Cal.com Has productionBrowserSourceMaps: true. So Might You.
Cal.com is one of the most polished open-source Next.js projects out there. Over 34k GitHub stars. Actively maintained. Used by real companies for real scheduling. And their next.config.js ships source maps to production.
// cal.com's next.config.js
productionBrowserSourceMaps: true
One line. That's all it takes to serve your entire original source code to anyone who opens DevTools.
What source maps actually expose
Source maps are debugging files that map your minified, bundled production JavaScript back to the original source code. When they're publicly accessible, anyone can:
- Read your entire client-side codebase — every component, every utility function, every comment you left in the code
- Understand your business logic — pricing calculations, feature flags, A/B test conditions, admin route structures
- Find vulnerabilities faster — instead of reverse-engineering minified code, attackers read your source directly
- Discover API patterns — endpoint structures, request/response shapes, authentication flows
This isn't theoretical. Open DevTools on any site serving source maps, go to the Sources tab, and you'll see the original file tree. Every .tsx file. Every hook. Every API call.
How to check your project in 10 seconds
For Next.js: Open your next.config.js (or .ts, or .mjs). Search for productionBrowserSourceMaps. If it's set to true, you're exposed. If it's absent, you're fine — the default is false.
grep -r "productionBrowserSourceMaps" next.config.*
For Vite/Webpack: Check your build config for sourcemap: true in production mode. Vite defaults to false for production builds. Webpack depends on your devtool setting.
For any framework: After deploying, open DevTools in your browser, go to the Sources tab, and look for your original file structure. If you see .tsx or .ts files with readable source code, source maps are being served.
You can also check directly:
# Pick any JS bundle from your site and append .map
curl -sS -o /dev/null -w "%{http_code}" https://yoursite.com/_next/static/chunks/main-abc123.js.map
# 200 = source maps are public. 404 = you're fine.
Why Cal.com does it (and why you probably shouldn't)
Cal.com likely has productionBrowserSourceMaps: true for debugging purposes. When you're running a large open-source project with many contributors, being able to debug production issues quickly has real value. And since their code is already open-source on GitHub, the exposure argument is weaker.