diff --git a/apps/common/permissions.py b/apps/common/permissions.py
index 72948d4b1..cb6f902ca 100644
--- a/apps/common/permissions.py
+++ b/apps/common/permissions.py
@@ -1,5 +1,6 @@
 # -*- coding: utf-8 -*-
 #
+import hmac
 import time
 from django.conf import settings
@@ -48,7 +49,10 @@ class WithBootstrapToken(permissions.BasePermission):
 return False
 request_bootstrap_token = authorization.split()[-1]
- return settings.BOOTSTRAP_TOKEN == request_bootstrap_token
+ return hmac.compare_digest(
+ settings.BOOTSTRAP_TOKEN.encode(),
+ request_bootstrap_token.encode()
+ )
 class ServiceAccountSignaturePermission(permissions.BasePermission):
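Review bot: The new `settings.BOOTSTRAP_TOKEN.encode()` call in the second hunk assumes the setting is always a `str`. If it can be unset or `None` in some deployment (the settings definition is not visible here), the old `==` returned False, whereas this raises `AttributeError` and turns a denied request into a server error. A guard before the comparison keeps the check failing closed: `expected = settings.BOOTSTRAP_TOKEN`, then `if not expected: return False`, then compare `expected.encode()`. Encoding both sides to bytes is worth keeping, since `hmac.compare_digest` raises `TypeError` on non-ASCII `str` arguments and the header value comes from the client. The enclosing method begins above the hunk, so the earlier header checks could not be reviewed.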