What are feature flags in software development?

Feature flags (also called feature toggles) are conditional code paths that let teams deploy code to production while controlling who sees a feature. Instead of keeping code in long-running branches, features are wrapped in flag checks and released as dark code — invisible until you choose to enable them. This separates deployment (pushing code) from release (making it visible), giving teams precise control over rollout without additional deployments.

What is a percentage rollout in feature flags?

A percentage rollout gradually exposes a feature to an increasing fraction of users — for example, 5% in week one, then 25%, then 100%. To prevent the same user from randomly flipping between old and new experiences across sessions, rollout systems use consistent hashing: the user ID and flag key are hashed to a stable bucket between 0 and 99. A user always falls in the same bucket, so their flag state never changes mid-session.

When should I delete a feature flag?

A release flag should be deleted as soon as the feature reaches 100% rollout — typically within two to six weeks of initial deployment. Flags left in code create technical debt and, as the Knight Capital incident demonstrated, can activate broken code paths years later. Every flag needs a documented owner and an expiry date. A naming convention like ff_2025_q2_feature_name makes the creation period visible at a glance.

What is the difference between a release flag and a permission flag?

A release flag is temporary — it hides an incomplete or unvalidated feature during development and is deleted once the feature is fully live. A permission flag is permanent — it gates access based on user attributes like subscription plan or role. Release flags are cleaned up after weeks; permission flags live indefinitely as part of your entitlement system. Mixing the two without clear naming conventions is a common cause of flag sprawl.

Should feature flags be evaluated on the frontend or the backend?

Both. Frontend-only flag evaluation is a security risk — users can inspect JavaScript bundles to find and enable hidden features. Every flag must also be evaluated server-side to gate the API endpoints the feature uses. A UI button hidden by a flag but backed by an API that still responds is not a hidden feature — it is an unauthorised endpoint. Always enforce flags at both the UI layer and the API layer.

Feature Flags: Targeting, Rollouts, and Cleanup

Infoveave Engineering Team·May 2026·Updated May 2026·8 min read

What you will learn: What feature flags are, the four types, how to target them to specific users and regions, how to keep them clean, and when to build vs buy.

The Friday Problem

Every developer knows this feeling. It is 5 PM on a Friday. Your code is reviewed, merged, and the pipeline is green. But nobody deploys on Friday — because if something breaks, you are fixing it at 2 AM.

Feature flags are the engineering answer to this fear.

The core idea: deploy your code to production, but control who sees it. The code is live. The feature stays invisible until you decide to turn it on — for whoever you choose.

csharp

public IActionResult GetDashboard()
{
    if (_flags.IsEnabled("new_dashboard", userId))
        return View("NewDashboard");

    return View("OldDashboard");
}

The Four Types of Feature Flags

Not all flags are the same. Mixing them up is how teams end up with a mess.

Type	What It Does	Lifetime
Release Flag	Hides an incomplete feature while you build it. Delete once fully live.	Days to weeks
Experiment Flag	A/B testing. Route 50% to old, 50% to new. Measure. Winner survives.	Duration of experiment
Ops Flag	Kill switch. Turn off a heavy feature instantly if it hurts your DB. No deployment needed.	Permanent, rarely toggled
Permission Flag	Free users see basic export. Pro users see advanced export. Cleaner than hardcoded role checks.	Permanent

How Targeting Works — The Context Object

Every flag evaluation takes a context object — a bundle of information about the current user that the flag engine uses to make its decision.

csharp

var context = new EvaluationContext
{
    UserId  = "user_9821",
    Plan    = "enterprise",
    Region  = "South India",
    City    = "Bengaluru",
    Country = "IN",
    Company = "Infoveave",
    Role    = "admin",
    Custom  = new Dictionary<string, string>
    {
        { "accountAge", "18months" }
    }
};

bool showFeature = _flags.IsEnabled("new_report_builder", context);

You pass this context on every flag call. The engine compares it against your targeting rules and returns true or false.

Targeting Rules — Who Sees What and Why

By User ID

Good for internal testing — turn it on for your own account first.

userId IS IN ["user_001", "user_002"]

By Region or City

Test a new checkout flow in Karnataka before rolling out across India.

region IS IN ["Karnataka", "Maharashtra"]

By Customer Plan

Advanced export should only be visible to Pro and Enterprise customers.

plan IS IN ["pro", "enterprise"]

By Company

In B2B products, enable for one client before everyone else sees it.

company IS IN ["Infoveave", "TataConsultancy"]

Combining Rules

Rules can use AND / OR logic for surgical precision.

plan IS "enterprise"
  AND region IS "South India"
  AND role IS "admin"
→ Only enterprise admins from South India see this feature

Percentage Rollouts — Gradual Exposure

When you do not want to target specific attributes but want to slowly open the feature, use a percentage rollout with consistent hashing:

csharp

public bool IsInRollout(string userId, string flagKey, int percentage)
{
    string input = $"{userId}:{flagKey}";
    using var md5 = MD5.Create();
    byte[] hash  = md5.ComputeHash(Encoding.UTF8.GetBytes(input));
    int bucket   = Math.Abs(BitConverter.ToInt32(hash, 0)) % 100;
    return bucket < percentage;
}

Same userId + flagKey always produces the same hash — so the same user never randomly flips between old and new experiences across sessions.

A realistic rollout ladder:

Phase	Rule	Who Sees It
Week 1	`userId IN [your team]`	Just your dev and QA team
Week 2	`company IS "BetaClient"`	One trusted client
Week 3	`plan IS "enterprise" AND region IS "South India"`	Enterprise users, South India only
Week 4	`plan IS "enterprise"` + 50% rollout	Half of all enterprise users
Week 5	`plan IS "enterprise"`	All enterprise users
Week 6	100% rollout	Everyone — then delete the flag

Dual Evaluation — Frontend and Backend

Never check flags only in React. A user can inspect your JS bundle and enable hidden features. Always evaluate on both layers.

csharp

// .NET — evaluate on the server, send decisions to frontend
var features = new {
    newReportBuilder = _flags.IsEnabled("new_report_builder", userId),
    advancedExport   = _flags.IsEnabled("advanced_export", userId)
};

tsx

// React — consume via context hook
const ReportPage = () => {
    const hasNewBuilder = useFeature("newReportBuilder");
    return hasNewBuilder ? <NewReportBuilder /> : <OldReportBuilder />;
};

csharp

// API — gate the endpoint too, not just the UI
[HttpPost("report/advanced")]
public IActionResult GenerateAdvancedReport()
{
    if (!_flags.IsEnabled("advanced_export", GetUserId()))
        return Forbid();
}

A hidden UI button is a UX decision. A hidden API endpoint that still responds is a security hole.

Flag Ownership and Expiry — The Rule Nobody Follows

In August 2012, Knight Capital deployed new software to eight of nine servers. The ninth had a stale, forgotten feature flag that activated a broken trading algorithm. It ran for 45 minutes. They lost $440 million — roughly ₹3,700 crore. The company was sold within days. (SEC Administrative Proceeding, 2013)

The flag was not the bug. The forgotten flag was the bug.

Every flag you create must have three things:

An owner — who is responsible for cleaning it up
A creation date — when was it added
An expiry date — after which it must be reviewed or deleted

Use a naming convention like ff_2025_q2_new_report_builder. In 18 months, this tells you exactly when it was created and what it controls. A name like newReportBuilder tells you nothing.

Performance Considerations

1. Caching Flag Evaluations

If you evaluate the same flag multiple times in a single request, you get unnecessary repeated computation or network calls:

csharp

// Avoid — called twice
_flags.IsEnabled("new_dashboard", userId);
_flags.IsEnabled("new_dashboard", userId);

Cache the result per request instead:

csharp

var featureCache = new Dictionary<string, bool>();

bool IsEnabledCached(string key, string userId)
{
    if (!featureCache.ContainsKey(key))
        featureCache[key] = _flags.IsEnabled(key, userId);

    return featureCache[key];
}

2. Batching Evaluations

Instead of calling the flag service once per flag:

csharp

// Avoid — three round trips
var a = _flags.IsEnabled("A", userId);
var b = _flags.IsEnabled("B", userId);
var c = _flags.IsEnabled("C", userId);

Fetch all flags in one call:

csharp

// Prefer — one round trip
var features = _flags.GetAll(userId);
features["A"];
features["B"];
features["C"];

Batching reduces network calls, improves response time, and keeps the flag service from becoming a bottleneck under load.

Build vs Buy

Option	Best For	Cost
Roll your own	Release and permission flags only. Small teams.	Free — dev time
Unleash	Open source, self-hosted. Solid .NET SDK.	Free (self-hosted)
PostHog	Flags + A/B testing + session recordings.	Generous free tier
LaunchDarkly	Industry gold standard. Full targeting, audit logs.	Paid

If you only need release and permission flags — roll your own or use Unleash. If you need A/B experiments with metric tracking — use a managed service.

The Key Takeaway

A feature flag is not just an on/off switch. It is a targeting engine that asks one question at runtime:

"Given everything I know about this user — their plan, region, role, company — should they see this feature right now?"

Start with userId for internal testing. Add plan for plan-based access. Add region for geographic rollouts. Combine them for precision. Set expiry dates so you are not the next Knight Capital story.

Deploy continuously. Release deliberately. Clean up always.

How We Use This at Infoveave

Infoveave is a multi-tenant platform where different customers are on different subscription tiers. Feature flags are how we control which platform capabilities are visible per plan — a customer on the standard tier should not see the Fovea AI query builder if they haven't licensed it, and that gate needs to exist at both the UI and the API layer. We also use release flags when shipping major new features — the code ships dark, we enable it for internal users first, validate it on real data, then roll it out by plan tier. The Knight Capital story in this article is one we reference in internal engineering reviews. Stale flags with no owner are a category of technical debt we actively track and retire on a schedule.

About the Authors

This article was written by the Infoveave Engineering Team — building Unified Data Platform, agentic BI, and enterprise analytics infrastructure. Infoveave (by Noesys Software) helps organisations unify data, automate business processes, and act faster with AI-powered insights.

Visit infoveave.com Follow us on LinkedIn