Secure Sidekiq with BasicAuth

I am using Sidekiq for background processing for my website Every Podcast. One of the background jobs is loading new episodes from known feeds. Because this relies on external resources, many things that are out of my control can go wrong. To isolate the individual fetch and potential errors, I automatically create a job for every single podcast update. This obviously leads to a lot of jobs. Sidekiq comes with a UI that allows me to monitor the job queue, find dead jobs and see the throughput. While looking on how to secure the backend interface I found many articles, also from the developers themselves, that recommend using the authentication framework Devise. I didn’t want to introduce a whole framework for a single use case, especially considering that there are currently no user accounts supported. Instead, something like Basic Auth is enough for my use case. I came across this Stackoverflow post which suggested a solution similar to the one shown below. I added a default username and password if they’re not set to allow for easier local testing. In a production environment those values are coming from environment variables.

Sidekiq::Web.use(Rack::Auth::Basic) do |user, password|
  # Protect against timing attacks:
  # - See https://codahale.com/a-lesson-in-timing-attacks/
  # - See https://thisdata.com/blog/timing-attacks-against-string-comparison/
  # - Use & (do not use &&) so that it doesn't short circuit.
  # - Use digests to stop length information leaking
  Rack::Utils.secure_compare(::Digest::SHA256.hexdigest(user),
                             ::Digest::SHA256.hexdigest(ENV['SIDEKIQ_USER'] || 'admin')) &
    Rack::Utils.secure_compare(::Digest::SHA256.hexdigest(password), ::Digest::SHA256.hexdigest(ENV['SIDEKIQ_PASSWORD'] || 'password'))
end