diff --git a/fusion-endpoint/src/main/java/com/vaadin/flow/server/connect/auth/VaadinConnectAccessChecker.java b/fusion-endpoint/src/main/java/com/vaadin/flow/server/connect/auth/VaadinConnectAccessChecker.java
index 02e33458344..a606723b5dc 100644
--- a/fusion-endpoint/src/main/java/com/vaadin/flow/server/connect/auth/VaadinConnectAccessChecker.java
+++ b/fusion-endpoint/src/main/java/com/vaadin/flow/server/connect/auth/VaadinConnectAccessChecker.java
@@ -24,6 +24,8 @@
 import java.lang.reflect.AnnotatedElement;
 import java.lang.reflect.Method;
 import java.lang.reflect.Modifier;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -158,7 +160,10 @@ private boolean requestForbidden(HttpServletRequest request) {
             return true;
         }
 
-        if (!csrfTokenInSession.equals(request.getHeader("X-CSRF-Token"))) {
+        String csrfTokenInRequest = request.getHeader("X-CSRF-Token");
+        if (csrfTokenInRequest == null || !MessageDigest.isEqual(
+                csrfTokenInSession.getBytes(StandardCharsets.UTF_8),
+                csrfTokenInRequest.getBytes(StandardCharsets.UTF_8))) {
             if (getLogger().isInfoEnabled()) {
                 getLogger().info("Invalid CSRF token in endpoint request");
             }
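Review bot: The switch from `String.equals` to `MessageDigest.isEqual` in the second hunk has no comment saying why, and a future maintainer is likely to "simplify" it back to `equals`; add a why-comment above the new `if`, e.g. `// Compare in constant time: String.equals stops at the first differing char, which could leak the session token through response timing.` The explicit `csrfTokenInRequest == null` guard is required, not just defensive, because `getBytes` on the missing header would throw where `equals(null)` previously returned false. Note that this makes a missing header and a mismatched header indistinguishable in the log line that follows; if the "Invalid CSRF token" message is used for monitoring, consider a distinct info message for the missing-header case. The `csrfTokenInSession` null handling appears to be the `return true` just above the hunk, but that check and the rest of requestForbidden lie outside the hunk.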