diff --git a/roundup/anypy/http_.py b/roundup/anypy/http_.py
index 5858e56e..8975988a 100644
--- a/roundup/anypy/http_.py
+++ b/roundup/anypy/http_.py
@@ -5,3 +5,4 @@
     # Python 2.5-2.7
     import BaseHTTPServer as server  # noqa: F401
     import httplib as client  # noqa: F401
+    client.TOO_MANY_REQUESTS = 429
diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py
index 376c6762..234bb192 100644
--- a/roundup/cgi/client.py
+++ b/roundup/cgi/client.py
@@ -709,9 +709,8 @@ def handle_rest(self):
             return
         except RateLimitExceeded as err:
             output = s2b("%s" % str(err))
-            # PYTHON2:FIXME http_.client.TOO_MANY_REQUESTS missing
-            # python2 so use numeric code.
-            self.reject_request(output, status=429)
+            self.reject_request(output,
+                                status=http_.client.TOO_MANY_REQUESTS)
             return
 
         # verify Origin is allowed on all requests including GET.
@@ -1156,7 +1155,8 @@ def authenticate_bearer_token(self, challenge):
         # If second or later tokens are < 32 chars, the config system
         # stops the tracker from starting so insecure tokens can not
         # be used.
-        if len(self.db.config.WEB_JWT_SECRET[0]) < 32:
+        CHARS_FOR_256_BIT_KEY = 32
+        if len(self.db.config.WEB_JWT_SECRET[0]) < CHARS_FOR_256_BIT_KEY:
             # no support for jwt, this is fine.
             self.setHeader("WWW-Authenticate", "Basic")
             raise LoginError('Support for jwt disabled by admin.')