Creating JavaScript source maps in production can be a double-edged sword. On one hand, source maps are incredibly useful for debugging because they allow you to see the original source code in the browser's developer tools, even if your JavaScript has been minified or compiled from another language like TypeScript. This can be a lifesaver when trying to track down issues in production.
However, on the other hand, exposing source maps in production can potentially reveal your application's source code to the public. This might not be a concern for open-source projects, but for private codebases, it could be a security risk as it may expose proprietary code or security vulnerabilities.
Here are some considerations for using source maps in production:
- Security: If your codebase contains sensitive logic or proprietary algorithms, you might want to avoid exposing source maps to the public.
- Performance: Serving source maps can increase the load on your server because they are additional files that the browser may request.
- Error Reporting Services: If you are using an error reporting service (like Sentry, Rollbar, etc.), you can upload source maps to these services without exposing them to the public. This way, you can still benefit from the detailed error reports without revealing your source code.
If you decide that you want to use source maps in production, you should configure your build process to generate them. In a Laravel & Inertia setup, you can control the generation of source maps through your webpack.mix.js file. Here's how you might conditionally generate source maps:
```js
const mix = require('laravel-mix');
// ...
if (!mix.inProduction()) {
    mix.sourceMaps();
} else {
    // Optionally, you can enable source maps in production with a different configuration
    // mix.sourceMaps(true, 'source-map');
}
// ...
```
In the above example, source maps are only generated if you're not in production mode. If you want to enable source maps in production, you can uncomment the second mix.sourceMaps() call and configure it as needed.
Remember to protect your source maps if you decide to use them in production. You can do this by:
- Restricting access to source map files using server configurations (e.g., .htaccess on Apache or server blocks in Nginx).
- Only allowing certain IP addresses to access the source map files.
- Removing source maps after your debugging session is complete.
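A check that a build output does not ship source maps, as an added example rather than code from the original page: it flags `.map` files, maps that embed original source in `sourcesContent`, and `sourceMappingURL` comments left in bundles. The function names, the `audit-maps.js` file name and the sample build are assumptions made for illustration.

```javascript
// Added example, not the page's code. Names (auditFiles, readTree, SAMPLE) are illustrative.
// Matches the trailing comment bundlers append, e.g. "//# sourceMappingURL=app.js.map".
const MAP_REF = /\/[\/*][#@]\s*sourceMappingURL=([^\s*]+)/;
// files: { relativePath: contents }. A map's sourcesContent embeds the original source text.
function auditFiles(files) {
  const findings = [];
  for (const [file, body] of Object.entries(files)) {
    if (file.endsWith('.map')) {
      let map = null;
      try { map = JSON.parse(body); } catch { /* unparsable, still a stray .map file */ }
      const full = !!map && Array.isArray(map.sourcesContent) && map.sourcesContent.some(Boolean);
      findings.push({ file, issue: full ? 'map-with-original-source' : 'map-file' });
    } else if (/\.(js|css)$/.test(file)) {
      const ref = MAP_REF.exec(body);
      if (ref) findings.push({ file, issue: ref[1].startsWith('data:') ? 'inline-map' : 'map-reference' });
    }
  }
  return findings;
}

// Load the .js/.css/.map files under dir (for Laravel Mix, typically public/).
async function readTree(dir) {
  const [fs, path] = await Promise.all([import('node:fs'), import('node:path')]);
  const out = {};
  const walk = (d) => {
    for (const e of fs.readdirSync(d, { withFileTypes: true })) {
      const p = path.join(d, e.name);
      if (e.isDirectory()) walk(p);
      else if (/\.(js|css|map)$/.test(e.name)) out[path.relative(dir, p)] = fs.readFileSync(p, 'utf8');
    }
  };
  walk(dir);
  return out;
}

// Constructed sample standing in for a production build output.
const SAMPLE = {
  'js/app.js': 'console.log(1);\n//# sourceMappingURL=app.js.map\n',
  'js/app.js.map': JSON.stringify({ version: 3, sources: ['app.js'], sourcesContent: ['let total = 1;'], mappings: '' }),
  'js/vendor.js': 'console.log(2);\n',
  'css/app.css': 'body{margin:0}\n/*# sourceMappingURL=data:application/json;base64,e30= */\n',
};

// Usage: node audit-maps.js public   (with no argument, the sample above is audited)
async function main(dir) {
  const findings = auditFiles(dir ? await readTree(dir) : SAMPLE);
  for (const f of findings) console.log(`${f.issue}\t${f.file}`);
  if (dir && findings.length) process.exitCode = 1; // non-zero exit fails a deploy step
}
main(process.argv[2]).catch((err) => console.error(err.message));
```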
In conclusion, whether or not to use source maps in production depends on your specific needs and the sensitivity of your codebase. If you do use them, make sure to take appropriate measures to protect your source code.