An exposed source map check verifies whether production .map files are reachable, referenced by bundles, or leaking code context. If they are public, remove them, restrict access, or move them to a private error monitoring workflow before launch. Treat this as a preflight check, especially for AI-built apps where generated build settings often ship defaults you did not review.
Run an exposed source map check
Source maps translate minified JavaScript back into readable application structure. They are useful for debugging, but public access changes the risk profile. An attacker may not get your server secrets directly, but they can learn routes, feature flags, API shapes, validation logic, and comments that were never meant for users.
The most common findings are practical, not theoretical:
- original source paths reveal repo structure, framework conventions, and internal module names.
- source code reconstruction makes business logic and client-side guards easier to inspect.
- hidden endpoint discovery exposes admin routes, beta APIs, and internal feature paths.
- error context leakage can reveal comments, TODOs, or defensive assumptions.
- deployment drift leaves old maps online after the bundle has changed.
A good first pass checks both references and direct access. If a minified file ends with a sourceMappingURL comment, browsers and tools know where to fetch the related map. Even if that comment is removed, predictable filenames can still expose maps when the hosting layer serves every generated asset.
Use a quick local and remote check before launch:
BUILD_DIR=dist
find "$BUILD_DIR" -name '*.map' -type f
grep -R --line-number 'sourceMappingURL=.*.map' "$BUILD_DIR" || true
curl -I https://example.com/assets/app.js.map
curl -I https://example.com/_next/static/chunks/main.js.map
grep -R --line-number 'sk_live\|secret\|password' "$BUILD_DIR"/*.map 2>/dev/nullDo not stop at a 404 on one guessed file. Check the actual generated asset manifest, framework output folder, CDN path, and browser network tab. Public source maps often appear under hashed chunk names, not only under obvious app.js.map paths.
For broader coverage, combine this manual pass with a source map scanner and a JavaScript bundle scan. One finds reachable map files, the other checks whether the public bundle itself contains sensitive strings.
Validate your build settings
Most exposure comes from build configuration, not from a developer intentionally publishing maps. AI-generated setup files may copy defaults from examples, enable debugging for convenience, or leave production and staging behavior identical.
Review the exact build mode used by your deployment pipeline. A local production build is not always the same artifact that your host publishes. Some platforms run their own build command, use cached environment variables, or upload every file produced by the framework.
Check these settings in order:
- Confirm whether production source maps are generated.
- Confirm whether the map reference comment is included in final JavaScript.
- Confirm whether the hosting publish directory includes .map files.
- Confirm whether the CDN caches old .map files after redeploy.
- Confirm whether error monitoring needs private upload instead.
The safer pattern is usually private map upload. Your build can generate maps, upload them to an error tracking service, then delete them before public deployment. That keeps stack traces useful without handing readable code context to the internet.
Framework names differ, but the control points are similar. Look for options that mention sourcemap, productionBrowserSourceMaps, hidden source maps, devtool, or build output tracing. A hidden source map can still exist in the artifact, so verify what is actually served from the deployed URL.
Also inspect environment-specific branches. A common mistake is this pattern: staging disables maps, production enables them for better debugging. That reverses the intended risk decision. Production should have the stricter public asset policy unless you have a documented exception.
If your app is already online, run the check through the public domain, not only from the repository. A local folder can look clean while the CDN still serves previous bundle map files from cache. Purge or invalidate old paths after changing the build.
Fix exposure before launch
The right fix depends on what is exposed. If maps only reveal route names and frontend structure, the fix may be straightforward. If they include comments, internal API paths, or copied secrets, treat it as an incident and rotate anything sensitive.
Apply these fixes in sequence:
- Remove public maps from the deployed asset directory.
- keep maps private through your error monitoring upload step.
- Strip map comments from production JavaScript when maps are not public.
- Block direct access to .map paths at the edge or web server.
- Rotate exposed secrets if any key, token, or credential appears.
Blocking .map files is a useful defense, but it should not be the only control. If your deployment artifact includes sensitive maps, a routing mistake can expose them again. Remove the files before upload whenever possible, then add deny rules as a backstop.
For example, a CDN or reverse proxy rule can return 404 for paths ending in .map. That protects against predictable requests, but you still need to inspect the artifact. If the map file was uploaded to object storage with public listing enabled, a path rule on the app domain may not cover it.
Secrets inside maps require more work. Do not assume a deleted file removes the risk. Public caches, build logs, browser caches, and third-party scanners may already have stored it. Rotate keys, revoke old tokens, and check whether the exposed value had access to billing, storage, email, or admin APIs.
This is also where an external security scan helps. AISHIPSAFE checks public exposure from the attacker’s viewpoint, which catches the gap between repo assumptions and production reality. For larger apps, a deep scan can cover more paths, bundles, and deployment surfaces before users arrive.
Add it to release checks
A one-time fix is not enough. Source map exposure can return when a framework is upgraded, a build command changes, or a teammate enables debugging to diagnose a production bug. Make it part of your release checklist, not a memory test.
Use this short prelaunch checklist:
- Confirm no public .map files return 200 from the production domain.
- Confirm minified bundles do not reference reachable map URLs.
- Confirm old CDN paths were purged after the fix.
- Confirm private map upload still works for error diagnostics.
- Confirm no secrets, tokens, or internal-only comments exist in client artifacts.
- Confirm the same policy applies to preview, staging, and production.
The staging point matters. Many teams lock down production but leave preview deployments public. An attacker does not care which subdomain leaks readable source context. If preview builds use real API endpoints or shared environment variables, treat them like production from a scanning perspective.
Document the accepted outcome. A clean result usually means public requests for maps return 404 or 403, bundle comments do not point to public maps, and private observability still receives uploaded maps. That is a balanced setup: debuggable for the team, opaque to outsiders.
Use Fail closed as the default release rule. If the build pipeline cannot prove maps were removed or privately uploaded, stop the deploy until the artifact is reviewed. This is a small delay compared with rotating keys and explaining exposed internals after launch.
Make the launch decision
A public map is not always a critical breach, but it is rarely worth shipping by accident. If maps expose readable logic, internal routes, or sensitive strings, fix them before launch. If requests are blocked, caches are purged, and private debugging still works, the app is usually safe to launch.
Faq
Are source maps always unsafe in production?
No. Source maps are unsafe when they are publicly reachable or include sensitive context. Many teams generate them during production builds, upload them privately to monitoring tools, then delete them from public assets. The risk comes from public access, stale cached files, and secrets embedded in client-side code.
What status code should a .map file return?
For public users, a production .map request should usually return 404 or 403. A 404 is cleaner because it avoids confirming the file exists. The key is consistency across app paths, CDN URLs, preview deployments, and old hashed assets that may still be cached.
Should i rotate keys found in a source map?
Yes, if the value grants real access or could be abused. Delete the map, purge caches, rotate the exposed key, and review logs for use after exposure. Public client identifiers may not need rotation, but private tokens, service keys, signing secrets, and database credentials do.
If you want a quick outside-in check before shipping, run AISHIPSAFE and confirm your production assets do not expose source maps, secrets, or avoidable launch risks.