Production browser source maps enabled
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
productionBrowserSourceMaps: true publishes readable source maps for the client bundle to production, exposing your original source, comments, and internal structure to anyone who opens dev tools.
Why it matters
productionBrowserSourceMaps: true ships full source maps for the client bundle to production. Anyone can open dev tools and read your original, unminified source, including comments, internal names, and the structure of any client-side logic you assumed was obfuscated. It also increases the bytes served.
How to fix it
Remove productionBrowserSourceMaps (it defaults to false) so maps are not published. If you need source maps for error monitoring, upload them privately to your error tracker (Sentry and similar tools support this) instead of serving them from the site.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo