diff --git a/src/crypto/crypto_hkdf.cc b/src/crypto/crypto_hkdf.cc
index 43bf8a93505bb7..7663dd69374db7 100644
--- a/src/crypto/crypto_hkdf.cc
+++ b/src/crypto/crypto_hkdf.cc
@@ -87,6 +87,10 @@ Maybe<bool> HKDFTraits::AdditionalConfig(
       : info.ToByteSource();
 
   params->length = args[offset + 4].As<Uint32>()->Value();
+  // HKDF-Expand computes up to 255 HMAC blocks, each having as many bits as the
+  // output of the hash function. 255 is a hard limit because HKDF appends an
+  // 8-bit counter to each HMAC'd message, starting at 1.
+  constexpr size_t kMaxDigestMultiplier = 255;
   size_t max_length = EVP_MD_size(params->digest) * kMaxDigestMultiplier;
   if (params->length > max_length) {
     THROW_ERR_CRYPTO_INVALID_KEYLEN(env);
diff --git a/src/crypto/crypto_hkdf.h b/src/crypto/crypto_hkdf.h
index ef2d03c2091595..c4a537cef8a792 100644
--- a/src/crypto/crypto_hkdf.h
+++ b/src/crypto/crypto_hkdf.h
@@ -11,8 +11,6 @@
 
 namespace node {
 namespace crypto {
-static constexpr size_t kMaxDigestMultiplier = 255;
-
 struct HKDFConfig final : public MemoryRetainer {
   CryptoJobMode mode;
   size_t length;