The 'SourceMap' header (or the older 'X-SourceMap') points to a source map file for a JavaScript asset, letting developers debug production code by mapping compiled or minified files back to their original source. When these source maps are publicly accessible, however, attackers gain deep insight into the application's structure, business logic, and internal API endpoints. This facilitates reverse engineering, discovery of hardcoded secrets, and disclosure of internal project paths. Ultimately, publicly exposed source maps lower the barrier for attackers to locate vulnerabilities in your frontend code and plan more effective exploitation.
Remove or restrict access to the source map files in production environments. Configure your build pipeline to exclude source maps from public-facing directories, or place them behind authentication if they're needed for debugging. If you still require source maps for monitoring or error reporting services, consider using tools or services that securely store them without exposing them to end users. Additionally, use a Web Application Firewall (WAF) or intrusion detection system to block suspicious requests probing for '.map' files. Regularly review your deployment pipeline to ensure source maps are not leaked inadvertently, and maintain secure coding practices to minimize sensitive data in front-end code.
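A pre-release check for the exposure described above, added here as an example and not part of the original finding text: it extracts the source map reference from either the 'SourceMap'/'X-SourceMap' header or the trailing 'sourceMappingURL' comment, resolves it against the script URL, and reports whether an unauthenticated request for the map would succeed. The sample asset, headers and the stub fetcher are constructed; in a real pipeline the fetcher would issue an HTTP HEAD against your staging or production origin.

```python
import re
from typing import Callable, Optional
from urllib.parse import urljoin

# Trailing comment form emitted by most bundlers: //# sourceMappingURL=app.js.map
_COMMENT_RE = re.compile(r"^\s*//[#@]\s*sourceMappingURL=(\S+)\s*$", re.MULTILINE)

def find_source_map(script_url: str, headers: dict, body: str) -> Optional[str]:
    """Return the absolute URL of the referenced source map, or None.
    Header references are checked first (the spec gives them precedence over
    the in-file comment); inline data: maps are skipped as a separate finding."""
    lowered = {k.lower(): v for k, v in headers.items()}
    ref = lowered.get("sourcemap") or lowered.get("x-sourcemap")
    if not ref:
        m = _COMMENT_RE.search(body)
        ref = m.group(1) if m else None
    if not ref or ref.startswith("data:"):
        return None
    return urljoin(script_url, ref)

def audit_script(script_url: str, headers: dict, body: str,
                 fetch_status: Callable[[str], int]) -> dict:
    """Classify one asset. fetch_status(url) -> HTTP status code of an
    unauthenticated request; pass a real HTTP client in practice."""
    map_url = find_source_map(script_url, headers, body)
    if map_url is None:
        return {"script": script_url, "map": None, "exposed": False}
    status = fetch_status(map_url)
    # Any 2xx means the map is publicly reachable; 401/403/404 mean it is not.
    return {"script": script_url, "map": map_url, "exposed": 200 <= status < 300}

# Constructed sample (not a real site): header reference plus a bundler comment.
SAMPLE_URL = "https://app.example/static/app.min.js"
SAMPLE_HEADERS = {"Content-Type": "application/javascript",
                  "SourceMap": "/static/maps/app.js.map"}
SAMPLE_BODY = "!function(){console.log('hi')}();\n//# sourceMappingURL=app.min.js.map\n"

def demo(status_by_url: Optional[dict] = None) -> dict:
    """Audit the sample with a stub fetcher that returns 200 unless overridden."""
    table = status_by_url or {}
    return audit_script(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY,
                        lambda url: table.get(url, 200))

if __name__ == "__main__":
    print(demo())  # exposed: True, because the stub serves the map with 200
```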
Code: A05:2021
Category: Security Misconfiguration
7.5
7.5