Exposed Source Maps: Reverse-Engineering Your Frontend
What source maps are for
Source maps (.map files) let your browser's developer tools show original, readable source instead of minified bundles when debugging. They're invaluable in development. Deployed to production and left public, they undo minification for everyone.
What they reveal
A public source map reconstructs your original source code — complete with:
- Comments and internal notes you assumed no one would read.
- File and folder structure that maps your application.
- Logic, variable names, and sometimes hard‑coded values or endpoints that minification obscured.
For an attacker analyzing your frontend, a source map turns a tedious reverse‑engineering job into simply reading your code.
How it happens
Build tools generate source maps by default, and a deploy step ships them alongside the minified assets. The .map files then sit next to your JavaScript, reachable by appending .map to the bundle URL.
How to check and fix it
- Try appending
.mapto one of your JavaScript file URLs. If a JSON source map loads, it's exposed. - Disable source‑map generation for production builds, or upload them privately to your error‑monitoring tool instead of deploying them.
- If you need them for debugging, restrict access to authenticated internal users.
Safeey checks your assets
Safeey inspects your JavaScript for publicly reachable source maps and flags them. Run a scan.
See what your site exposes
Safeey runs 1,700+ checks and shows you exactly what an attacker would find — with the fixes.
Scan your site