Exposed source maps on Next.js
Your production build is serving source maps (`.js.map` files). These let anyone download your original, un-minified source code with comments and variable names intact. That is fine for open-source projects, but bad for closed-source apps that rely on code obscurity or that accidentally leak internal API routes. Turn off source maps in production, or make sure no server-side code is bundled into them.
The fix for Next.js
Set `productionBrowserSourceMaps: false` in next.config.js (it is false by default, so check you did not turn it on).
```js
// next.config.js
module.exports = {
  productionBrowserSourceMaps: false,
};
```

Why it matters
Source maps expose business logic, internal API endpoints, feature flags, and sometimes comments that reveal authentication bypasses. For apps with billing logic or admin routes, this is a roadmap for attackers.
Confirm the fix worked
Scan your Next.js site to confirm this finding is gone.
AI prompt
Apply across your codebase
Paste this into Cursor, Lovable, Bolt, v0, or Claude Code.
My production build is serving JavaScript source maps. Find my bundler config and disable source maps in production, or switch to hidden source maps that are uploaded to my error tracker (Sentry) but not deployed with the site.
Frequently asked questions
- I use Sentry — do I still need source maps?
- Yes, but use `hidden-source-map` mode. The maps get uploaded to Sentry during build but are not deployed with your site. You get stack traces in error reports without exposing source to everyone.
- Is obscurity a real defense?
- No — that is not the argument. The argument is that source maps often reveal undocumented APIs, feature flags, and internal routes that you never advertised publicly. Hiding them buys you nothing against a determined attacker but lots against opportunistic ones.
Related fix guides
Fix these too
Exposed .git directory
An exposed .git directory lets attackers download your entire source history, including deleted secrets. Here is how to check and fix it.
Hardcoded API key in JS
Any secret in your client bundle is public. Here is how to find them, rotate them, and move the calls server-side.
Exposed Next.js build files
Build artifacts like the .next directory, BUILD_ID, or server-side bundles should not be publicly reachable. Here is how to lock them down.