Section 33 · API & Security
Feature Flags & Rollouts
Audit guide for feature flag systems, gradual rollouts, A/B testing, and kill switches.
This guide walks you through auditing a project's feature flag system - gradual rollouts, A/B testing capabilities, kill switches, and targeting.
The Goal: Deployments Decoupled from Releases
Ship code anytime, release features when ready. Feature flags give you control over what users see without redeploying.
- Enabled — A feature flag system exists and is actively used (env vars for small projects, dedicated service for larger ones)
- Gradual — Percentage-based rollouts, sticky user assignment, and segment targeting are available
- Kill switches — Critical features (payments, external APIs, new features) can be toggled without a deploy
- Instant — Kill switch toggle time is under 5 minutes, ideally instant via dashboard
- Documented — Runbooks exist for disabling features during incidents
Before You Start
- Identify project scale (small projects can use env vars, larger projects need dedicated service)
- Identify feature flag service (GrowthBook, LaunchDarkly, Unleash, Flagsmith, custom)
- Identify deployment frequency (frequent deploys benefit more from feature flags)
- Check for existing flags (are they actually in use or just installed?)
General
- Feature flag system exists (env vars for small projects, GrowthBook for larger) with capabilities for percentage rollouts, A/B testing, sticky assignment, and user segment targeting
  “How do you ship to 5% of users without a deploy?”
- Critical features have kill switches that can be toggled in < 5 minutes without deploy, with documented procedures and controlled access
  “How fast can you disable that new feature if it's melting prod?”
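As an added example (not code from this guide or from any flag vendor), a minimal evaluator that shows what the two checklist items above ask for: sticky percentage rollout via hashing, segment targeting, and a kill switch that overrides everything and fails closed. The flag field names and sample flags are constructed assumptions, standing in for what a real service would serve at runtime.

```python
import hashlib

# Constructed flag definitions (field names are assumptions), standing in for
# the config a flag service (GrowthBook, LaunchDarkly, Unleash, ...) serves.
FLAGS = {
    "new-checkout": {"rollout": 5, "segment": {"country": {"US", "CA"}}, "killed": False},
    "pay-with-crypto": {"rollout": 100, "segment": None, "killed": True},
}

def bucket(flag_key: str, user_id: str) -> float:
    """Map (flag, user) to a stable point in [0, 100).

    Hashing flag key and user id together makes assignment sticky (the same
    user always lands in the same bucket for this flag) while decorrelating
    buckets across flags (being in the 5% for one flag says nothing about
    another). Raising the rollout percentage never drops a user already in.
    """
    digest = hashlib.sha256(f"{flag_key}:{user_id}".encode()).digest()
    return int.from_bytes(digest[:8], "big") / 2**64 * 100

def is_enabled(flag_key: str, user: dict, flags: dict = FLAGS) -> bool:
    """Evaluate a flag: kill switch first, then segment, then rollout %."""
    flag = flags.get(flag_key)
    if flag is None or flag["killed"]:
        return False  # unknown or killed flags are off: fail closed
    segment = flag.get("segment")
    if segment and any(user.get(attr) not in allowed for attr, allowed in segment.items()):
        return False
    return bucket(flag_key, user["id"]) < flag["rollout"]

def kill(flag_key: str, flags: dict = FLAGS) -> dict:
    """Flip the kill switch at runtime: no redeploy, next evaluation sees it."""
    flags[flag_key]["killed"] = True
    return flags

def rollout_share(flag_key: str, users: list, flags: dict = FLAGS) -> float:
    """Fraction of users that would see the feature, to sanity-check a rollout."""
    return sum(is_enabled(flag_key, u, flags) for u in users) / len(users)

if __name__ == "__main__":
    # Constructed sample population, all inside the targeted segment.
    users = [{"id": f"user-{i}", "country": "US"} for i in range(20000)]
    print(f"new-checkout share: {rollout_share('new-checkout', users):.3f}")
    kill("new-checkout")
    print(f"after kill: {rollout_share('new-checkout', users):.3f}")
```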