How to fix exposed source maps in production
Your production build is serving source maps (`.js.map` files). These let anyone download your original, un-minified source code with comments and variable names intact. That is fine for open-source projects, but bad for closed-source apps that rely on code obscurity, and for any app whose bundle accidentally leaks internal API routes. Turn off source maps in production, or make sure no server-side code is bundled into them.
Why it matters
Source maps expose business logic, internal API endpoints, feature flags, and sometimes comments that reveal authentication bypasses. For apps with billing logic or admin routes, this is a roadmap for attackers.
How to check
- Open DevTools → Sources. If you see folders named after your source files (not `webpack://` chunks), source maps are on.
- Or try `https://your-site.com/_next/static/chunks/main-abc.js.map`.
- Any 200 response means maps are public.
How to fix it
Next.js
Set `productionBrowserSourceMaps: false` in next.config.js (it is false by default, so check you did not turn it on).
module.exports = {
  productionBrowserSourceMaps: false,
};
Vercel (non-Next)
Check your bundler config (Vite, esbuild, webpack). Set sourcemap to false for production builds, or to `hidden` if you want them for error reporting but not served.
AI prompt
Copy-paste into your AI tool
Paste this prompt into Cursor, Lovable, Bolt, v0, or Claude Code and it will walk through the fix for your specific codebase.
My production build is serving JavaScript source maps. Find my bundler config and disable source maps in production, or switch to hidden source maps that are uploaded to my error tracker (Sentry) but not deployed with the site.
FAQ
Frequently asked questions
- I use Sentry — do I still need source maps?
- Yes, but use `hidden-source-map` mode. The maps get uploaded to Sentry during build but are not deployed with your site. You get stack traces in error reports without exposing source to everyone.
- Is obscurity a real defense?
- No — that is not the argument. The argument is that source maps often reveal undocumented APIs, feature flags, and internal routes that you never advertised publicly. Hiding them buys you nothing against a determined attacker but lots against opportunistic ones.