Security · Low

Source Maps

Checks for exposed source maps that reveal original source code.

What this check measures

We look for `.js.map` files referenced in JS files via `//# sourceMappingURL=...`. Public source maps let anyone reconstruct your original TypeScript/JSX from the minified bundle.

Why it matters

Source maps are useful for debugging but dangerous in production. They reveal your variable names, file structure, and sometimes unfinished features, exposing both intellectual property and details of your security posture.

How our audit detects it

We parse JS files for `sourceMappingURL` comments, then attempt to fetch the referenced `.map` file. A 200 response means the map is exposed.
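
The detection steps above, sketched as an added example (not Pantra's own code). The function names, the `example.test` origin and the sample files are constructed for illustration, and the fetch function is injectable so the check runs offline. Inline `data:` maps are reported separately because they need no second request.

```javascript
// Added example: names and sample data below are constructed for illustration.

// Return the last sourceMappingURL reference in a JS file, or null if none.
function findSourceMappingURL(jsText) {
  const re = /\/\/[#@]\s*sourceMappingURL=(\S+)\s*$/gm;
  let match, last = null;
  while ((match = re.exec(jsText)) !== null) last = match[1];
  return last;
}

// Resolve the reference against the script URL; inline data: maps need no fetch.
function resolveMapURL(scriptURL, ref) {
  if (ref.startsWith("data:")) return { inline: true, url: null };
  return { inline: false, url: new URL(ref, scriptURL).href };
}

// Audit one script: parse the comment, fetch the map, 200 = exposed.
async function auditScript(scriptURL, fetchImpl = fetch) {
  const js = await (await fetchImpl(scriptURL)).text();
  const ref = findSourceMappingURL(js);
  if (ref === null) return { scriptURL, status: "no-reference" };
  const target = resolveMapURL(scriptURL, ref);
  if (target.inline) return { scriptURL, status: "exposed-inline" };
  const res = await fetchImpl(target.url);
  const status = res.status === 200 ? "exposed" : "not-exposed";
  return { scriptURL, mapURL: target.url, status };
}

// Constructed sample origin: only main.js.map is actually served.
const SAMPLE_FILES = {
  "https://example.test/static/main.js":
    "console.log(1);\n//# sourceMappingURL=main.js.map\n",
  "https://example.test/static/main.js.map":
    '{"version":3,"sources":["src/app.tsx"]}',
  "https://example.test/static/vendor.js":
    "console.log(2);\n//# sourceMappingURL=vendor.js.map\n",
  "https://example.test/static/plain.js": "console.log(3);\n",
};

// Offline stand-in for fetch(): 200 for known files, 404 otherwise.
async function fakeFetch(url) {
  const body = SAMPLE_FILES[url];
  return { status: body === undefined ? 404 : 200, text: async () => body ?? "" };
}
```

Some hosts answer 200 with an HTML fallback page for any path, so a stricter version of this check would also confirm that the response body parses as a source map.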

Typical findings

  • `main.js.map` accessible publicly — full TypeScript source reconstructible.
  • Vercel deployment with source maps enabled by default.

How to fix

Disable source map generation for production builds, or upload the maps only to your error-tracking service (Sentry etc.) and delete them from the public bundle. Next.js: `productionBrowserSourceMaps: false` in next.config.js.

Frequently asked questions

Can I keep them for Sentry?
Yes — upload to Sentry via their CLI and exclude from the deployed assets. Best of both worlds.
