Why this matters
Public source maps leak implementation details and ease reverse engineering.
Do not expose full, unminified source maps publicly in production. If source maps are required for error tracking, serve them behind authentication or IP allowlists and set "X-Robots-Tag: noindex".
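An added example of the gated-access pattern this rule describes, written here for illustration and not taken from the original page: a Go middleware that lets *.map files through only to an allow-listed network presenting a shared bearer token, and marks every .map response noindex. The allow-listed CIDRs and the token are constructed placeholders.

```go
package main

import (
	"crypto/subtle"
	"net"
	"net/http"
	"strings"
)

// Constructed values; a real deployment loads these from configuration.
var (
	allowedNets  = []string{"10.0.0.0/8", "192.168.1.0/24"} // error-tracking service
	mapAuthToken = "error-tracker-token-EXAMPLE"            // shared secret it presents
)

// clientAllowed reports whether remoteAddr ("ip:port") is in an allow-listed network.
// It trusts RemoteAddr only (not X-Forwarded-For): a proxy in front must enforce the list itself.
func clientAllowed(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	ip := net.ParseIP(host)
	if err != nil || ip == nil {
		return false
	}
	for _, cidr := range allowedNets {
		if _, n, err := net.ParseCIDR(cidr); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// gateSourceMaps wraps next so that *.map files reach only allow-listed clients
// presenting the shared token; every .map response is marked noindex.
func gateSourceMaps(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasSuffix(r.URL.Path, ".map") {
			next.ServeHTTP(w, r) // ordinary assets are unaffected
			return
		}
		w.Header().Set("X-Robots-Tag", "noindex")
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		tokOK := subtle.ConstantTimeCompare([]byte(tok), []byte(mapAuthToken)) == 1
		if !clientAllowed(r.RemoteAddr) || !tokOK {
			w.Header().Set("Cache-Control", "no-store") // a 401 must not be cached
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Wrap the static file server with gateSourceMaps (e.g. `http.Handle("/assets/", gateSourceMaps(http.FileServer(...)))`); the allowlist check applies only to the path suffix, so it must sit in front of the file server rather than on a separate route.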
Side-by-side examples engineers can pattern-match during review.
Don't: serve .map publicly (world-readable source map)

  GET /assets/app.9c1a7b.js.map
  200 OK

Do: gate source map access

  GET /assets/app.9c1a7b.js.map
  401 Unauthorized
  X-Robots-Tag: noindex

From the same buckets as this rule:
All static JS/CSS/font/image files MUST use content-hashed filenames (e.g., app.9c1a7b.js) and be served with "Cache-Control: public, max-age=31536000, immutable". HTML and other non-fingerprinted documents MUST be served with "Cache-Control: no-cache" (or equivalent) to enable conditional revalidation.
Serve text-based assets (JS, CSS, JSON, SVG) with Brotli (br) when the client sends "Accept-Encoding: br", and fall back to gzip otherwise. Always set "Vary: Accept-Encoding", and do NOT compress already-compressed formats (e.g., .png, .jpg, .woff2).