Medium severity · Vercel

Exposed source maps on Vercel

Your production build is serving source maps (`.js.map` files). These let anyone download your original, un-minified source code with comments and variable names intact. That is fine for open-source projects, but bad for closed-source apps that rely on code obscurity, and worse when the maps accidentally leak internal API routes. Turn off source maps in production, or make sure no server-side code is bundled into them.

The fix for Vercel

Vercel (non-Next)

Check your bundler config (Vite, esbuild, webpack). Set `sourcemap` to `false` for production builds, or to `hidden` if you want them for error reporting but not served.

Why it matters

Source maps expose business logic, internal API endpoints, feature flags, and sometimes comments that reveal authentication bypasses. For apps with billing logic or admin routes, this is a roadmap for attackers.

Confirm the fix worked

Scan your Vercel site to confirm this finding is gone.

AI prompt

Apply across your codebase

Paste this into Cursor, Lovable, Bolt, v0, or Claude Code.

My production build is serving JavaScript source maps. Find my bundler config and disable source maps in production, or switch to hidden source maps that are uploaded to my error tracker (Sentry) but not deployed with the site.

FAQ

Frequently asked questions

I use Sentry — do I still need source maps?
Yes, but use `hidden-source-map` mode. The maps get uploaded to Sentry during build but are not deployed with your site. You get stack traces in error reports without exposing source to everyone.
Is obscurity a real defense?
No — that is not the argument. The argument is that source maps often reveal undocumented APIs, feature flags, and internal routes that you never advertised publicly. Hiding them buys you nothing against a determined attacker but lots against opportunistic ones.