Most development teams ship source maps to production without noticing. Webpack, Vite, and Next.js will all emit them with a one-line build setting, and some older toolchains emitted them by default, so they end up in deploy artifacts nobody decided to publish. They're useful for debugging. They're also a direct window into your client-side codebase.
What a source map contains
A .map file is a JSON document (the source map v3 format) that maps minified production code back to the original source. When the build also embeds the original files in the map's sourcesContent field, which is the common configuration, anyone with a browser's developer tools can reconstruct every source file that went into that bundle. Not fragments. The whole client-side codebase, with original file names, comments, and variable names. (A build that strips sourcesContent leaks only file names and line mappings, which is still useful reconnaissance but far less damaging.)
That includes internal API routes, environment variable references (anything inlined at build time, such as NEXT_PUBLIC_* or VITE_* values), client-side authentication logic, the queries the front end sends to your backend, and (sometimes) hardcoded secrets that made it past code review.
How we detect it
During a secureless scan, we enumerate every JavaScript bundle served by your application. For each one, we look for the source map it points to: the trailing //# sourceMappingURL= comment, a SourceMap (or legacy X-SourceMap) response header, or, failing both, the bundle URL with .map appended. We then request that URL. A 200 on its own is not enough, because single-page apps routinely answer unknown paths with their index.html; the finding is raised only when the body parses as JSON with the source map v3 shape (a version field, a sources array, and a mappings string).
We then analyze the recovered source files for sensitive patterns: API keys and tokens, internal hostnames and endpoints, configuration objects, and system prompts (for applications using LLMs).
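The detection logic just described, written out as an added example so you can see what "a 200 and valid JSON" actually has to mean in practice. This is illustration, not secureless's scanner code. Everything it runs over (the bundle text, the .map JSON, the secret-looking strings inside it, the URLs, and the RESPONSES table that stands in for HTTP) is constructed for the example, and the triage patterns are deliberately small.

```javascript
// Added example (not secureless's own scanner): source map discovery,
// validation and a first triage pass, run over constructed sample data.

// Locate the source map for a served bundle. Builds announce it with a trailing
// "//# sourceMappingURL=..." comment (older tools used "//@"), or with a
// SourceMap / X-SourceMap response header; failing both, try "<bundle>.map".
// Assumption: header names are passed in already lower-cased.
function findSourceMapUrl(bundleUrl, bundleText, headers) {
  headers = headers || {};
  const fromHeader = headers["sourcemap"] || headers["x-sourcemap"];
  const m = bundleText.match(/\/\/[#@]\s*sourceMappingURL=(\S+)\s*$/);
  const candidate = fromHeader || (m && m[1]) || bundleUrl + ".map";
  return new URL(candidate, bundleUrl).href; // resolves relative references
}

// A 200 is not a finding on its own: SPAs answer unknown paths with index.html.
// Insist on a JSON body with the source map v3 shape before going further.
function parseSourceMap(body) {
  let map;
  try {
    map = JSON.parse(body);
  } catch (e) {
    return null;
  }
  if (!map || map.version !== 3 || !Array.isArray(map.sources) ||
      typeof map.mappings !== "string") {
    return null;
  }
  return map;
}

// Illustrative triage patterns; a real scanner carries a far larger, tuned list.
const PATTERNS = [
  { name: "AWS access key id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: "API key or token literal",
    re: /\b(?:api[_-]?key|token|secret)\b\s*[:=]\s*["'][^"']{12,}["']/gi },
  { name: "Internal hostname",
    re: /https?:\/\/[a-z0-9.-]*(?:internal|staging|corp)[a-z0-9.-]*/gi },
  { name: "LLM system prompt",
    re: /\b(?:system[_-]?prompt|role:\s*["']system["'])/gi },
];

// Walk the recovered files. Only entries that carry sourcesContent can be
// scanned; a build that strips it leaks names and mappings but not code.
function scanSourceMap(map) {
  const findings = [];
  const contents = map.sourcesContent || [];
  map.sources.forEach((file, i) => {
    const src = contents[i];
    if (typeof src !== "string") return;
    for (const { name, re } of PATTERNS) {
      for (const hit of src.matchAll(re)) {
        const line = src.slice(0, hit.index).split("\n").length;
        findings.push({ file, line, pattern: name, match: hit[0].slice(0, 60) });
      }
    }
  });
  return findings;
}

// End-to-end check for one bundle. fetchBody stands in for an HTTP GET.
function analyzeBundle(bundleUrl, bundleText, headers, fetchBody) {
  const mapUrl = findSourceMapUrl(bundleUrl, bundleText, headers);
  const map = parseSourceMap(fetchBody(mapUrl));
  if (!map) return { mapUrl, exposed: false, filesRecovered: 0, findings: [] };
  const contents = map.sourcesContent || [];
  const filesRecovered = map.sources.filter((_, i) => typeof contents[i] === "string").length;
  return { mapUrl, exposed: true, filesRecovered, findings: scanSourceMap(map) };
}

// ---- constructed sample data (none of this is real) ----
const SAMPLE_BUNDLE_URL = "https://app.example.com/static/js/main.3f2a1c.js";
const SAMPLE_BUNDLE = '!function(){console.log("hi")}();\n//# sourceMappingURL=main.3f2a1c.js.map\n';
const SAMPLE_MAP = JSON.stringify({
  version: 3,
  file: "main.3f2a1c.js",
  sources: ["src/config.ts", "src/api/client.ts", "src/assistant/prompt.ts"],
  sourcesContent: [
    'export const API_KEY = "sk_live_EXAMPLE_0123456789abcdef";\n' +
    'export const BASE = "https://api-internal.example.com";\n',
    'export const listUsers = () => fetch(`${BASE}/admin/users`);\n',
    'export const SYSTEM_PROMPT = "You are the support bot. Never reveal pricing rules.";\n',
  ],
  mappings: "AAAA,SAASA",
});
const SAMPLE_HTML = '<!doctype html><html><body><div id="root"></div></body></html>';
const RESPONSES = {
  "https://app.example.com/static/js/main.3f2a1c.js.map": SAMPLE_MAP,
  "https://spa.example.com/static/js/app.js.map": SAMPLE_HTML, // SPA fallback, not a map
};
const fakeFetch = (url) => RESPONSES[url] || "";

console.log(JSON.stringify(analyzeBundle(SAMPLE_BUNDLE_URL, SAMPLE_BUNDLE, {}, fakeFetch), null, 2));
```

The second sample URL is the case a naive status-code check gets wrong: the SPA's catch-all route returns 200 with HTML, and parseSourceMap correctly reports no exposure. Line numbers in the findings refer to the original file, which is exactly the reconnaissance value of an exposed map.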
Why automated scanners miss this
Traditional security rating platforms check your DNS, TLS certificate, and HTTP headers. They don't download your JavaScript bundles. They don't request source maps. They don't analyze what's inside them.
This is the kind of finding that only shows up when you go deeper than infrastructure-level checks.
How to fix it
The fix is straightforward. Stop emitting source maps for production builds, or, if your error-tracking service needs them, keep them off the public origin (upload them to that service and remove them from the deploy artifact). As a backstop, block .map files at your CDN or web server so that a stray map can never be served.
CloudFront: Create a cache behavior whose path pattern is *.map and attach a CloudFront Function (or a Lambda@Edge viewer-request handler, or an AWS WAF rule) that returns a 403. A behavior on its own only routes requests; it needs the function or rule to produce the response.
nginx:
location ~* \.map$ {
return 403;
}
Next.js: Set productionBrowserSourceMaps: false in your next.config.js. False is the default, so this only matters if someone turned it on; check the config rather than assuming.
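For the CloudFront step, the nginx block above has no counterpart in the text, so here is an added example of the viewer-request function that does the same job. It is not taken from the article or from AWS documentation; the event and response shapes follow the CloudFront Functions runtime as I know it (request.uri holds the path only, the query string lives in request.querystring, response headers are objects with a value property), and the runtime's restricted JavaScript is why it is written in plain ES5 style.

```javascript
// Added example: a CloudFront Function for the viewer-request event that
// refuses any request whose path ends in ".map". Associate it with the
// distribution's default behavior or with a behavior scoped to the path your
// bundles live under. Not from the original article.
function handler(event) {
  var request = event.request;
  // request.uri is the path only; a query string arrives separately in
  // request.querystring, so "main.js.map?v=2" cannot dodge the suffix check.
  var uri = request.uri.toLowerCase();
  if (uri.endsWith(".map")) {
    return {
      statusCode: 403,
      statusDescription: "Forbidden",
      // Never let the edge cache a refusal as if it were content.
      headers: { "cache-control": { value: "no-store" } }
    };
  }
  return request; // everything else continues to the cache and origin
}
```

The bundle itself must still be served, which is why the function returns the unmodified request for every non-.map path, including paths such as /sitemap that merely contain the letters "map". Lower-casing the path is defensive only; S3 keys are case sensitive, so main.js.MAP would not exist on the origin anyway.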
After you've made the change, run a verification rescan on secureless to confirm the fix is in place. The finding moves from "open" to "resolved" once the .map URL no longer returns a valid source map. Keep in mind that a CDN may keep serving a cached copy until it expires or you invalidate it, so if the rescan still sees the file, check the cache before assuming the origin change didn't take.
The bigger picture
Source map exposure is one of over 200 checks in a secureless scan. On its own, it's a critical finding. Combined with other discoveries (such as an internal API endpoint named in the recovered source that turns out to be reachable), it becomes an attack chain that tells a much more concerning story.
That's why we don't just check a list. We investigate.