Production source maps ship your un-minified source — original variable names, inline comments, file structure, sometimes hardcoded dev-only debug URLs — to anyone who opens browser devtools. That turns reverse-engineering your auth flow, rate-limit bypass logic, or feature-flag gating from a 4-hour exercise into a 4-minute read. AI coding tools commonly enable productionBrowserSourceMaps: true because a tutorial or error-monitoring setup guide told them to, without explaining that the maps should be uploaded to Sentry/Datadog out-of-band rather than served on the public CDN. The .map files aren't automatically linked from HTML, but their URLs are deterministic (/static/js/chunk.abc.js.map) and the browser fetches them automatically when devtools opens.
Low because leaked source maps accelerate reconnaissance but don't directly grant access: they lower the cost of attacks that would otherwise have to reconstruct the same logic through other means.
Set productionBrowserSourceMaps: false (or remove the line) in next.config.js. For Vite, set build: { sourcemap: false }. Upload maps to your error monitor via their CLI instead.
Deeper remediation guidance and cross-reference coverage for this check lives in the data-protection Pro audit — run that after applying this fix for a more exhaustive pass on the same topic.
Check: project-snapshot.data-exposure.no-source-maps-in-prod
Severity: low
Where to look: productionBrowserSourceMaps in next.config.*. Vite: build.sourcemap in vite.config.*. Webpack: devtool setting. Also look for .map files in public/, dist/, build/, or .next/static/.
Fail when: source maps are enabled in the production build (productionBrowserSourceMaps: true), or .map files exist in shippable directories.
Pass message: "Source maps disabled in production build (config: productionBrowserSourceMaps not set / false)."
Fail message: "next.config.js sets productionBrowserSourceMaps: true; .js.map files would ship to production".
Fix: Set productionBrowserSourceMaps: false (or remove the line) in next.config.js. For Vite, set build: { sourcemap: false }. Upload maps to your error monitor via their CLI instead.