tiny-feature-flags is a runtime feature flag evaluation library. While designed to be safe by default, its security depends on how it is used in applications.
- Always load flags from trusted, HTTPS sources.
- Do not expose flags that control sensitive logic to untrusted clients.
- Avoid putting any secrets or credentials in flag definitions or traits.
- Ensure `userId` and other traits are validated and sanitized before use (type, length and character set), especially when they originate from clients.
- Do not rely on `rollout` for access control or entitlements: a percentage rollout decides who is shown a feature, not who is authorized to use it. Gate sensitive actions with a server-side authorization check.
If you discover a security issue, please do not open a GitHub issue. Instead, contact:
We will respond promptly and handle disclosures responsibly.