What are source maps and why are they dangerous
Source maps are .map files that map minified JavaScript back to your original source code. They exist to make debugging easier — but they also let anyone read your original code directly in DevTools.
If source maps are publicly accessible, an attacker can read your original business logic, find hardcoded secrets faster, and understand your app structure to spot vulnerabilities.
How to check: DevTools -> Sources tab. If you see original .tsx / .ts / .js files instead of minified code — source maps are exposed.
Next.js
productionBrowserSourceMaps defaults to false, but sometimes gets enabled explicitly.
// next.config.js
const nextConfig = {
  productionBrowserSourceMaps: false,
}
module.exports = nextConfig
Verify after deploying:
curl -I https://yoursite.com/_next/static/chunks/main.js.map
# Should return 404
Vite
// vite.config.js
import { defineConfig } from 'vite'

export default defineConfig({
  build: {
    sourcemap: false, // default for production, but worth making explicit
  },
})
Create React App (CRA)
Add to .env.production:
GENERATE_SOURCEMAP=false
Or pass it at build time:
GENERATE_SOURCEMAP=false npm run build
Astro
Source maps are disabled by default in Astro production builds. If you added a Vite plugin that enables them, remove it:
// astro.config.mjs
import { defineConfig } from 'astro/config'

export default defineConfig({
  vite: {
    build: {
      sourcemap: false, // ensure no plugin has set this to true
    },
  },
})
Vue (Nuxt)
Nuxt 3 uses Vite under the hood — source maps are off in production by default. To make it explicit:
// nuxt.config.ts
export default defineNuxtConfig({
  vite: {
    build: {
      sourcemap: false,
    },
  },
})
For Nuxt 2 (webpack-based):
// nuxt.config.js
export default {
  build: {
    extend(config, { isDev }) {
      if (!isDev) {
        config.devtool = false
      }
    },
  },
}
Verify:
npm run build
ls .output/public/_nuxt/*.map
# Should return nothing
Angular
In angular.json, find the production configuration and set sourceMap to false:
{
  "projects": {
    "your-app": {
      "architect": {
        "build": {
          "configurations": {
            "production": {
              "sourceMap": false
            }
          }
        }
      }
    }
  }
}
Or pass the flag directly via CLI:
ng build --configuration production --no-source-map
Verify:
ls dist/your-app/browser/*.map
# Should return nothing
WordPress
WordPress itself does not generate source maps. The risk comes from your theme or build tooling.
If your theme uses webpack, Vite, or a similar bundler — check its config and apply the same rules as above.
If you're using a pre-built theme with compiled assets, check whether the developer left .map files in the package. You can block access to them in .htaccess:
# .htaccess
<FilesMatch "\.map$">
  Require all denied
</FilesMatch>
Or via Nginx:
location ~* \.map$ {
  deny all;
  return 404;
}
Tilda
Tilda does not expose source maps. The platform compiles and serves its own JS — you have no control over it and no access to map files. This issue does not apply to Tilda sites.
webpack
// webpack.config.js
module.exports = {
  devtool: false,
}
Verify after deploying
Open your site in the browser. DevTools -> Sources — you should see only minified files. Try requesting a .map file directly — it should return 404.
Or run vibeblame again — the issue should be resolved.
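To automate the manual DevTools check above, here is an added example (not code from the original post or from vibeblame): a Node 18+ script that reads a deployed bundle's sourceMappingURL comment and probes the .map URL. The site and chunk URL it is invoked with are placeholders.

```javascript
// Added example, not code from the original post: a Node 18+ checker for
// source map exposure on a deployed bundle. It reads the sourceMappingURL
// comment, flags inline data: maps (the sources live inside the bundle, so a
// 404 on .map proves nothing), and otherwise requests the .map URL. Bundles
// built with hidden source maps carry no comment but the .map may still be
// deployed, so the conventional <bundle>.map location is probed as a fallback.

const SOURCE_MAPPING_RE = /(?:\/\/|\/\*)[#@]\s*sourceMappingURL=([^\s*]+)/g;

// Returns the last sourceMappingURL value in the bundle text, or null.
function findSourceMappingUrl(text) {
  let last = null;
  for (const m of text.matchAll(SOURCE_MAPPING_RE)) last = m[1];
  return last;
}

// Describes what the bundle points at and which .map URL to probe.
function classifyBundle(text, bundleUrl) {
  const raw = findSourceMappingUrl(text);
  if (raw === null) return { kind: 'none', url: `${bundleUrl}.map` };
  if (raw.startsWith('data:')) return { kind: 'inline', url: null };
  return { kind: 'external', url: new URL(raw, bundleUrl).href };
}

// Fetches a bundle and reports whether its original sources are reachable.
async function checkBundle(bundleUrl) {
  const res = await fetch(bundleUrl);
  if (!res.ok) throw new Error(`bundle ${bundleUrl} returned ${res.status}`);
  const info = classifyBundle(await res.text(), bundleUrl);
  if (info.kind === 'inline') return { ...info, exposed: true };
  const mapRes = await fetch(info.url, { method: 'HEAD' });
  return { ...info, status: mapRes.status, exposed: mapRes.ok };
}

// Usage: node check-sourcemaps.js https://yoursite.com/_next/static/chunks/main.js
// (placeholder URL; pass a real chunk from your own deployment)
if (process.argv[2]) {
  checkBundle(process.argv[2])
    .then((r) => console.log(r.exposed ? 'EXPOSED' : 'ok', r))
    .catch((e) => console.error(e.message));
}
```

A result of `exposed: true` with `kind: 'inline'` means the map is embedded in the bundle itself, which the curl and ls checks above will not catch.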