I'm using UglifyJS to minify and uglify my sources, and Sentry to report errors from my production environment.
In order to get errors from Sentry, in a readable manner, I need to add source-map
Is it safe to do it in production servers, or the source-maps files should only exist on staging environment?
Is there a way to secure them on production environment?
On
Searching for a possible solution to this, and if someone is not specifically using Sentry, I got to this blog post (ironically a Sentry blog post):
https://blog.sentry.io/2015/10/29/debuggable-javascript-with-source-maps.html
Where there is an interesting idea: "private source maps". It implies generating the source maps in someplace that is not accessible from the internet (such as your company VPN), so only you or your team can access the source maps files.
Quoting the "Private Source Maps" section of the post:
[...] all of our examples assume that your source maps are publicly available, and served from the same server as your executing JavaScript code. In which case, any developer can use them to obtain your original source code.
To prevent this, instead of providing a publicly-accessible sourceMappingURL, you can instead serve your source maps from a server that is only accessible to your development team. For example, a server that is only reachable from your company’s VPN.
//# sourceMappingURL: http://company.intranet/app/static/app.min.js.map
When a non-team member visits your application with developer tools open, they will attempt to download this source map but get a 404 (or 403) HTTP error, and the source map will not be applied.
Seems like a good idea to me!
Your primary concerns will be "is it ok if the user has my source code?" Usually it is fine, as users can deobfuscate things anyways.
That said, if you're using Sentry, you can actually use the releases API to avoid this problem. You'll still need to generate the artifacts, and set URLs (or something that the API can handle), but you don't have to expose them to the internet.