Severity: medium. Category: Web Security.

Exposed Source Maps in Production Leak Application Source Code

What Is This Vulnerability?

Source maps are files that map minified production JavaScript back to the original source code. When these files are accessible in production, anyone can reconstruct your entire frontend codebase, including business logic, API endpoints, internal comments, and patterns that reveal how your application handles authentication and authorization.

Why It Happens

Build tools like Webpack, Vite, and Next.js generate source maps by default to aid debugging. Developers often forget to disable source map generation or restrict access to .map files before deploying to production. Some hosting configurations serve all static files without filtering by extension.

Example Code

Vulnerable: next.config.ts

import type { NextConfig } from "next";

const nextConfig: NextConfig = {
  // Source maps are generated and publicly accessible
  productionBrowserSourceMaps: true,
  webpack(config) {
    // Emits a separate .map file next to every client bundle
    config.devtool = "source-map";
    return config;
  },
};

export default nextConfig;
Fixed: next.config.ts

import type { NextConfig } from "next";

const nextConfig: NextConfig = {
  // No browser source maps in production builds
  productionBrowserSourceMaps: false,
  webpack(config, { isServer }) {
    // Only the client bundle is served publicly; leave the server build untouched
    if (!isServer) {
      config.devtool = false;
    }
    return config;
  },
};

export default nextConfig;

How Hackers Exploit It

An attacker inspects your page, finds references to .js.map files in the minified bundles, and downloads them. Using a source map explorer, they reconstruct the original code. This reveals API endpoint structures, client-side validation logic, hidden admin routes, error handling patterns, and comments that may contain credentials or internal documentation.

How to Fix It

Disable browser source map generation in your production build configuration. In Next.js, set productionBrowserSourceMaps to false. If you need source maps for error monitoring (like Sentry), upload them directly to the monitoring service and do not serve them publicly. Add server rules to block requests for .map files.

Frequently Asked Questions

How can I check if my site exposes source maps?
Open your browser DevTools, go to the Sources tab, and check if original source files appear. You can also append .map to any JavaScript bundle URL in your browser. If the map file downloads, your source maps are publicly accessible.
Can I use source maps for error tracking without exposing them?
Yes. Services like Sentry, Datadog, and Bugsnag accept source map uploads via their CLI or build plugins. The maps are stored on their servers and used to symbolicate stack traces. They are never served to end users.
Do source maps expose server-side code?
Typically no. Browser source maps only contain client-side code. However, in universal/SSR frameworks like Next.js, shared modules may contain logic that runs on both server and client, potentially exposing server-side patterns and utility functions.
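A script version of the check described in the first FAQ answer, added here as an example and not part of the original page: it extracts sourceMappingURL comments from your own bundles, resolves the map URLs, and only reports a map as exposed when the response really is a source map (many hosts answer 200 with an HTML fallback for unknown paths). The fetcher, URLs and responses below are constructed placeholders; in practice pass a fetch-based function.

```javascript
// Matches `//# sourceMappingURL=...`, `/*# sourceMappingURL=... */` and the legacy `//@` form.
const SOURCEMAP_RE = /\/[/*][#@]\s*sourceMappingURL=([^\s*]+)/g;

// Resolve every non-inline map reference against the bundle's own URL.
function findMapUrls(bundleUrl, bundleText) {
  const urls = new Set();
  for (const m of bundleText.matchAll(SOURCEMAP_RE)) {
    if (m[1].startsWith("data:")) continue; // inline map handled in auditBundle
    urls.add(new URL(m[1], bundleUrl).href);
  }
  return [...urls];
}

// A real source map is JSON with version 3 and a "mappings" string; status alone is not enough.
function looksLikeSourceMap(body) {
  try {
    const j = JSON.parse(body);
    return Boolean(j) && j.version === 3 && typeof j.mappings === "string";
  } catch { return false; }
}

// fetcher(url) -> {status, body} (sync or async). Returns the URLs of exposed maps.
async function auditBundle(bundleUrl, bundleText, fetcher) {
  const exposed = [];
  if (/sourceMappingURL=data:/.test(bundleText)) exposed.push(bundleUrl + " (inline map)");
  for (const url of findMapUrls(bundleUrl, bundleText)) {
    const res = await fetcher(url);
    if (res.status === 200 && looksLikeSourceMap(res.body)) exposed.push(url);
  }
  return exposed;
}

// Constructed sample bundles: one relative map reference, one absolute reference on a CDN.
const SAMPLE_BUNDLES = {
  "https://example.test/_next/static/chunks/main.js": "(()=>{})();\n//# sourceMappingURL=main.js.map",
  "https://example.test/_next/static/chunks/vendor.js": "(()=>{})();\n//# sourceMappingURL=https://cdn.example.test/vendor.js.map",
};
// Constructed responses: a real map, and a 200 HTML fallback that must not count as exposed.
const SAMPLE_RESPONSES = {
  "https://example.test/_next/static/chunks/main.js.map": { status: 200, body: JSON.stringify({ version: 3, sources: ["src/auth.ts"], mappings: "AAAA" }) },
  "https://cdn.example.test/vendor.js.map": { status: 200, body: "<!doctype html><title>Not found</title>" },
};
const offlineFetcher = (url) => SAMPLE_RESPONSES[url] ?? { status: 404, body: "" };

async function runAudit() {
  const exposed = [];
  for (const [url, text] of Object.entries(SAMPLE_BUNDLES)) exposed.push(...(await auditBundle(url, text, offlineFetcher)));
  return exposed; // only main.js.map is reported
}
```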
