Flipt v2’s default configuration is designed for local development and quick start. To run Flipt v2 reliably in production, you should review and adjust the following configuration options.

Logging

Debug logging is useful during development or troubleshooting, but under load it consumes CPU and produces excessive noise that can bury important signals. Set the log level to info in production:
FLIPT_LOG_LEVEL=info
For structured log output suitable for log aggregation systems, you can also set the encoding to json:
FLIPT_LOG_ENCODING=json
See the Observability documentation for more logging configuration options.

Profiling Endpoints

Flipt exposes pprof profiling endpoints at /debug/pprof. These are invaluable for debugging performance issues but can expose sensitive runtime information if publicly accessible. Disable profiling in production unless you actively need it:
FLIPT_DIAGNOSTICS_PROFILING_ENABLED=false
If you need profiling in production, restrict access to internal networks only.

Update Checks

By default, Flipt v2 checks for newer versions on startup. This can be disabled in air-gapped or security-sensitive environments:
FLIPT_META_CHECK_FOR_UPDATES=false

Prometheus Metrics

Flipt v2 exposes Prometheus metrics at the /metrics HTTP endpoint by default. Ensure this endpoint is not publicly accessible - restrict it via network policies, reverse proxy rules, or your ingress configuration. If you do not require metrics, you can disable them:
FLIPT_METRICS_ENABLED=false
For production, Flipt also supports exporting metrics to an OTLP collector for integration with observability platforms such as Datadog, Honeycomb, or New Relic. See the Observability documentation for more details.

CORS Configuration

If you are integrating Flipt v2 with a client-side application (for example, a browser-based frontend built with React, Vue, Angular, or similar frameworks), you must enable and properly configure CORS to allow requests from your frontend domain. For security reasons, restrict allowed_origins to your known frontend URLs instead of using the wildcard *.
FLIPT_CORS_ENABLED=true
FLIPT_CORS_ALLOWED_ORIGINS=https://app.example.com

Storage Configuration

Flipt v2 supports two storage backend types:
  • memory (default): In-memory store. Data is lost on restart.
  • local: Persists data to the local filesystem. Data survives restarts.
Both backends can be paired with a git remote to sync flag state to and from a remote Git repository for persistence, history, and collaboration across deployments. For production, use the local backend with a git remote:
storage:
  default:
    backend:
      type: local
      path: /var/lib/flipt
    remote: https://github.com/your-org/flags.git
    branch: main
For private repositories, you’ll also need to configure credentials. See the Storage documentation and Git Sync guide for more details.

Authentication and Authorization

In production, you should enable authentication to control access to Flipt v2:
FLIPT_AUTHENTICATION_REQUIRED=true
Flipt v2 supports multiple authentication methods including GitHub OAuth and OIDC. See the Authentication documentation for configuration details. For fine-grained access control, configure RBAC policies using OPA-based authorization to restrict what authenticated users can do.
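A pre-deployment check over the settings covered so far, as an added example (not part of the Flipt documentation or code base): it reads an env file and reports values that go against this page's recommendations. The function names, the fail/review severities, the treatment of unset variables as review items, and the splitting of origins on commas or whitespace are assumptions of the example.

```python
import re

# Constructed sample env file, not taken from a real deployment.
SAMPLE = """\
FLIPT_LOG_LEVEL=debug
FLIPT_DIAGNOSTICS_PROFILING_ENABLED=false
FLIPT_CORS_ENABLED=true
FLIPT_CORS_ALLOWED_ORIGINS=https://app.example.com,*
FLIPT_AUTHENTICATION_REQUIRED=false
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments and stripping quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("\"'")
    return env

def audit(env):
    """Return sorted (severity, variable, message) findings for a parsed env."""
    findings = []
    def expect(var, wanted, severity, advice):
        value = env.get(var)
        if value is None:  # assumption: relying on a default is worth a review
            findings.append(("review", var, "not set, default applies; " + advice))
        elif value.lower() != wanted:
            findings.append((severity, var, f"is {value!r}; {advice}"))
    expect("FLIPT_AUTHENTICATION_REQUIRED", "true", "fail", "set to true")
    expect("FLIPT_DIAGNOSTICS_PROFILING_ENABLED", "false", "review",
           "disable, or keep /debug/pprof on internal networks only")
    expect("FLIPT_META_CHECK_FOR_UPDATES", "false", "review",
           "disable in air-gapped or security-sensitive environments")
    if env.get("FLIPT_LOG_LEVEL", "").lower() == "debug":
        findings.append(("fail", "FLIPT_LOG_LEVEL", "is debug; set to info"))
    if env.get("FLIPT_METRICS_ENABLED", "true").lower() != "false":  # on by default
        findings.append(("review", "FLIPT_METRICS_ENABLED", "confirm /metrics is not public"))
    if env.get("FLIPT_CORS_ENABLED", "").lower() == "true":
        # assumptions: origins are comma- or space-separated; an empty list is treated like *
        origins = re.split(r"[,\s]+", env.get("FLIPT_CORS_ALLOWED_ORIGINS", "").strip())
        if "*" in origins or origins == [""]:
            findings.append(("fail", "FLIPT_CORS_ALLOWED_ORIGINS", "list known frontend URLs, not *"))
    return sorted(findings)

if __name__ == "__main__":
    for severity, var, message in audit(parse_env(SAMPLE)):
        print(f"{severity:6} {var}: {message}")
```

A review finding marks a setting the file cannot settle on its own, such as whether /metrics or /debug/pprof is reachable from outside the internal network.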

Backup Strategy

Flipt v2’s Git-native storage means your feature flag data is already version-controlled in a Git repository. Ensure your backup strategy covers:
  • Git repository: The source Git repository should be backed up by your Git provider (e.g. GitHub, GitLab). Consider mirroring to a secondary repository for additional redundancy.
  • Analytics data: If using ClickHouse, ensure that data is backed up according to your organizational policies.
