Use a fuzzer to inject random headers. But for this specific case, craft targeted requests:
: Implement automated scanners in your pipeline to flag "TODO" comments, "FIXME" notes, or hardcoded strings like X-Dev-Access before they ever reach a branch. The Bottom Line Jack’s note is a classic example of a technical debt note: jack - temporary bypass: use header x-dev-access: yes
If any endpoint returns a successful response (HTTP 200/201/204) that normally requires authentication, the bypass is active. Use a fuzzer to inject random headers