11

Source maps are a convenient way to work directly with code that has been obfuscated and/or minified, yet trace errors back to the original "pretty" code.

My understanding is that obfuscating and minifying code generally does not do anything useful from a security standpoint, so my instinct is that providing files that reverse this process shouldn't be a problem. And providing them can lead to better error reports and faster reproduction of live problems.

Is there any good security reason to include or restrict the presence of .map files on live production web servers?

Robert
  • **Anything** not directly related to the main service has no place on live production rigs. By reducing attack surface you are protecting (somewhat) from unknown threats. – Deer Hunter Feb 12 '16 at 19:46
  • Related question on Stack Overflow: http://stackoverflow.com/questions/27345520/source-maps-files-in-production-is-it-safe – ShreevatsaR Oct 18 '16 at 19:47

1 Answer

5

Open Chrome dev tools on any site you know has a source map included, click the Sources tab and you will immediately see why including source maps on prod is a bad idea. You will get a tonne of information on project structure as stored on disk. This is a particular problem for modern sites that use a component based framework, i.e. every view has its own controller, view and CSS partial.

On a site like this you will see the entire project file and folder structure as stored on the disk. This is dangerous for various reasons, not least the broad partial path disclosure and naming conventions you are giving away.

TrickyDupes
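As an added example that is not part of the original question or answer: the script below does by hand what the Sources tab does automatically. It takes a constructed minified bundle and a constructed source map (the file names, paths and embedded source are made up for the demo), follows the `sourceMappingURL` comment to the map, lists the original on-disk paths it names, folds them into a directory tree, and pulls out any original source the map embedded through `sourcesContent`. Run it with Node.

```javascript
// Added example, not code from the original question or answer.
// Shows what anyone who can fetch a production .map file learns from it:
// the original on-disk paths, and often the original source itself.
// The bundle text and the map JSON below are constructed for this demo.

const BUNDLE = [
  'function a(e){return e.name}',
  '//# sourceMappingURL=app.min.js.map',
].join('\n');

const MAP_JSON = JSON.stringify({
  version: 3,
  file: 'app.min.js',
  sourceRoot: '',
  // Relative paths as bundlers typically emit them: they walk back out of the
  // build directory into the project layout (made-up paths for the demo).
  sources: [
    '../src/components/login/login.controller.js',
    '../src/components/login/login.view.html',
    '../src/components/login/login.partial.css',
    '../src/services/session.service.js',
  ],
  // Bundlers can inline the original text; null means "not embedded".
  sourcesContent: [
    "export function login(user) {\n  // TODO: rate limit\n  return api.post('/internal/auth', user);\n}\n",
    null,
    null,
    'export const SESSION_TTL = 3600;\n',
  ],
  names: ['user'],
  mappings: 'AAAA', // placeholder VLQ mapping data; not decoded here
});

// Step 1: find the map reference the browser follows. It is a trailing comment
// in the `//# sourceMappingURL=` form (older tools used `//@`). A map can also be
// advertised in a `SourceMap:` response header, which this text scan will not see.
function findSourceMapUrl(bundleText) {
  const m = bundleText.match(/\/\/[#@]\s*sourceMappingURL=(\S+)\s*$/m);
  return m ? m[1] : null;
}

// Step 2: list every original file the map names, prefixed with sourceRoot.
function listOriginalFiles(mapText) {
  const map = JSON.parse(mapText);
  if (map.version !== 3) throw new Error('unsupported source map version ' + map.version);
  const root = map.sourceRoot || '';
  return map.sources.map((s) => root + s);
}

// Step 3: fold those paths into a directory tree (what the Sources tab draws).
function buildTree(paths) {
  const tree = {};
  for (const p of paths) {
    let node = tree;
    for (const part of p.split('/').filter(Boolean)) {
      node = node[part] = node[part] || {};
    }
  }
  return tree;
}

// Step 4: pull out any original source the map embedded verbatim.
function recoverSources(mapText) {
  const map = JSON.parse(mapText);
  const recovered = {};
  (map.sourcesContent || []).forEach((content, i) => {
    if (typeof content === 'string') recovered[map.sources[i]] = content;
  });
  return recovered;
}

// Render the tree as indented lines, one path component per line.
function renderTree(tree, depth = 0) {
  return Object.keys(tree).sort().flatMap((name) => [
    '  '.repeat(depth) + name,
    ...renderTree(tree[name], depth + 1),
  ]);
}

const mapUrl = findSourceMapUrl(BUNDLE);
const files = listOriginalFiles(MAP_JSON);
console.log('map referenced by bundle:', mapUrl);
console.log(renderTree(buildTree(files)).join('\n'));
console.log('embedded originals:', Object.keys(recoverSources(MAP_JSON)));
```

The same scan over your own deployed bundles is a cheap check: a `//# sourceMappingURL=` comment (or a `SourceMap:` response header) pointing at a `.map` file that the server actually serves means the layout printed above is public. Note also that `sourcesContent` makes the map self-contained, so when a bundler fills it in, the original code ships with the map, comments and TODOs included, not just the file names.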