Modern applications often run in multiple environments: local, dev, staging, pre-prod, and prod. Middleware can check for the presence of x-dev-access: yes to conditionally enable:
By tying this header to an internal admin network or a development VPN, teams avoid polluting production logs.
Use a reverse proxy or API gateway to strip the X-Dev-Access header from external requests. Then, re-add it only for requests originating from an internal IP range or authenticated service account.
Example NGINX rule:
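    location /api {
        # Remove any incoming dev header from client: an empty value is not forwarded upstream
        set $dev_access "";
        # Add it back only for internal subnets (only the 10.x prefix is matched here)
        if ($remote_addr ~* ^10\.) {
            set $dev_access "yes";
        }
        proxy_set_header X-Dev-Access $dev_access;
    }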
Post:
🚨 x-dev-access yes is live on staging.
If you’re seeing 4xx where 2xx should be — that’s your cue to check headers, not logic. Let’s smoke test before merge.
Inject dev-only features at runtime based on authenticated user identity, not an HTTP header. A developer logs in with their SSO account, and the feature flag service knows to enable verbose logging for that specific user session.
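The identity-based approach above, set beside the header-trusting check it replaces, as an added example that is not code from the original page. The `Request` shape, the `FLAG_SERVICE` table, the `sso_subject` field and the user names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed flag-service data: SSO subject -> dev features enabled for that user.
FLAG_SERVICE = {"dev.alice@example.test": {"verbose_logging"}}


@dataclass
class Request:
    headers: dict                       # raw, client-controlled headers
    sso_subject: Optional[str] = None   # assumed to be set only after SSO validation

    def __post_init__(self):
        # HTTP header names are case-insensitive, so normalise them once.
        self.headers = {k.lower(): v for k, v in self.headers.items()}


def features_from_header(req: Request) -> set:
    """Header-trusting form: whoever can send the header gets the feature."""
    if req.headers.get("x-dev-access", "").lower() == "yes":
        return {"verbose_logging"}
    return set()


def features_from_identity(req: Request) -> set:
    """Identity form: the header is never consulted, only the verified user."""
    if req.sso_subject is None:
        return set()
    return set(FLAG_SERVICE.get(req.sso_subject, set()))


def handle(req: Request) -> dict:
    """Resolve dev features per session and record a stray dev header."""
    return {
        "features": features_from_identity(req),
        # Flags no longer depend on the header, so its presence is only a
        # signal worth logging (for example, edge stripping is not in place).
        "stray_dev_header": "x-dev-access" in req.headers,
    }
```
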