FixVibe


Exposed Source Maps

If your .map files are public, the attacker is reading your TypeScript.

The hook

Source maps are designed to be discoverable; that is the whole point. When a developer opens devtools, the browser fetches the `.map` file named in the bundle's `sourceMappingURL` comment and remaps minified stack traces back to the original source. Wonderful in development, dangerous in production: the same `.map` file is fetchable by anyone with curl, and inside it (in the map's `sourcesContent` field) sits your TypeScript, your component names, your internal comments, your API path constants, and everything minification stripped from the shipped bundle, including comments and the original identifier names. Public bug bounty programs receive a steady stream of source-map-leak findings, and well-known, well-resourced companies have shipped them at various points.

How it works

Modern bundlers (Webpack, Vite, esbuild, Next.js, Rollup) can emit a comment at the end of each minified bundle: `//# sourceMappingURL=main.abc123.js.map`. Browsers only fetch that URL when devtools is open, but nothing stops anyone from requesting it directly. The `.map` file is JSON in the source map v3 format: a `sources` array of original file paths, a `sourcesContent` array holding the full text of each of those files, and `mappings` data that ties every position in the minified output back to a file, line and column. If the bundler was configured not to embed `sourcesContent`, the map still leaks file paths and original identifier names. Tools like webcrack, source-map-explorer, and shujisr automate the reconstruction: feed them a public bundle and a public map and they write out your repository structure as plain TypeScript or JavaScript. Even without the comment, some deployments leak `.map` files that ship alongside the bundle at predictable paths.

The variants

Inline sourceMappingURL

The comment at the bundle's end points at a `.map` file. The most common shape, and the easiest to exploit: one extra GET.

Predictable .map paths

Even without the comment, bundlers write `.map` files next to the `.js` files they describe, and a deploy that copies the whole output directory publishes both. `main.abc123.js` => `main.abc123.js.map`. Probing for the `.map` path directly works.

Inlined data: URI source map

The map is base64-encoded inline at the end of the bundle (`sourceMappingURL=data:application/json;base64,...`). Same data, slightly less obvious to a human skimming the file, equally useful to tools, and it cannot be blocked at the CDN because it is part of the bundle itself.

Blast radius

Reveals internal API routes (your component code references `/api/admin/users` even though the route never appears in the rendered HTML), comment-marked TODOs and FIXMEs that read like an attacker's wishlist, internal naming conventions and repository layout, third-party API keys hardcoded as string constants in client code (they ship in the minified bundle regardless, but the map tells the attacker exactly which file and line they live in), and the entire shape of your client logic. Every reverse-engineering task the attacker would otherwise have to do becomes a quick read.
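The attacker-side workflow described under "How it works", "The variants" and "Blast radius", as an added example. This is not FixVibe's code and not any of the tools named above: it locates a bundle's source map (external comment, inline `data:` URI, or the guessed sibling path when the comment has been stripped), reconstructs the original files from `sources` / `sourcesContent`, and triages them for routes, TODOs and credential-shaped strings. The bundle URL, file names, file contents and map are all constructed for the example; the key id is the placeholder from AWS documentation.

```javascript
// Added example, not FixVibe's code or any of the tools named in the article.
// All bundle text, URLs, file names and map contents below are constructed.

// Matches `//# sourceMappingURL=...` and `/*# sourceMappingURL=... */` (and the legacy `@`).
const SMU_RE = /\/[\/*][#@]\s*sourceMappingURL=(\S+?)\s*(?:\*\/)?\s*$/m;

// Step 1: work out where the map is. Covers the three variants: external
// comment, inline data: URI, and no comment at all (guess the sibling path).
function locateSourceMap(bundleText, bundleUrl) {
  const m = bundleText.match(SMU_RE);
  if (!m) return { kind: 'guess', url: bundleUrl + '.map' };
  const target = m[1];
  if (target.startsWith('data:')) {
    const b64 = target.slice(target.indexOf(',') + 1);
    return { kind: 'inline', map: JSON.parse(Buffer.from(b64, 'base64').toString('utf8')) };
  }
  return { kind: 'comment', url: new URL(target, bundleUrl).href };
}

// Step 2: turn a v3 map into {path, content} records. sourcesContent is
// optional; when the bundler omitted it, only the file list leaks.
function reconstructSources(map) {
  const root = map.sourceRoot || '';
  return map.sources.map((src, i) => ({
    path: root + src,
    content: Array.isArray(map.sourcesContent) ? (map.sourcesContent[i] ?? null) : null,
  }));
}

// Step 3: triage the recovered text. Patterns are illustrative, not a full scanner.
const FINDING_PATTERNS = [
  { type: 'api-route', re: /["'`](\/api\/[^"'`\s]+)["'`]/g },
  { type: 'todo', re: /\/\/\s*(?:TODO|FIXME|HACK)\b[^\n]*/g },
  { type: 'aws-access-key', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { type: 'stripe-live-key', re: /\bsk_live_[0-9A-Za-z]{24,}\b/g },
];

function triage(files) {
  const findings = [];
  for (const f of files) {
    if (!f.content) continue;
    f.content.split('\n').forEach((line, idx) => {
      for (const { type, re } of FINDING_PATTERNS) {
        re.lastIndex = 0;
        let m;
        while ((m = re.exec(line)) !== null) {
          findings.push({ type, file: f.path, line: idx + 1, match: m[1] || m[0] });
        }
      }
    });
  }
  return findings;
}

// Constructed sample: two "original" TypeScript files, a v3 map embedding them,
// and three shapes of the shipped bundle. AKIAIOSFODNN7EXAMPLE is the
// placeholder access key id from AWS documentation, not a real credential.
const SAMPLE_SOURCES = {
  'src/admin/users.ts': [
    'const ADMIN_USERS = "/api/admin/users";',
    '// TODO: drop the legacy path below once auth v2 ships',
    'const LEGACY_USERS = "/api/v1/admin/users";',
    'export const loadUsers = () => fetch(ADMIN_USERS);',
  ].join('\n'),
  'src/config.ts': 'export const UPLOAD_KEY_ID = "AKIAIOSFODNN7EXAMPLE";',
};
const SAMPLE_MAP = {
  version: 3,
  file: 'main.abc123.js',
  sources: Object.keys(SAMPLE_SOURCES),
  sourcesContent: Object.values(SAMPLE_SOURCES),
  names: [],
  mappings: 'AAAA', // placeholder; real maps carry base64 VLQ segments here
};
const BUNDLE_URL = 'https://app.example.com/assets/main.abc123.js'; // assumed URL
const MINIFIED = 'fetch("/api/admin/users");';
const BUNDLES = {
  external: MINIFIED + '\n//# sourceMappingURL=main.abc123.js.map\n',
  inline: MINIFIED + '\n//# sourceMappingURL=data:application/json;base64,' +
    Buffer.from(JSON.stringify(SAMPLE_MAP)).toString('base64') + '\n',
  stripped: MINIFIED + '\n',
};

// Run all three variants offline. Only the inline bundle carries the map
// itself, so that is the one reconstructed and triaged here.
function demo() {
  const external = locateSourceMap(BUNDLES.external, BUNDLE_URL);
  const stripped = locateSourceMap(BUNDLES.stripped, BUNDLE_URL);
  const inline = locateSourceMap(BUNDLES.inline, BUNDLE_URL);
  const files = reconstructSources(inline.map);
  return { external, stripped, inline: inline.kind, files, findings: triage(files) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Against a real target the `comment` and `guess` results are URLs you fetch and feed to `reconstructSources`; the point of the `guess` branch is that removing the comment alone, without removing the file, does not close the hole.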


What FixVibe checks

FixVibe checks shipped client assets for high-confidence secret exposure signals and known credential formats. Reports identify the affected asset and rotation path. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Bulletproof defenses

Emit source maps only for trusted error trackers and strip the discovery comment from the production bundle. Most bundlers support 'hidden' source maps, which are generated but never referenced from the bundle: Webpack's `devtool: 'hidden-source-map'`, Vite's `build.sourcemap: 'hidden'`. Next.js's `productionBrowserSourceMaps` is a boolean that defaults to `false`; if you enable it to feed Sentry, pair it with the Sentry Next.js SDK's `hideSourceMaps` option, which removes the `sourceMappingURL` comment after upload, rather than publishing the maps. Upload the maps to your error tracker (Sentry's CLI, Bugsnag, Rollbar) at deploy time so stack-trace symbolication still works internally, and make sure the `.map` files are not copied into the directory your CDN publishes. If you genuinely need public source maps (rare), at least ensure the bundle itself contains no secrets; the rotate-everything-that-shipped principle applies. As a final layer, configure your CDN to refuse requests for `.map` files unless they come from your own tooling's IP addresses, and verify after every deploy that the published bundle carries no `sourceMappingURL` comment and has no `.map` sibling.

// run it on your own app

Keep shipping while FixVibe keeps watch for you.

FixVibe puts pressure on your app's public surface the way an attacker would, with no agent, no installation, no credit card. We keep studying new vulnerability patterns and turn them into practical checks and fixes ready to paste into Cursor, Claude and Copilot.

Secrets: 39 tests run in this category
Modules: 5 checks dedicated to secrets
Every scan: 487+ tests across all categories
  • Free: no credit card, no installation, no Slack pings
  • Paste a URL: we handle the crawling, probing and reporting
  • Results ranked by severity, deduplicated to report only
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
Run a free scan
