| 1 | +# Source Maps |
| 2 | + |
| 3 | +Date: 2023-06-14 |
| 4 | + |
| 5 | +Status: accepted |
| 6 | + |
| 7 | +## Context |
| 8 | + |
| 9 | +If you're unfamiliar with source maps, check out |
| 10 | +[What are source maps?](https://web.dev/source-maps/) on web.dev. |
| 11 | + |
| 12 | +For anyone familiar with source maps, it's pretty obvious that you do want these |
| 13 | +in production for debugging purposes (read |
| 14 | +[Should I Use Source Maps in Production? ](https://css-tricks.com/should-i-use-source-maps-in-production/)). |
| 15 | +However, when you enable source maps with Remix, you get a warning that looks |
| 16 | +like this: |
| 17 | + |
| 18 | +``` |
| 19 | +> remix build --sourcemap |
| 20 | +
|
| 21 | +Building Remix app in production mode... |
| 22 | +
|
| 23 | +⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️ |
| 24 | +You have enabled source maps in production. This will make your server-side code visible to the public and is highly discouraged! If you insist, please ensure you are using environment variables for secrets and not hard-coding them into your source! |
| 25 | +⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️ |
| 26 | +``` |
| 27 | + |
| 28 | +It's pretty well understood that source maps allow your code to be visible to |
| 29 | +the public and yet it's still pretty well understood that's fine because |
| 30 | +client-side apps send the code anyway and that can typically be reverse |
| 31 | +engineered (especially with the help of modern AI tools as well). |
| 32 | + |
| 33 | +The reason it's a special concern for some frameworks like Remix today is |
| 34 | +because the source maps for the client-side code include some of the server-side |
| 35 | +code as well. This is because Remix and other frameworks like it have the |
| 36 | +ability for you to write your server code in the same file as your browser code. |
| 37 | + |
| 38 | +The ability for the public to view your server-side code understandably raises |
| 39 | +some concerns for folks. This is especially dangerous if you have secrets |
| 40 | +hard-coded into your server-side code. Additionally, if you're exercising |
| 41 | +"security through obscurity" then you may be vulnerable to attacks if your |
| 42 | +server-side code is visible. |
| 43 | + |
| 44 | +On the flip side, you really shouldn't be hard-coding secrets into your |
| 45 | +server-side code anyway. You should be using environment variables for that. |
| 46 | +Additionally, if you're relying on "security through obscurity" then you're |
| 47 | +probably not as secure as you think you are. |
| 48 | + |
| 49 | +Also, source maps are necessary for error monitoring with tools like Sentry. |
| 50 | +Without source maps, you'll only see the minified code in your error monitoring |
| 51 | +tools. This makes it much harder to debug errors in production. And if you're |
| 52 | +debugging your application in production you'll also be limited to minified code |
| 53 | +as well. |
| 54 | + |
| 55 | +It may be possible to generate the source maps and make them available to |
| 56 | +Sentry, but then prevent them from being sent to the client. More research is |
| 57 | +needed to determine whether this is possible. |
| 58 | + |
| 59 | +## Decision |
| 60 | + |
| 61 | +We've decided to enable source maps in production by default. This will allow |
| 62 | +for better error monitoring and debugging in production. It will also allow for |
| 63 | +easier debugging of server-side code in production. |
| 64 | + |
| 65 | +## Consequences |
| 66 | + |
| 67 | +Developers using the Epic Stack will see an warning message during the build and |
| 68 | +if they don't practice good secret "hygiene" they may be vulnerable to attacks. |
| 69 | +So we'll add documentation explaining how to properly use environment variables |
| 70 | +for secrets and not hard-code them into your source code. |
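Review bot: the open question at lines 55-57 ("It may be possible to generate the source maps and make them available to Sentry, but then prevent them from being sent to the client. More research is needed") should be resolved before this ADR is recorded as accepted, because the answer removes the trade-off the Decision is built on. The reason the client maps leak server code is that esbuild writes each route module's original text into `sourcesContent`, so every loader and action that shares a file with browser code appears verbatim in the public `.map`. The standard pattern is to build with `--sourcemap`, upload the maps to Sentry with `sentry-cli` as release artifacts, then delete `public/build/**/*.map` before the deployable image is built; Sentry still symbolicates client errors and nothing served to browsers contains the server-side source (a leftover `//# sourceMappingURL` comment that 404s is harmless). The Decision at lines 61-63 also claims public maps "allow for easier debugging of server-side code in production", but server stack traces are symbolicated from the server build's own map on disk, which is never served; only the client maps are at issue, so that line does not justify shipping them. Suggest amending the Decision to "enable source maps, upload them to the error monitor, and strip them from the public build directory" and documenting that step in Consequences alongside the env-var guidance, since "use environment variables" alone does not cover internal endpoints, queries and validation logic that the maps expose. Style nits: line 67 "an warning message" should be "a warning message", and the link text on line 14 has a trailing space before the closing bracket.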