diff --git a/src/ShopifyApp/Http/Middleware/AuthProxy.php b/src/ShopifyApp/Http/Middleware/AuthProxy.php
index 5fd523cc..9c39c962 100644
--- a/src/ShopifyApp/Http/Middleware/AuthProxy.php
+++ b/src/ShopifyApp/Http/Middleware/AuthProxy.php
@@ -63,7 +63,7 @@ public function handle(Request $request, Closure $next)
 ],
 getShopifyConfig('api_secret', $shop)
 );
- if ($signature !== $signatureLocal || $shop->isNull()) {
+ if (hash_equals($signature, $signatureLocal) === false || $shop->isNull()) {
 // Issue with HMAC or missing shop header
 return Response::make('Invalid proxy signature.', 401);
 }
diff --git a/src/ShopifyApp/Http/Middleware/AuthToken.php b/src/ShopifyApp/Http/Middleware/AuthToken.php
index 4df6d0a3..e5a584b8 100644
--- a/src/ShopifyApp/Http/Middleware/AuthToken.php
+++ b/src/ShopifyApp/Http/Middleware/AuthToken.php
@@ -127,6 +127,6 @@ private function checkSignature($token)
 $hmac = hash_hmac('sha256', $check, $secret, true);
 $encoded = base64url_encode($hmac);
- return $encoded === $signature;
+ return hash_equals($encoded, $signature);
 }
 }
diff --git a/src/ShopifyApp/Http/Middleware/AuthWebhook.php b/src/ShopifyApp/Http/Middleware/AuthWebhook.php
index 74a412d2..b710db5b 100644
--- a/src/ShopifyApp/Http/Middleware/AuthWebhook.php
+++ b/src/ShopifyApp/Http/Middleware/AuthWebhook.php
@@ -35,7 +35,7 @@ public function handle(Request $request, Closure $next)
 getShopifyConfig('api_secret', $shop)
 );
- if (! hash_equals($hmac, $hmacLocal) || empty($shop)) {
+ if (hash_equals($hmac, $hmacLocal) === false || empty($shop)) {
 // Issue with HMAC or missing shop header
 return Response::make('Invalid webhook signature.', 401);
 }
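Review bot: hash_equals() is stricter about its argument types than the `!==` it replaces, so the new condition in the AuthProxy hunk can now fail differently: if `$signature` is read straight from the request (its assignment is above the hunk) and arrives as an array or, under strict_types, as null, hash_equals() emits a warning and returns false on PHP 7 but throws a TypeError on PHP 8, turning the intended 401 into an unhandled exception. A type guard keeps the check fail-closed: `if (! is_string($signature) || ! hash_equals($signatureLocal, $signature) || $shop->isNull()) {`. That line also puts the locally computed value first, which is the documented parameter order (`hash_equals(string $known_string, string $user_string)`); the AuthProxy and AuthWebhook hunks pass the request-supplied value as `$known_string`, while the AuthToken hunk already has the computed `$encoded` first. The same type consideration applies to `$hmac` in the AuthWebhook hunk and to `$signature` in AuthToken's checkSignature(), whose start lies outside the hunk. handle() in AuthProxy and AuthWebhook also begins and ends outside the hunks.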