
- if expectedSecret != secret {
+ if subtle.ConstantTimeCompare([]byte(expectedSecret), []byte(secret)) == 0 {
 return errors.New("unauthorized")
 }
diff --git a/src/registryctl/auth/secret.go b/src/registryctl/auth/secret.go
index b9567a690..483359fb9 100644
--- a/src/registryctl/auth/secret.go
+++ b/src/registryctl/auth/secret.go
@@ -15,6 +15,7 @@ package auth
 import (
+ "crypto/subtle"
 "errors"
 "net/http"
 "strings"
@@ -54,7 +55,7 @@ func (s *secretHandler) AuthorizeRequest(req *http.Request) error {
 secInReq := strings.TrimPrefix(auth, HarborSecret)
 for _, v := range s.secrets {
- if secInReq == v {
+ if subtle.ConstantTimeCompare([]byte(secInReq), []byte(v)) == 1 {
 return nil
 }
 }
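Review bot: `subtle.ConstantTimeCompare` returns 0 immediately when the two slices differ in length, so the new check in DoAuth (`if subtle.ConstantTimeCompare([]byte(expectedSecret), []byte(secret)) == 0 {`) still lets response timing reveal whether the presented value has the configured secret's length; the same applies to the registryctl `AuthorizeRequest` hunk below. If the configured secret is not guaranteed to be a fixed length, compare fixed-size digests instead: `eh := sha256.Sum256([]byte(expectedSecret))`, `gh := sha256.Sum256([]byte(secret))`, `if subtle.ConstantTimeCompare(eh[:], gh[:]) == 0 {` (adds `"crypto/sha256"` to the import block). The comparison also succeeds when both `expectedSecret` and `secret` are empty, exactly as the old `!=` did; if an unset `config.GetUIAuthSecret()` is possible here, an explicit `if expectedSecret == "" { return errors.New("unauthorized") }` before the compare would make that case fail closed rather than depending on how `secret` was extracted. A one-line why-comment above the check, `// Constant-time compare so timing does not reveal how much of the secret matched.`, would keep a future maintainer from "simplifying" it back to `!=`. The body of DoAuth, including where `secret` is read from the request, starts outside the hunk.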
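Review bot: The loop in AuthorizeRequest still returns on the first matching entry of `s.secrets`, so even with the per-entry compare now constant-time, the total time spent in the loop depends on which entry matched (and on whether any did); if the entries are of different lengths, `subtle.ConstantTimeCompare`'s length short-circuit adds a per-entry signal as well. Checking every entry and OR-ing the results removes the position dependence without changing the accept/reject outcome. I cannot see from the hunk how `s.secrets` is populated or whether it may contain an empty string, in which case a request whose `Authorization` value trims to `""` would be accepted both before and after this change, so that is worth confirming at the call site. The rejection path after the loop is outside the hunk.
```go
	secInReq := strings.TrimPrefix(auth, HarborSecret)
	// Compare against every configured secret so the elapsed time does not
	// depend on which entry (if any) matched.
	matched := 0
	for _, v := range s.secrets {
		matched |= subtle.ConstantTimeCompare([]byte(secInReq), []byte(v))
	}
	if matched == 1 {
		return nil
	}
	// … unchanged: rejection below …
```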