
Any legitimate security concern with making JavaScript source map public? - Stack Overflow


I am using bug tracking software to report any errors that occur in a web browser but the code on my production site is minified. As a result, debugging is near impossible (variable names are changed, etc.).

I want to put a full source map file in production so I can debug these errors but have heard some concerns about privacy/security in doing this. Since minified JavaScript can be un-minified and reverse engineered without a source map, I am wondering if this is a legitimate concern. All I can see is that it would just make that process faster.

Is there a legitimate security concern for putting a sourcemap into the public domain?

asked Jun 2, 2017 at 19:19 by Ben Rondeau

  • Security? No. Someone will copy your code / find out what it does more easily? Yes – Jonas Wilms, Jun 2, 2017 at 19:21
  • Similar incorrectly closed question: stackoverflow.com/questions/27345520/… – Michael Freidgeim, Aug 7, 2021 at 13:04

2 Answers

Answer (score 19)

As opposed to what others are saying, there is a security aspect to it.

You are right in that it is possible to analyse (un-minify, etc.) the source without the source map too. It will never be 100% secure as you know. However, security is about capabilities and effort, and the risk that comes from these. It's about your threat model and attacker model.

A real-world attacker often doesn't have unlimited resources, but has limited knowledge of your software. So while, strictly speaking, obfuscated JavaScript code without a source map is technically equivalent to the actual source code because it can be inspected when run on the client anyway, in the real world there is a significant difference in the effort, skill and resources needed for this.

So while I'm not at all advocating security by obscurity, and I firmly think your code should be secure against an attacker that has the source code, this will not always be the case in reality: there will be vulnerabilities, and those will be easier to discover for an attacker if source maps are available.
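A practical way to act on this answer is to check what the shipped bundle and its map actually expose, then keep the map out of the public bundle so it can be uploaded to the bug tracker privately instead. This is an added example, not code from the question or the answers; it assumes Node.js, and the bundle and source map below are constructed samples.

```javascript
// Added example (not from the question or answers): audit a production bundle and its
// source map before deciding whether the map should be publicly reachable.
// Assumes Node.js; SAMPLE_BUNDLE and SAMPLE_MAP are constructed, not real assets.

// Constructed minified bundle that advertises its map via the standard trailer comment.
const SAMPLE_BUNDLE = 'function a(b){return b*2}\n//# sourceMappingURL=app.min.js.map\n';

// Constructed source map. "sourcesContent" embeds the complete original sources, which is
// what turns a public map from "reverse engineering is faster" into "here is the source".
const SAMPLE_MAP = JSON.stringify({
  version: 3,
  file: 'app.min.js',
  sources: ['src/double.js'],
  sourcesContent: ['export function double(value) {\n  return value * 2;\n}\n'],
  names: ['double', 'value'],
  mappings: 'AAAA',
});

// Does the bundle tell browsers and devtools where to fetch a map from?
function findSourceMappingUrl(bundle) {
  const m = bundle.match(/\/[/*][#@]\s*sourceMappingURL=(\S+)/);
  return m ? m[1] : null;
}

// Summarise what the map hands to anyone who downloads it: original file paths,
// original identifier names, and (worst case) the full original source text.
function assessSourceMap(mapJson) {
  const map = JSON.parse(mapJson);
  const embeds = Array.isArray(map.sourcesContent) && map.sourcesContent.some(Boolean);
  return {
    originalFiles: map.sources || [],
    identifierNames: map.names || [],
    embedsOriginalSource: embeds,
  };
}

// Mitigation 1: strip the trailer so the shipped bundle no longer points at a map;
// the map is then sent to the error-tracking service out of band, not served publicly.
function stripSourceMappingUrl(bundle) {
  return bundle.replace(/\n?\/[/*][#@]\s*sourceMappingURL=\S+\s*$/m, '\n');
}

// Mitigation 2: if a map must be public, publish one without embedded source text.
function withoutSourcesContent(mapJson) {
  const map = JSON.parse(mapJson);
  delete map.sourcesContent;
  return JSON.stringify(map);
}
```

Run `assessSourceMap` against the map your build tool emits; if `embedsOriginalSource` is true, publishing it is equivalent to publishing the repository's front-end sources.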

Only concern would be making it easier for someone to dupe your code. No security issues beyond that.
