Cloudflare Flagship
133 points by tjek 5 hours ago | 19 comments | developers.cloudflare.com | HN
crabmusket
3 hours ago
[-]
Looking at the docs for their JS SDK, they have this warning:

> The client provider requires an API token to fetch flag values. This token is not scoped to a single app, so anyone with the token can evaluate flags across all apps in your account. Use the client provider with caution in public-facing applications.

https://developers.cloudflare.com/flagship/sdk/client-provid...

Can anyone clarify... why the client SDK, designed to be deployed to browsers, requires caution? Does this mean that any client could send requests with a new targetingKey and observe other users' flags?

While flags probably shouldn't be critical information, this seems like an interesting design choice.

reply
OptionOfT
3 hours ago
[-]
Let's think about it. This is probably something used internally at Cloudflare and someone thought it'd be interesting to make it public.

There is no way 6 months ago someone at Cloudflare thought it was a good idea to build a competitor to say LaunchDarkly.

reply
jasonjmcghee
2 hours ago
[-]
Hmm not sure I necessarily agree. Cloudflare's strategy has been looking like "the only platform you need" for a while now.

Their recent features / announcements have been equivalent to:

(LaunchDarkly)

Resend, Firecrawl, CrewAI, Helicone, Replicate, Pinecone

-

Which like… many companies have a painful procurement process. If all you need is Cloudflare, and prices are within reason- why not use them

reply
gowthamgts12
29 minutes ago
[-]
The quality of the products they ship has already become shitty for quite a while now.
reply
stingraycharles
55 minutes ago
[-]
Don’t forget they now also have an OpenRouter alternative.
reply
bg24
2 hours ago
[-]
Both Cloudflare and Vercel have feature parity. Flags is a feature already in Vercel. While customer-first is a thing, it is also a no-brainer to start with: we use it, Vercel has it, let us build it.
reply
roerohan
58 minutes ago
[-]
reply
Hamuko
42 minutes ago
[-]
>Agentic coding tools like OpenCode and Claude Code are shipping entire features in minutes.

How many minutes do I need to wait until app-scoped tokens are live?

reply
wahnfrieden
3 hours ago
[-]
Care to share why
reply
jjcm
2 hours ago
[-]
Jane Wong salivating reading this
reply
roerohan
1 hour ago
[-]
Hi! One of the engineers from the Flagship team here, app-scoped tokens are WIP.
reply
stingraycharles
56 minutes ago
[-]
That sounds like the product is not finished and should not be released?
reply
ai_fry_ur_brain
23 minutes ago
[-]
This has been the Cloudflare standard operating procedure for the last year or so. Non stop shipping alpha/beta products.
reply
yuretz
37 minutes ago
[-]
Is it perhaps available behind a flag somewhere?
reply
Craighead
55 minutes ago
[-]
Then it's not finished?
reply
btown
2 hours ago
[-]
Never underestimate the power of a zero-network-hop abstraction over f(feature_name, context).

And context can be extremely tailored to your niche: specific inventory, from a specific supplier, for a specific user of a specific B2B client of a specific business model subtype, who should or shouldn’t see certain features on that specific inventory at certain times.

When you can write your own logic, and just run this in a tight loop as easily and performantly as you can use a constant, it makes your business incredibly agile. Think some text might change for some customers? Just write the code to make it configurable, and you get tests and flags for free.

Sadly, that zero-hop setup requires a sophisticated client execution engine, which it doesn’t appear Cloudflare has implemented here. Makes sense for their memory constrained workers, less sense for traditional infrastructure.

Statsig has an approach here that I quite like:

> To be able to do this, Server SDKs hold the entire ruleset of your project in memory - a representation of each gate or experiment in JSON. On client SDKs, we evaluate all of the gates/experiments when you call initialize - on our servers.

https://docs.statsig.com/sdks/how-evaluation-works

You can also roll your own - just sync your rulesets to a few data structures every few seconds in a background thread and atomically swap the reference to them. Then you just need a CRUD interface over the applicability ruleset dimensions.

Just be careful to have governance on who can play with which would-be constants. Great power and great responsibility and all that!

reply
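A minimal version of the roll-your-own approach described in the comment above, as an added example (not the commenter's, Statsig's or Cloudflare's code). `FlagStore`, `fetch_ruleset` and the rule shape are assumptions, and the sample ruleset is constructed.

```python
import threading

# Constructed sample: feature -> ordered (match, value) rules; first match wins.
SAMPLE_RULES = {
    "new_checkout": [
        ({"client": "acme", "supplier": "s-17"}, True),
        ({"client": "acme"}, False),
    ],
}

class FlagStore:
    """In-memory ruleset; readers take no lock and never see a half-built update."""

    def __init__(self, fetch_ruleset, interval_s=5.0):
        self._fetch = fetch_ruleset      # hypothetical loader (DB query, HTTP call, ...)
        self._interval = interval_s
        self._snapshot = {}              # replaced whole, never mutated in place
        self._stop = threading.Event()

    def refresh(self):
        """Build and validate a new snapshot, then swap; keep the last good one on error."""
        try:
            new = {
                name: tuple((dict(match), bool(value)) for match, value in rules)
                for name, rules in self._fetch().items()
            }
        except Exception:
            return False
        self._snapshot = new             # one reference assignment is the atomic swap
        return True

    def start(self):
        """Load once, then resync every interval_s seconds in a daemon thread."""
        def loop():
            while not self._stop.wait(self._interval):
                self.refresh()
        self.refresh()
        threading.Thread(target=loop, daemon=True).start()

    def stop(self):
        self._stop.set()

    def evaluate(self, feature, context, default=False):
        """f(feature_name, context) with no network hop."""
        for match, value in self._snapshot.get(feature, ()):  # single snapshot read
            if all(context.get(k) == v for k, v in match.items()):
                return value
        return default
```

Because `fetch_ruleset` is the only way rules enter the process, write access to its backing store is the control point for who can change flags.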
chrisweekly
1 hour ago
[-]
Good advice. I'll add a protip / reminder that feature flags, AB tests, and entitlements are three distinct concepts. This blog post (no affiliation) has framing I found helpful:

https://www.stigg.io/blog-posts/entitlements-untangled-the-m...

reply
tiffanyh
3 hours ago
[-]
This is nice, but I’m still waiting for this to be delivered (which ironically is probably using Flagship):

https://blog.cloudflare.com/enterprise-grade-features-for-al...

---

I don’t believe a single enterprise only feature has made its way to lower tier (paid) account yet.

I’m most interested in:

https://developers.cloudflare.com/speed/optimization/content...

reply
7thpower
3 hours ago
[-]
Yes, this! I am dying for need of zerotrust enterprise features and am about to have to actually talk to one of the enterprise sales folks, which will chew up a bunch of time and add stress I’d rather avoid.
reply
tiffanyh
3 hours ago
[-]
I don’t think zero trust will be anytime soon, based on this post:

https://community.cloudflare.com/t/making-enterprise-product...

reply
elamje
2 hours ago
[-]
I’m always excited when Cloudflare starts offering things that I had to use other providers for because I know it will be solid.

We used Statsig at Function. It started out as 2 of us using it on one product and within 12 months, large amounts of our product copy and rollouts were driven off of it.

Statsig has client side evals so you can write rules and rollouts based on internal concepts without Statsig’s servers processing a piece of user data. Hoping Cloudflare can build a sophisticated product here so I don’t have to use another product in the future!

reply
w-ll
1 hour ago
[-]
you use a 3rd party for feature flags? im not "roll my own" for everything but feature flags have not been an issue to roll
reply
willsmith72
1 hour ago
[-]
There's feature flags then there's staged rollouts gated by multiple variables with statistical analysis
reply
aetherspawn
4 hours ago
[-]
Cloudflare are winning these days, they’re just lacking good fine grained permissions. You still have to make an entirely separate account for prod, which messes up SSO since one domain can only be bound to one account.
reply
corvad
3 hours ago
[-]
Their products are cool and I've been happy with them over the years, but their blog right now has had some blunders recently. Also their reliability seems to have been having trouble but does seem better recently.
reply
willsmith72
1 hour ago
[-]
Yep I made the switch a couple of years ago for all of my projects and never looked back. Workers, D1, R2, queues, containers, KV

Still using AWS for email sending so that will be great when it comes

reply
corvad
1 hour ago
[-]
It already came if you use workers I believe, still in beta though. I would love to switch to it but I still need the SMTP interface though. https://developers.cloudflare.com/email-service/
reply
willsmith72
22 minutes ago
[-]
wow thanks. I saw the initial announcement when it was still in private beta, but have been less online lately and missed the public launch. Awesome!!
reply
h4ch1
1 hour ago
[-]
E-mail sending is in beta afaik, you need the Workers paid plan to use it.
reply
willsmith72
22 minutes ago
[-]
thank you!! missed the public launch
reply
atsaloli
4 hours ago
[-]
Yes! I just opened a support case today asking for more fine grained permissions.
reply
pupppet
4 hours ago
[-]
After years of AWS I gave Cloudflare a whirl and loved the UX but ultimately retreated back due to the same concern. They are so close though..
reply
wilj
3 hours ago
[-]
This is exactly what stops me from using them for real work. I love their free tier for my hobby stuff.
reply
wahnfrieden
3 hours ago
[-]
Will never use them without prepayment or spending limit options. Insane to be a bug, attack, or misclick away from a 6-7 digit invoice
reply
weird-eye-issue
2 hours ago
[-]
Their pricing is not ridiculous like some providers. It would be very hard to rack up that kind of bill, especially considering their rate limiting rules are now free to use.
reply
behindsight
2 hours ago
[-]
the CTO of Cloudflare (hn: dknecht) said:

> It is in the works. The billing team has been sprinting to fix a lot of debt in this area. I don’t have a date.

https://x.com/dok2001/status/2051220429973389622

reply
teaearlgraycold
4 hours ago
[-]
Just let everyone have access to prod?
reply
corvad
3 hours ago
[-]
One account gets compromised and you're doomed. A lot of companies even have prod access be a request based system. Most modern security models with zero trust don't let everyone have access to everything, quite the opposite.
reply
toomuchtodo
4 hours ago
[-]
Poor access and change management governance.
reply
greenchair
3 hours ago
[-]
hooboy that was a good one!
reply
glasshug
3 hours ago
[-]
OpenFeature was new to me, neat! Anyone have experience integrating this? https://openfeature.dev
reply
Atotalnoob
3 hours ago
[-]
It’s pretty useful. We used it at a previous company. We built a custom backend, but used the spec and SDKs.

It took like 2 weeks to build a full custom backend. SDKs across languages worked flawlessly (okay, we did find one bug, reported it, and it was fixed within the day)

reply
swyx
1 hour ago
[-]
i see @btown's comment below but also just for education about this space:

- anyone have comments/comparisons about launchdarkly vs posthog vs statsig (is it still alive after openai?) vs _____ vs cloudflare flagship?

like a "beginner/intermediate/advanced" progression of what to look out for/what you will want when it comes to feature flags would be highly helpful for me and many others here

reply
GeorgeWoff25
19 minutes ago
[-]
I love their free tier but for playful stuff
reply
pm90
3 hours ago
[-]
More of this please: essential tools for building modern software must be oss; I'm fine with paying for a hosted version but just the benefit of learning one tool and being able to use it everywhere (linux, k8s, python etc) is amazing.
reply
isodev
3 hours ago
[-]
Cloudflare oss?
reply
zuzululu
2 hours ago
[-]
A bit of a tangent but related: These things I'm never sure if I should be shipping on day one with mobile apps (Flutter in particular): Flagships, bug gathering, A/B testing ?

I feel a strong inclination to, but it's also way too early before any real users can prove PMF. I've been using Google stuff but wonder if Flagship and perhaps other Cloudflare offerings can help.

The other side is that again it feels too early for this stuff and I just want to ship something quickly.

The work involved

reply
OsrsNeedsf2P
3 hours ago
[-]
Has anyone struggled to run their own feature flagging service? After root causing slow app starts to be caused by the equivalent offering from Firebase, I've been cautious to use any off the shelf solutions
reply
dboreham
3 hours ago
[-]
It's literally a field in your database. I could never fathom why this needs to be an outsourced service never mind an entire company.
reply
youngprogrammer
3 hours ago
[-]
It can get complicated quickly if you're actually using it in a production system. At my prev enterprise saas company we had feature flags that could be turned on per customer / per environment (dev, staging, prod) with permission + logging model such that our support team could also toggle flags with history of who turned on what. We also had "per user" feature flags for certain test users at companies and had DSL rules to evaluate the features
reply
tuananh
43 minutes ago
[-]
when started, yes. but then you want segment (how you segment your user), rollout strategy, etc.. it will get complicated fast
reply
strix_varius
2 hours ago
[-]
Booleans as a Service
reply
OccamsMirror
2 hours ago
[-]
Thank you! I've never understood why this needs to be an external dependency with network requests.
reply
NicoJuicy
2 hours ago
[-]
Deploy to master ( microservices)
reply
tuananh
45 minutes ago
[-]
this makes perfect sense for cloudflare.

and I'm sure they can drive down the cost, compared to say launchdarkly

reply
ec109685
2 hours ago
[-]
Missing gradual rollout of feature flag changes themselves. Yes, you can do percentage based rollouts for individual features but still should have ability to canary all changes before they cause an insta-sev.
reply
etothet
1 hour ago
[-]
I don’t have experience with the tools Cloudflare has been shipping this year so I can’t speak about the quality, but they have really been pushing out a lot of new products and services, no doubt due to agentic coding.
reply
jazzpush2
15 minutes ago
[-]
This is what "Building for the future" looks like post-layoffs, huh?

Can't even ship with app-scoped tokens...

reply
EFLKumo
5 hours ago
[-]
Worth noticing a Vercel equivalent: https://github.com/vercel/flags
reply
fastball
4 hours ago
[-]
That is actually their SDK / provider agnostic library. The better parallel to this new Cloudflare offering is Vercel Flags[1] (confusing I know)

[1] https://vercel.com/docs/flags/vercel-flags

reply
swyx
1 hour ago
[-]
only 2 hard problems in computer science...
reply
EGreg
4 hours ago
[-]
If anyone is interested, you can implement something like that with a few lines of code on the front end. We expose a function that generates a uniformly-distributed hash that you can use for A/B testing and other uses:

  Q.Data.variant()
https://github.com/Qbix/Q.js/blob/main/src/js/Q.minimal.js#L...

And on the back end, you'd use it like this:

https://github.com/Qbix/Platform/blob/main/platform/classes/...

Essentially, this can support a huge number of "variants" and within each variant you can have N equal segments. That will help you do A/B testing and flipping features on or off.

reply
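The idea in the comment above (a uniformly distributed hash split into N equal segments per variant), sketched as an added example; this is not the Q.js or Qbix Platform code, and `segment`, `in_rollout`, `segment_sizes` and the sample user IDs are assumptions constructed for illustration.

```python
import hashlib
from collections import Counter

def segment(variant, user_id, segments):
    """Stable segment in [0, segments) for this user within this variant."""
    if segments < 1:
        raise ValueError("segments must be >= 1")
    # NUL separator so ("ab", "c") and ("a", "bc") hash differently.
    digest = hashlib.sha256(f"{variant}\x00{user_id}".encode("utf-8")).digest()
    # 64 bits of the digest; modulo bias is negligible for small segment counts.
    return int.from_bytes(digest[:8], "big") % segments

def in_rollout(variant, user_id, percent):
    """True for roughly `percent` % of users; raising percent only adds users."""
    return segment(variant, user_id, 10_000) < round(percent * 100)

def segment_sizes(variant, user_ids, segments):
    """Count users per segment, to check that the split is close to equal."""
    return Counter(segment(variant, u, segments) for u in user_ids)

# Constructed sample population.
SAMPLE_USERS = [f"user-{i}" for i in range(10_000)]
```

Including the variant name in the hash input keeps assignments independent between experiments, so a user in segment 0 of one test is not systematically in segment 0 of the next.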
maxdo
2 hours ago
[-]
a flagship with no pirates, all fired due to ai.
reply
throwaway613746
3 hours ago
[-]
Feature flags are so ridiculously simple I have never needed to outsource this to someone else.
reply
odie5533
39 minutes ago
[-]
Do your running services receive streaming updates when Flags are toggled? Is your rule-engine evaluated locally?
reply