diff --git a/core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java b/core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java
index 3db25892ab63425c22ec8476dc256bccc7488cb6..5e59ab1d6e04259c6b721096ba2a39942dce8fc5 100644
--- a/core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java
+++ b/core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java
@@ -95,6 +95,7 @@ public class DefaultCrumbIssuer extends CrumbIssuer {
 if (request instanceof HttpServletRequest) {
 String newCrumb = issueCrumb(request, salt);
 if ((newCrumb != null) && (crumb != null)) {
+ // String.equals() is not constant-time, but this is
 return MessageDigest.isEqual(newCrumb.getBytes(), crumb.getBytes());
 }
 }
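Review bot: Both `getBytes()` calls on the line directly below the new comment use the platform default charset, so the byte arrays handed to `MessageDigest.isEqual` depend on the JVM's `file.encoding` rather than on the crumb values alone; prefer `MessageDigest.isEqual(newCrumb.getBytes(StandardCharsets.UTF_8), crumb.getBytes(StandardCharsets.UTF_8))`. The added comment would also be more useful if it said what the constant-time property buys here, e.g. `// MessageDigest.isEqual compares in constant time; String.equals stops at the first differing byte and would leak how much of the submitted crumb matched`. Whether `isEqual` is also constant-time when the two lengths differ depends on the JDK version, which is worth a word in the comment if crumbs of unequal length can reach this check. The enclosing method starts before and ends after this hunk.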