A Developer’s Guide to Implementing Feature Flags Securely
Choosing a third-party feature flag platform to manage your feature flags is better than creating and managing in-house feature flags. However, it is important to acknowledge the processes needed to secure the implementation of feature flags managed by a third-party platform.
For example, to access an API or a feature flag platform you need secrets, which can be an API key or a token. These secrets have to be used when implementing feature flags on both the client-facing side and the server side. How you add these secrets to your code is what matters the most. Secrets should not be hardcoded, because hardcoded secrets can be retrieved during a cyber breach. Secrets aren’t the only thing that has to be implemented securely. There are other security factors that have to be considered when integrating feature flags into your application.
In this article, you will learn different aspects of code that have to be prioritized when implementing feature flags in your application.
How to Handle Secrets Properly
Hardcoded secrets are credentials that have been embedded in the application code or exposed to the public in the codebase. Anyone who has access to the code can see the secrets; this creates an issue where unauthorized users can view API keys. Below are examples of hardcoded secrets:
const apiKey = 55676;
const tokenID = 6677330964545;
Mishandling Unleash API keys and tokens gives malicious users an opportunity to take over your feature flags. Feature flags have to be used appropriately to avoid causing any issue that inflicts damage to application services.
It is also important not to ship any code that has API keys to code hosting platforms like GitHub and Bitbucket. Unleash offers several secrets that you can use to authenticate and integrate your feature flags into your application. Below are examples of keys and tokens Unleash uses:
- Client keys are used for integrating the server side and the Unleash proxy.
- Personal access tokens are used for access to the Unleash platform.
- Proxy client keys are used for integrating the client proxy with the Unleash proxy.
The Unleash feature flag platform provides you with observability over shared tokens. The platform gives you a list of all the shared API access tokens, and you can delete any access token that is no longer needed or whose user is no longer authorized. Deleting an API token instantly cuts off access to that designated API.
A secure way of using secrets in your codebase is to create a .env file, keep that file out of the repository, and add the secrets to it:
API_KEY="Your API Key"
Token_ID="Your Secret Key"
The secrets can be retrieved by creating a variable that is assigned to the secrets stored in the .env file. You have to specify the name of the secret you are trying to retrieve. This method differs across different languages and frameworks.
const API_KEY = process.env.API_KEY
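To make the contrast between the hardcoded lines and the environment lookup concrete, the following added example (not code from Unleash or from the original article) scans source text for literal values assigned to secret-looking names and reads a secret from the environment with a fail-fast check. The names `findHardcodedSecrets`, `requireSecret` and `SECRET_NAME` are hypothetical, and the sample source is constructed.

```javascript
// Added example, not Unleash code. SECRET_NAME, findHardcodedSecrets and
// requireSecret are hypothetical names; the sample source is constructed.
const SECRET_NAME = /(api[_-]?key|token|secret|password)/i;
// An identifier assigned a quoted string or a bare number. Reads such as
// process.env.API_KEY do not match because the right-hand side is not a literal.
const LITERAL_ASSIGNMENT =
  /\b(?:const|let|var)?\s*([A-Za-z_$][\w$]*)\s*[:=]\s*(?:["'`][^"'`]*["'`]|\d+)/;

// Return the line number and variable name of every secret-looking literal.
function findHardcodedSecrets(source) {
  const findings = [];
  source.split('\n').forEach((line, index) => {
    const match = LITERAL_ASSIGNMENT.exec(line);
    if (match && SECRET_NAME.test(match[1])) {
      findings.push({ line: index + 1, name: match[1] });
    }
  });
  return findings;
}

// Read a secret from the environment and fail at startup if it is absent,
// instead of sending requests with "undefined" as the credential.
function requireSecret(env, name) {
  const value = env[name];
  if (typeof value !== 'string' || value.trim() === '') {
    throw new Error(`missing required secret: ${name}`);
  }
  return value;
}

// Constructed sample: the page's two hardcoded lines plus two safe lines.
const SAMPLE_SOURCE = [
  'const apiKey = 55676;',
  'const tokenID = 6677330964545;',
  'const API_KEY = process.env.API_KEY;',
  'const retries = 3;',
].join('\n');

console.log(findHardcodedSecrets(SAMPLE_SOURCE));
console.log(requireSecret({ API_KEY: 'constructed-value' }, 'API_KEY').length);
```

A check like this fits a pre-commit hook or CI step; in the application itself, pass `process.env` as the `env` argument.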
Running Feature Flag State Unit Tests
Deploying feature flags that have been unit-tested gives you reassurance that everything will function as expected. Unit tests are imperative for checking if a feature flag functions as expected when switched off or on. Unit tests do so by enabling you to simulate the two states of the feature flag.
Without proper testing, feature flags can lead to technical debt, as poorly implemented flags might cause hidden bugs or performance issues. A new feature flag accidentally misconfigured for certain users could break existing functionality, leading to crashes or data corruption. Regular unit testing helps in identifying and addressing such problems early in the development cycle.
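The following added example (not from the original article or the Unleash SDK) simulates both flag states with a test double and also covers two failure modes: a flag the service does not know and a malformed flag value. The `flags` client with an `isEnabled(name)` method, `navigationLinks` and `fakeFlags` are hypothetical names chosen for illustration.

```javascript
// Added example, not Unleash SDK code. `flags` is a hypothetical client exposing
// isEnabled(name); navigationLinks and fakeFlags are illustrative names.
const FLAG = 'enable_metrics_dashboard';

// Code under test: the metrics link appears only when the flag is on.
function navigationLinks(flags) {
  const links = ['home', 'settings'];
  let enabled = false;
  try {
    // Strict comparison: a malformed value such as the string "false" stays off.
    enabled = flags.isEnabled(FLAG) === true;
  } catch (err) {
    enabled = false; // flag lookup failed: keep the existing behaviour
  }
  return enabled ? [...links, 'metrics'] : links;
}

// Test double that simulates flag states without contacting a flag server.
function fakeFlags(states) {
  return {
    isEnabled(name) {
      if (!(name in states)) throw new Error(`unknown flag: ${name}`);
      return states[name];
    },
  };
}

// Each case pins one flag state to the output the application must produce.
const CASES = [
  { label: 'flag on', states: { [FLAG]: true }, expected: ['home', 'settings', 'metrics'] },
  { label: 'flag off', states: { [FLAG]: false }, expected: ['home', 'settings'] },
  { label: 'flag missing', states: {}, expected: ['home', 'settings'] },
  { label: 'malformed value', states: { [FLAG]: 'false' }, expected: ['home', 'settings'] },
];

function runFlagStateTests() {
  return CASES.map(({ label, states, expected }) => {
    const actual = navigationLinks(fakeFlags(states));
    const passed = JSON.stringify(actual) === JSON.stringify(expected);
    return { label, passed };
  });
}

console.log(runFlagStateTests());
```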
Enforcing Good Communication and HTTPS
We always have to keep in mind that someone will review and execute our code. Therefore, it is important to ensure that we follow coding best practices to boost communication and security. Failing to communicate through comments makes it difficult for co-developers and reviewers to understand and debug the application.
Poor documentation slows down development and increases technical debt. For example, a team might introduce feature flags haphazardly without documentation, leading to confusion and errors among developers.
Writing Comments
It is important to explain the full function of the feature flag in the comments and also the consequences of switching on/off a feature flag. Comments make it easy for code reviewers to understand feature flags during the coding review procedure. Document the purpose, usage, and status of each feature flag. This should include information on how and when the flag can be safely removed.
Naming Conventions
Feature flags have to be given descriptive names for easy understanding. A person who does not know the feature flag has to be able to comprehend its purpose from reading the name.
The following feature flag name is a good example because it explains exactly what the feature flag does. Any developer who does not know the feature flag will understand that, when the feature flag is on, the metrics dashboard will be enabled:
is_feature_enabled('enable_metrics_dashboard')
The feature flag below is a bad example: a developer wouldn’t understand its purpose from the name. Giving feature flags short and unspecific names is detrimental because confusion will strike when the code writer forgets what the feature flag does exactly:
is_feature_enabled('flag1')
Protecting HTTP Requests
Leaving the HTTP requests related to feature flags unprotected can expose an application to various attacks. For example, a lack of input validation or secure protocols could result in Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and injection attacks. Using HTTPS protects your payload from being intercepted or corrupted in transit. Unleash provides you with HTTPS request templates for your feature flag integration with your application. You can copy the templates and modify the contents of the request. It is advisable to use these templates because they are HTTPS-secured.
curl --location --request PUT 'https://eu.app.unleash-hosted.com/eugg0002/api/admin/projects/default' \
--header 'Authorization: INSERT_API_KEY' \
--header 'Content-Type: application/json' \
--data-raw '{
  "id": "default",
  "name": "Default",
  "description": "Default project",
  "defaultStickiness": "default",
  "featureLimit": null
}'
Besides using the Unleash templates, it is important to implement the following security practices:
- Rotating API keys: API keys used in HTTP requests have to be changed or rotated. API keys can be accidentally exposed and stolen without the owner knowing for a long period. Rotating API keys makes lost API keys and tokens useless. This saves you from data breaches.
- Log API requests: Logging helps in monitoring, debugging, and auditing API usage. It is also crucial for detecting suspicious activities and understanding application behavior. You can use tools such as Datadog and Prometheus for monitoring API calls.
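One way to combine the HTTPS requirement with request logging is sketched in the following added example, which is not an Unleash template or code from the original article: it builds the request without sending it, refuses any URL that is not HTTPS, and produces a log record with the API key redacted. `buildFlagRequest`, `toLogEntry` and `SENSITIVE_HEADERS` are hypothetical names, and the host and key are constructed placeholders.

```javascript
// Added example, not an Unleash template. buildFlagRequest and toLogEntry are
// hypothetical helpers; the host and key below are constructed placeholders.
const SENSITIVE_HEADERS = new Set(['authorization', 'cookie', 'x-api-key']);

// Build the request without sending it, refusing any URL that is not HTTPS.
function buildFlagRequest(rawUrl, apiKey, body) {
  const url = new URL(rawUrl); // throws on malformed input
  if (url.protocol !== 'https:') {
    throw new Error(`refusing non-HTTPS URL for host ${url.host}`);
  }
  if (typeof apiKey !== 'string' || apiKey === '') {
    throw new Error('API key is missing');
  }
  return {
    url: url.toString(),
    method: 'PUT',
    headers: { Authorization: apiKey, 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  };
}

// Produce an audit record: who was called and with what result, but never the
// credential, the query string, or the request body.
function toLogEntry(request, status, now = new Date()) {
  const url = new URL(request.url);
  const headers = {};
  for (const [name, value] of Object.entries(request.headers)) {
    headers[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? '[REDACTED]' : value;
  }
  return {
    time: now.toISOString(),
    method: request.method,
    host: url.host,
    path: url.pathname,
    status,
    headers,
  };
}

const sampleRequest = buildFlagRequest(
  'https://unleash.example.com/api/admin/projects/default',
  'constructed-placeholder-key',
  { id: 'default', name: 'Default' },
);
console.log(JSON.stringify(toLogEntry(sampleRequest, 200)));
```

Because the log record never contains the key, shipping these records to a monitoring system does not turn the log store into another place the key can leak from.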
Conclusion
Implementing feature flags securely is crucial for maintaining the integrity and security of your applications. By following best practices for handling secrets, conducting thorough unit tests, and protecting HTTP requests, you can ensure a robust and secure feature flag implementation. Leveraging third-party feature flag platforms such as Unleash can significantly ease the management process, but security should always be a top priority when implementing feature flags.