diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 0a6e67a98..fd9c77a6a 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -26,12 +26,13 @@ class ApplicationController < ActionController::Base
 
     def authenticate_http_basic
       authenticate_or_request_with_http_basic do |username, password|
-        username == Rails.application.secrets.http_basic_username && password == Rails.application.secrets.http_basic_password
+        username == Tenant.current_secrets.http_basic_username &&
+          password == Tenant.current_secrets.http_basic_password
       end
     end
 
     def http_basic_auth_site?
-      Rails.application.secrets.http_basic_auth
+      Tenant.current_secrets.http_basic_auth
     end
 
     def verify_lock
diff --git a/config/secrets.yml.example b/config/secrets.yml.example
index a66abb40a..c6d29ec3b 100644
--- a/config/secrets.yml.example
+++ b/config/secrets.yml.example
@@ -57,8 +57,8 @@ staging:
     # my_tenant_subdomain:
     #   secret_key: my_secret_value
     #
-    # Currently you can overwrite SMTP, SMS, manager and microsoft API
-    # settings.
+    # Currently you can overwrite SMTP, SMS, manager, microsoft API and
+    # HTTP basic settings.
   <<: *maps
   <<: *apis
 
@@ -93,8 +93,8 @@ preproduction:
     # my_tenant_subdomain:
     #   secret_key: my_secret_value
     #
-    # Currently you can overwrite SMTP, SMS, manager and microsoft API
-    # settings.
+    # Currently you can overwrite SMTP, SMS, manager, microsoft API and
+    # HTTP basic settings.
   twitter_key: ""
   twitter_secret: ""
   facebook_key: ""
@@ -134,8 +134,8 @@ production:
     # my_tenant_subdomain:
     #   secret_key: my_secret_value
     #
-    # Currently you can overwrite SMTP, SMS, manager and microsoft API
-    # settings.
+    # Currently you can overwrite SMTP, SMS, manager, microsoft API and
+    # HTTP basic settings.
   twitter_key: ""
   twitter_secret: ""
   facebook_key: ""