Note: Jack - Temporary Bypass: Use Header X-Dev-Access: Yes

This article is part of a series on “Dangerous Patterns in Code Comments.” For more, see “Bypass Patterns” and “Hardcoded Credentials in Production.”

Header: X-Dev-Access; Value: yes; Added By: Jack

If the header value matches yes, the standard authentication checks (OAuth tokens, session cookies, API keys) are completely ignored.

Under the pressure of a looming product launch or a critical hotfix, developers implement quick workarounds with the mental note to remove them before the final release. Without an explicit tracking ticket, these notes are quickly forgotten.

An external attacker who discovers the header (e.g., through leaked source code, error messages, or guessing) can send X-Dev-Access: yes and instantly gain administrative privileges. They could then read, modify, or delete any data.
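One way to look for this pattern in a code base, as an added example that is not part of the original article: a small scanner that flags comments announcing a bypass and then reports every code line that reads a header named in such a comment. The keyword list, the function name `scan` and the sample source are assumptions made for illustration.

```python
import re

# Assumed keyword list: wording that usually marks an intentional auth shortcut.
BYPASS_WORDS = re.compile(
    r"\b(temporary|temp|bypass|skip\s+auth|backdoor|remove\s+before)\b", re.I)
# Custom request header names such as X-Dev-Access.
HEADER_NAME = re.compile(r"\bx-[a-z0-9]+(?:-[a-z0-9]+)*\b", re.I)
# Heuristic comment start for #, // and /* styles (it does not parse strings).
COMMENT = re.compile(r"(?:#|//|/\*)\s*(.*)$")


def scan(source, path="<memory>"):
    """Return (path, line, kind, headers) tuples for one source file.

    kind is "bypass-comment" for a comment that announces a bypass, and
    "header-read" for a code line that uses a header named in such a comment.
    """
    findings, flagged = [], set()
    lines = source.splitlines()
    # Pass 1: collect bypass comments and the header names they mention.
    for no, line in enumerate(lines, 1):
        m = COMMENT.search(line)
        if m and BYPASS_WORDS.search(m.group(1)):
            headers = {h.lower() for h in HEADER_NAME.findall(m.group(1))}
            flagged |= headers
            findings.append((path, no, "bypass-comment", sorted(headers)))
    # Pass 2: find the code that acts on those headers, comments stripped.
    for no, line in enumerate(lines, 1):
        code = COMMENT.sub("", line)
        hit = {h.lower() for h in HEADER_NAME.findall(code)} & flagged
        if hit:
            findings.append((path, no, "header-read", sorted(hit)))
    return findings


# Constructed sample reproducing the comment this article discusses.
SAMPLE = '''\
def authenticate(request):
    # NOTE: Jack - temporary bypass: use header X-Dev-Access: yes
    if request.headers.get("X-Dev-Access") == "yes":
        return ADMIN
    return check_oauth(request)
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Run as a pre-merge check, a non-empty result is a reason to block the change until the bypass has a tracking ticket or is removed.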

The phrase "temporary bypass" is one of the most dangerous misnomers in software engineering. Temporary fixes frequently transition into permanent liabilities for several reasons: