[prawks]

I often hear people point to security as a reason to avoid shipping sourcemaps in Production, but it seems like such a non-issue given that anyone can unminify the code shipped out to their browsers. What kinds of secrets are able to be hidden via obfuscation? The answer traditionally is "none" so I'm pretty consistently baffled. We do strip comments explicitly so that devs don't need to be as concerned with exposing anything that way, but aside from that I don't really understand this angle.

[fny]

Ah, good ol' security via obscurity. I bet they don't want you to know about `var SUPER_SECRET_ENCRYPTION_KEY = ` or the inner workings of some crappy client DRM.

The only case where I'd think it makes any sense is for protecting programming work from simple replication. While it isn't particularly hard to break client-side security bogus, its difficult to turn a minified mess into comprehensible code.

[paulddraper]

> What kinds of secrets are able to be hidden via obfuscation?

Source code is very effectively hidden by obfuscation.

If that were not true, GNU and open-source and GPL would not exist.

---

Regardless, another important thing is not to download source maps onto client's machines, as that defeats the whole point of minification.

Decoding stack traces server-side dedups work and doesn't impose an unnecessary performance burden on users.

[WorldMaker]

> Regardless, another important thing is not to download source maps onto client's machines, as that defeats the whole point of minification.

Browsers don't download source map files unless the developer tools are opened. If your client is using your app with the dev tools open you may have other problems that have nothing to do with performance.