Security: disable feature flag at client-side #4462

adisutanto · 2023-08-10T03:10:55Z

adisutanto
Aug 10, 2023

Security: The proxy evaluates the features for the user on the server-side and by default only exposes results for features that are enabled for the specific user. No feature toggle configuration is ever shared with the user.

What if the API response to client-side is intercepted and modified to feature disabled?
Would an attacker be able to disable an enabled feature?
Is this a security vulnerability?

Answered by daveleek

Aug 10, 2023

Hello @adisutanto!

What if the API response to client-side is intercepted and modified to feature disabled?
Would an attacker be able to disable an enabled feature?

Yes, but you should be using SSL for the traffic, also between Unleash and your internal services, along with allowing proper certificate chain validation. That's the typical way of dealing with potential MITM attacks

View full answer

daveleek · 2023-08-10T09:40:50Z

daveleek
Aug 10, 2023
Maintainer

Hello @adisutanto!

What if the API response to client-side is intercepted and modified to feature disabled?
Would an attacker be able to disable an enabled feature?

Yes, but you should be using SSL for the traffic, also between Unleash and your internal services, along with allowing proper certificate chain validation. That's the typical way of dealing with potential MITM attacks

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Unleash

Security: disable feature flag at client-side #4462

{{title}}

Replies: 1 comment

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Unleash

Security: disable feature flag at client-side #4462

adisutanto Aug 10, 2023

Replies: 1 comment

daveleek Aug 10, 2023 Maintainer

adisutanto
Aug 10, 2023

daveleek
Aug 10, 2023
Maintainer