← Back to Backend Reliability

Backend Reliability

Use Feature Flags to Degrade Gracefully Instead of Hard Failing

7 min read

Feature flags let you ship code dark, roll out gradually, and disable a broken feature instantly without a deploy.

Rule

Use feature flags to control rollout and degrade non-critical features gracefully.

Why

Hard-coded on/off states require a deploy to fix an incident. Feature flags allow instant response.

Must

  • Default every new feature flag to off (ship dark first).
  • Name flags with a clear context and owner (feature_chat_streaming_v2).
  • Define a kill switch that disables a feature globally within seconds.
  • Remove flags for features that have been fully rolled out for more than one release cycle.

Should

  • Support percentage-based rollout for gradual release.
  • Degrade the UI gracefully when a flag-gated feature is off.

Anti-patterns

  • Leaving dead feature flags accumulating in code.
  • Hardcoding user IDs in flag overrides for production traffic.
  • No graceful fallback when the flag service is unavailable.

Test Cases

  • Flag service unreachable defaults to off.
  • Kill switch disables feature without restart.

Telemetry

  • feature_flag_evaluated (flag, result, user_cohort)
  • feature_flag_killed
  • flag_service_fallback_used