if we’re talking about a personal website nobody will care. if you are a multibillion company and there’s the risk that literally anyone can create a 1:1 clone of your services… yeah that’s a bit of a trouble
That’s the thing, it’s not actually a security measure. Security through obscurity is not security. It can provide false security impression that is more harmful in my opinion.
Having source maps can encourage proper security practices. Which, in my books, very much outweighs any security benefits of hiding them.
no it doesn’t, and I am very aware that if anything runs on someone’s computer then it can get replicated.
but it gets slightly harder, also to reverse-engineer it or find potential fallacies.
as well as source maps on prod are just a waste of bandwidth
Open source code is usually quite nice and well done because money pressure is way less of an issue and everyone knows people will be looking at your code
Also what I’ve heard from open-source project maintainers, once a project gets popular, the flood of feature requests is neverending. (Something I’m sure I contributed to over the years 🫣) And especially in cases of feature requests with niche usefulness or mismatching vision, they can sap developer morale.
Security through obscurity is not security. I see no reason why source maps should be unavailable.
depends.
if we’re talking about a personal website nobody will care. if you are a multibillion company and there’s the risk that literally anyone can create a 1:1 clone of your services… yeah that’s a bit of a trouble
Omitting source maps doesn’t prevent that.
No, but it’s a sensible security measure. Anything to make it harder.
That’s the thing, it’s not actually a security measure. Security through obscurity is not security. It can provide false security impression that is more harmful in my opinion.
Having source maps can encourage proper security practices. Which, in my books, very much outweighs any security benefits of hiding them.
no it doesn’t, and I am very aware that if anything runs on someone’s computer then it can get replicated. but it gets slightly harder, also to reverse-engineer it or find potential fallacies. as well as source maps on prod are just a waste of bandwidth
Dunno, this “harder” argument while valid sounds just like false security. That’s why I don’t see much weight in it.
As for bandwidth, source maps are not automatically pulled from server, so it also seems like a false issue to me.
Because source maps show how shitty your organization’s code and overall engineering practices are.
Ding ding ding
Open source code is usually quite nice and well done because money pressure is way less of an issue and everyone knows people will be looking at your code
If you look at the casual code that I have shamelessly made public on my GitLab, that might change your mind on that.
That’s probably also why development is usually really slow and most maintainers can’t keep up/give up.
Nope, it is simply because they are overwhelmed. Either it’s too much work to do after your day job or just too much work for one person.
Also what I’ve heard from open-source project maintainers, once a project gets popular, the flood of feature requests is neverending. (Something I’m sure I contributed to over the years 🫣) And especially in cases of feature requests with niche usefulness or mismatching vision, they can sap developer morale.