Using == to compare sensitive hashes leaves you vulnerable to timing attacks. This is because == returns false as soon as it finds two characters that don’t match. An attacker can make many requests with different values and compare times to figure out how many characters were correct (the shorter the response time, the fewer correct characters).
Solution: use a constant-time comparison algorithm.
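The difference, as an added example in Python (not code from the original page, which names no language; the function names and the sample hash are constructed for illustration): the early-exit loop does work proportional to the length of the matching prefix, while the constant-time versions examine every byte regardless of where the mismatch is.

```python
import hashlib
import hmac

# Constructed sample value: stands in for a stored hash or token.
EXPECTED = hashlib.sha256(b"constructed-secret").hexdigest().encode()

def leaky_equal(a: bytes, b: bytes):
    """Early-exit comparison (what == does). Returns (equal, bytes examined)."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1      # work done reveals the matching prefix length
    return True, len(a)

def constant_time_equal(a: bytes, b: bytes):
    """Examines every byte and folds all differences into one value."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    steps = 0
    for x, y in zip(a, b):
        diff |= x ^ y                # no branch on the data being compared
        steps += 1
    return diff == 0, steps

def verify(supplied: bytes, expected: bytes = EXPECTED) -> bool:
    """What to use in practice: the standard library's constant-time compare."""
    return hmac.compare_digest(supplied, expected)

def wrong_after(n: int) -> bytes:
    """Constructed input: first n bytes match EXPECTED, byte n differs."""
    return EXPECTED[:n] + bytes([EXPECTED[n] ^ 1]) + EXPECTED[n + 1:]

if __name__ == "__main__":
    for n in (0, 10, 40):
        guess = wrong_after(n)
        print(n, leaky_equal(guess, EXPECTED),
              constant_time_equal(guess, EXPECTED), verify(guess))
```

The hand-written loop only shows the structure of the technique; an interpreter gives no timing guarantees for it, so real code should call hmac.compare_digest as verify does.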