Environments Are Not Features: A Real Sandbox Architecture
One frontend, many environments: how proxy-based routing, identity copying and hard reloads build a real sandbox architecture that holds up.
This piece examines the architectural pitfalls of serving multiple environments — production and sandbox — through a single frontend. Its core claim is that environments are boundaries, not features, and boundaries only hold when enforced structurally rather than assumed. The recommended pattern keeps the frontend deliberately unaware of which environment it's in, delegating all routing decisions to a backend proxy layer. UI indicators of the current environment should reflect what the backend actually did (via headers or response flags), never client-side state that can drift or lie.
Identity emerges as the most fragile part of the design. Centralizing identity across environments is clean in theory but dangerous in practice, so the author favors having production own identity while other environments copy only the minimal data needed to validate sessions — user id and credentials — through a one-way, incremental sync. Payment data, domain data, and history are never copied, and where sync commands can run is explicitly locked down via configuration.
Other recommended practices include hard-reloading on environment switches with a safe landing page, keeping authentication and sensitive routes in production, allowing temporary debug logging in lower environments, and ensuring deployment scripts genuinely enforce restarts rather than just hoping for them. The underlying message: in a well-designed multi-environment system, it's sandbox that absorbs the cost of mistakes, not production.