diff --git a/app/vmagent/main.go b/app/vmagent/main.go
index 19c54e95c7..8593401782 100644
--- a/app/vmagent/main.go
+++ b/app/vmagent/main.go
@@ -347,7 +347,7 @@ func requestHandler(w http.ResponseWriter, r *http.Request) bool {
 		}
 		return true
 	case "/prometheus/config", "/config":
-		if !httpserver.CheckAuthFlag(w, r, configAuthKey, "configAuthKey") {
+		if !httpserver.CheckAuthFlag(w, r, *configAuthKey, "configAuthKey") {
 			return true
 		}
 		promscrapeConfigRequests.Inc()
@@ -356,7 +356,7 @@ func requestHandler(w http.ResponseWriter, r *http.Request) bool {
 		return true
 	case "/prometheus/api/v1/status/config", "/api/v1/status/config":
 		// See https://prometheus.io/docs/prometheus/latest/querying/api/#config
-		if !httpserver.CheckAuthFlag(w, r, configAuthKey, "configAuthKey") {
+		if !httpserver.CheckAuthFlag(w, r, *configAuthKey, "configAuthKey") {
 			return true
 		}
 		promscrapeStatusConfigRequests.Inc()
diff --git a/app/vmauth/main.go b/app/vmauth/main.go
index 2241a5626c..c79173d3e0 100644
--- a/app/vmauth/main.go
+++ b/app/vmauth/main.go
@@ -60,7 +60,7 @@ func main() {
 func requestHandler(w http.ResponseWriter, r *http.Request) bool {
 	switch r.URL.Path {
 	case "/-/reload":
-		if !httpserver.CheckAuthFlag(w, r, reloadAuthKey, "reloadAuthKey") {
+		if !httpserver.CheckAuthFlag(w, r, *reloadAuthKey, "reloadAuthKey") {
 			return true
 		}
 		configReloadRequests.Inc()
diff --git a/app/vmselect/main.go b/app/vmselect/main.go
index b1ed4a5291..bf98ce5e9d 100644
--- a/app/vmselect/main.go
+++ b/app/vmselect/main.go
@@ -237,7 +237,7 @@ func requestHandler(w http.ResponseWriter, r *http.Request) bool {
 
 	path := strings.Replace(r.URL.Path, "//", "/", -1)
 	if path == "/internal/resetRollupResultCache" {
-		if !httpserver.CheckAuthFlag(w, r, resetCacheAuthKey, "resetCacheAuthKey") {
+		if !httpserver.CheckAuthFlag(w, r, *resetCacheAuthKey, "resetCacheAuthKey") {
 			return true
 		}
 		promql.ResetRollupResultCache()
diff --git a/app/vmstorage/main.go b/app/vmstorage/main.go
index 31511dd80b..f9b4ee65b0 100644
--- a/app/vmstorage/main.go
+++ b/app/vmstorage/main.go
@@ -170,7 +170,7 @@ func newRequestHandler(strg *storage.Storage) httpserver.RequestHandler {
 func requestHandler(w http.ResponseWriter, r *http.Request, strg *storage.Storage) bool {
 	path := r.URL.Path
 	if path == "/internal/force_merge" {
-		if !httpserver.CheckAuthFlag(w, r, forceMergeAuthKey, "forceMergeAuthKey") {
+		if !httpserver.CheckAuthFlag(w, r, *forceMergeAuthKey, "forceMergeAuthKey") {
 			return true
 		}
 		// Run force merge in background
@@ -189,7 +189,7 @@ func requestHandler(w http.ResponseWriter, r *http.Request, strg *storage.Storag
 		return true
 	}
 	if path == "/internal/force_flush" {
-		if !httpserver.CheckAuthFlag(w, r, forceFlushAuthKey, "forceFlushAuthKey") {
+		if !httpserver.CheckAuthFlag(w, r, *forceFlushAuthKey, "forceFlushAuthKey") {
 			return true
 		}
 		logger.Infof("flushing storage to make pending data available for reading")
@@ -199,7 +199,7 @@ func requestHandler(w http.ResponseWriter, r *http.Request, strg *storage.Storag
 	if !strings.HasPrefix(path, "/snapshot") {
 		return false
 	}
-	if !httpserver.CheckAuthFlag(w, r, snapshotAuthKey, "snapshotAuthKey") {
+	if !httpserver.CheckAuthFlag(w, r, *snapshotAuthKey, "snapshotAuthKey") {
 		return true
 	}
 	path = path[len("/snapshot"):]
diff --git a/lib/httpserver/httpserver.go b/lib/httpserver/httpserver.go
index a307e2db83..d3aca6d777 100644
--- a/lib/httpserver/httpserver.go
+++ b/lib/httpserver/httpserver.go
@@ -292,7 +292,7 @@ func handlerWrapper(s *server, w http.ResponseWriter, r *http.Request, rh Reques
 		return
 	case "/metrics":
 		metricsRequests.Inc()
-		if !CheckAuthFlag(w, r, metricsAuthKey, "metricsAuthKey") {
+		if !CheckAuthFlag(w, r, *metricsAuthKey, "metricsAuthKey") {
 			return
 		}
 		startTime := time.Now()
@@ -301,7 +301,7 @@ func handlerWrapper(s *server, w http.ResponseWriter, r *http.Request, rh Reques
 		metricsHandlerDuration.UpdateDuration(startTime)
 		return
 	case "/flags":
-		if !CheckAuthFlag(w, r, flagsAuthKey, "flagsAuthKey") {
+		if !CheckAuthFlag(w, r, *flagsAuthKey, "flagsAuthKey") {
 			return
 		}
 		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
@@ -320,7 +320,7 @@ func handlerWrapper(s *server, w http.ResponseWriter, r *http.Request, rh Reques
 	default:
 		if strings.HasPrefix(r.URL.Path, "/debug/pprof/") {
 			pprofRequests.Inc()
-			if !CheckAuthFlag(w, r, pprofAuthKey, "pprofAuthKey") {
+			if !CheckAuthFlag(w, r, *pprofAuthKey, "pprofAuthKey") {
 				return
 			}
 			DisableResponseCompression(w)
@@ -344,16 +344,14 @@ func handlerWrapper(s *server, w http.ResponseWriter, r *http.Request, rh Reques
 // CheckAuthFlag checks whether the given authKey is set and valid
 //
 // Falls back to checkBasicAuth if authKey is not set
-func CheckAuthFlag(w http.ResponseWriter, r *http.Request, flagValue *string, flagName string) bool {
-	if len(*flagValue) == 0 {
+func CheckAuthFlag(w http.ResponseWriter, r *http.Request, flagValue string, flagName string) bool {
+	if flagValue == "" {
 		return CheckBasicAuth(w, r)
 	}
-
-	if r.FormValue("authKey") != *flagValue {
+	if r.FormValue("authKey") != flagValue {
 		http.Error(w, fmt.Sprintf("The provided authKey doesn't match -%s", flagName), http.StatusUnauthorized)
 		return false
 	}
-
 	return true
 }