In Case of Emergency, Do Not Break

Feature flagging systems can either fail safe or fail broken when they go down. In a fail-safe system, no updates are made and everything continues to operate as usual, with users seeing no changes after the system comes back up. This is possible because flag states are set and maintained on the client side. In a fail-broken system, user experience may be affected by failed calls, timeouts, or error messages. While there are reasons to use a fail-broken system, most applications benefit from failing safe. Testing failure states is crucial for ensuring an application's expected behavior during unknown-unknown failure scenarios.