Source maps files in production - Is it safe?

Ofer Velich picture Ofer Velich · Dec 7, 2014 · Viewed 28.3k times · Source

I'm using UglifyJS to minify and uglify my sources, and Sentry to report errors from my production environment.

In order to get errors from Sentry, in a readable manner, I need to add source-map

Is it safe to do it in production servers, or the source-maps files should only exist on staging environment?
Is there a way to secure them on production environment?

Answer

John Bernardsson picture John Bernardsson · Sep 1, 2016

Searching for a possible solution to this, and if someone is not specifically using Sentry, I got to this blog post (ironically a Sentry blog post):

https://blog.sentry.io/2015/10/29/debuggable-javascript-with-source-maps.html

Where there is an interesting idea: "private source maps". It implies generating the source maps in someplace that is not accessible from the internet (such as your company VPN), so only you or your team can access the source maps files.

Quoting the "Private Source Maps" section of the post:

[...] all of our examples assume that your source maps are publicly available, and served from the same server as your executing JavaScript code. In which case, any developer can use them to obtain your original source code.

To prevent this, instead of providing a publicly-accessible sourceMappingURL, you can instead serve your source maps from a server that is only accessible to your development team. For example, a server that is only reachable from your company’s VPN.

//# sourceMappingURL: http://company.intranet/app/static/app.min.js.map

When a non-team member visits your application with developer tools open, they will attempt to download this source map but get a 404 (or 403) HTTP error, and the source map will not be applied.

Seems like a good idea to me!