Source maps files in production - Is it safe? [closed]

I'm using UglifyJS to minify and uglify my sources, and Sentry to report errors from my production environment.

In order to get errors from Sentry in a readable manner, I need to add source maps.

Is it safe to do this on production servers, or should the source-map files only exist in the staging environment?
Is there a way to secure them in the production environment?

Ofer Velich asked Dec 07 '14 17:12



1 Answer

Searching for a possible solution to this, and if someone is not specifically using Sentry, I got to this blog post (ironically a Sentry blog post):

https://blog.sentry.io/2015/10/29/debuggable-javascript-with-source-maps.html

There is an interesting idea in it: "private source maps". It implies generating the source maps somewhere that is not accessible from the internet (such as your company VPN), so only you or your team can access the source-map files.

Quoting the "Private Source Maps" section of the post:

[...] all of our examples assume that your source maps are publicly available, and served from the same server as your executing JavaScript code. In which case, any developer can use them to obtain your original source code.

To prevent this, instead of providing a publicly-accessible sourceMappingURL, you can instead serve your source maps from a server that is only accessible to your development team. For example, a server that is only reachable from your company’s VPN.

//# sourceMappingURL=http://company.intranet/app/static/app.min.js.map

When a non-team member visits your application with developer tools open, they will attempt to download this source map but get a 404 (or 403) HTTP error, and the source map will not be applied.

Seems like a good idea to me!

John Bernardsson answered Oct 14 '22 17:10
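A post-build step along the lines of the private-maps idea above, as an added example that is not from the question, the answer or the Sentry post: it classifies how a minified bundle references its map (none, inline data: URI, relative, absolute) and rewrites the directive to a team-only host. The intranet host name and the sample bundle are constructed.

```javascript
// Added example (not from the question, the answer, or the Sentry post): a
// post-build step that audits how a minified bundle references its source map
// and rewrites the directive to a team-only host. The intranet host name and
// the sample bundle below are constructed for the demonstration.
const SOURCE_MAP_RE = /^[ \t]*\/\/[#@][ \t]*sourceMappingURL=(\S+)[ \t]*$/m;

// Classify the exposure of a bundle's source map:
//   "none"     no directive, the browser has nothing to fetch
//   "inline"   data: URI, the map (usually with original sources) is embedded in the bundle
//   "relative" relative path, fetched from the same origin as the JS, so public
//   "absolute" absolute URL, public unless that host restricts access (e.g. VPN only)
function auditSourceMap(js) {
  const m = js.match(SOURCE_MAP_RE);
  if (!m) return { kind: "none", url: null };
  const url = m[1];
  if (url.startsWith("data:")) return { kind: "inline", url };
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(url)) return { kind: "absolute", url };
  return { kind: "relative", url };
}

// Replace whatever directive the minifier emitted with one pointing at the
// private host; mapName is the map's file name as deployed on that host.
// The .map file itself must be moved off the public web root separately.
function privatizeSourceMap(js, privateBase, mapName) {
  const directive = `//# sourceMappingURL=${privateBase.replace(/\/+$/, "")}/${mapName}`;
  if (SOURCE_MAP_RE.test(js)) return js.replace(SOURCE_MAP_RE, () => directive);
  return js.replace(/\s*$/, "") + "\n" + directive + "\n";
}

// Constructed bundle as a minifier would emit it, referencing a public map next to it.
const sampleBundle = "function a(b){return b*2}\n//# sourceMappingURL=app.min.js.map\n";

const hardened = privatizeSourceMap(sampleBundle, "https://company.intranet/app/static/", "app.min.js.map");
console.log(auditSourceMap(sampleBundle).kind, "->", auditSourceMap(hardened).kind); // relative -> absolute
```

An "inline" result is the case to treat as a release blocker, since the original sources travel inside the bundle regardless of where any .map file is hosted.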