diff --git a/vigilar/alerts/pin.py b/vigilar/alerts/pin.py
index afd660a..5c046e5 100644
--- a/vigilar/alerts/pin.py
+++ b/vigilar/alerts/pin.py
@@ -1,6 +1,7 @@
 """PIN hashing and verification using PBKDF2-SHA256."""
 import hashlib
+import hmac
 import os
@@ -19,4 +20,4 @@ def verify_pin(pin: str, stored_hash: str) -> bool:
 salt = bytes.fromhex(parts[1])
 expected = parts[2]
 dk = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations=600_000)
- return dk.hex() == expected
+ return hmac.compare_digest(dk.hex(), expected)
diff --git a/vigilar/web/blueprints/system.py b/vigilar/web/blueprints/system.py
index 6cc1e3e..1b39529 100644
--- a/vigilar/web/blueprints/system.py
+++ b/vigilar/web/blueprints/system.py
@@ -106,6 +106,7 @@ def get_config_api():
 data.get("system", {}).pop("arm_pin_hash", None)
 data.get("alerts", {}).get("webhook", {}).pop("secret", None)
 data.get("storage", {}).pop("key_file", None)
+ data.pop("security", None)
 return jsonify(data)
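Review bot: `hmac.compare_digest` on two `str` arguments raises `TypeError` when either side contains a non-ASCII character, so a corrupted or hand-edited `stored_hash` now turns into an unhandled exception instead of a clean `False`; comparing bytes avoids that, e.g. `return hmac.compare_digest(dk.hex().encode("ascii"), expected.encode("utf-8"))` (or `bytes.fromhex(expected)` inside a `try`/`except ValueError` that returns `False`). The verification also hard-codes `iterations=600_000` while the stored format evidently carries a `parts[0]` field that is outside the hunk — if that field is not already the iteration count, consider storing and reading it so existing hashes keep verifying after the cost is raised. The start of verify_pin, including the split that produces `parts`, is outside this hunk.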
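Review bot: The redaction is a denylist that now spans four hand-listed paths, so any future secret-bearing key, or one nested under a section not named here, is exposed by default; inverting it into an allowlist of the keys the UI actually needs is safer, or at minimum hoist the paths into one module-level constant such as `_REDACTED_PATHS = (("system", "arm_pin_hash"), ("alerts", "webhook", "secret"), ("storage", "key_file"), ("security",))` and loop over it so the list lives in one place. The nested `.pop()` calls also mutate whatever dicts `data` refers to, so if `data` is only a shallow copy of the live config (its construction is outside the hunk) the secrets would be stripped from the running service's in-memory config as well — a `copy.deepcopy` before redaction removes that risk. The body of get_config_api begins outside this hunk.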