Client Boot Flags

Feature Flag App

The app boots with unsafe feature flags set in the browser: a global window.FEATURE_FLAGS object enables admin affordances and auth-bypass logic before the server has confirmed any session or role. Because the flags live in client-controlled memory and default to enabled, anyone can unlock the admin UI, and the bypass flag skips authentication entirely.

CWE-602 (Client-Side Enforcement of Server-Side Security), CWE-306 (Missing Authentication for Critical Function)
Runtime flags

Expected Findings

  • Admin and bypass flags are client-side and default-enabled.

Primary Flows

Signals

Flags
window.FEATURE_FLAGS = { enableAdmin: true, bypassAuth: true }
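The snippet below is an added example, not the lab's own code. It reproduces the boot pattern above under Node (window is simulated as a plain object), contrasts it with a boot that takes authentication and role only from a server session response, and adds an audit check that lists default-enabled flags whose names look security-relevant. The function names, the sensitive-name regex and the GET /session response shape are assumptions; the session response is constructed inline.

```javascript
// Added example, not the lab's own code. window is a plain object so this runs under Node.
// Function names, the SENSITIVE regex and the /session response shape are assumptions.

// Vulnerable boot: mirrors window.FEATURE_FLAGS = { enableAdmin: true, bypassAuth: true }.
// Flags are client-side, default-enabled and trusted before any server round trip
// (CWE-602 for enableAdmin, CWE-306 for bypassAuth).
function vulnerableBoot(win) {
  win.FEATURE_FLAGS = { enableAdmin: true, bypassAuth: true };
  const state = { authenticated: false, isAdmin: false };
  if (win.FEATURE_FLAGS.bypassAuth) state.authenticated = true; // no login performed
  if (win.FEATURE_FLAGS.enableAdmin) state.isAdmin = true;      // admin UI unlocked
  return state;
}

// Hardened boot: flags ship disabled and are never consulted for auth or role.
// sessionResponse is a constructed stand-in for what a hypothetical authenticated
// GET /session would return; anything other than a 200 fails closed.
function hardenedBoot(win, sessionResponse) {
  win.FEATURE_FLAGS = { enableAdmin: false, bypassAuth: false };
  const state = { authenticated: false, isAdmin: false };
  if (!sessionResponse || sessionResponse.status !== 200) return state;
  const s = sessionResponse.body || {};
  state.authenticated = s.authenticated === true;
  state.isAdmin =
    state.authenticated && Array.isArray(s.roles) && s.roles.includes("admin");
  return state;
}

// What an attacker does from devtools after boot: flip the flags in place.
function tamper(win) {
  win.FEATURE_FLAGS.enableAdmin = true;
  win.FEATURE_FLAGS.bypassAuth = true;
}

// UI gate for the hardened app: decided by server-derived state only, so
// tamper() cannot change its answer. The server must still authorize the
// admin endpoints themselves; this only stops the client from self-promoting.
function showAdminNav(state) {
  return state.isAdmin === true;
}

// Audit check for the "Expected Findings" bullet: names of flags that look
// security-relevant (assumed regex) and are truthy at boot. Cosmetic flags are ignored.
const SENSITIVE = /admin|bypass|auth|debug|skip|internal/i;
function auditFlags(flags) {
  return Object.entries(flags || {})
    .filter(([name, value]) => SENSITIVE.test(name) && Boolean(value))
    .map(([name]) => name);
}

// Runs both boots end to end and returns what a reviewer would compare.
function demo() {
  const vulnWin = {};
  const vulnerable = vulnerableBoot(vulnWin);
  const unsafeFlags = auditFlags(vulnWin.FEATURE_FLAGS);

  const hardWin = {};
  const hardened = hardenedBoot(hardWin, {
    status: 200,
    body: { authenticated: true, roles: ["user"] }, // constructed session response
  });
  tamper(hardWin); // attacker flips flags after boot
  return {
    vulnerable,
    unsafeFlags,
    hardenedAfterTamper: hardened,
    adminNavShown: showAdminNav(hardened),
  };
}
```

In the vulnerable boot the audit returns both flags and the state is admin with no login; in the hardened boot a regular user stays non-admin even after the flags are flipped, because nothing after boot reads them.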