Do not leak your codebase in private projects
Carlos Galarza @carloslfu

Publish Date: Sep 12 '18

Sometimes tech people forget to disable source-maps in production, especially when using the create-react-app project.

This might sound too basic, but I've seen this mistake so many times in private production projects.

TL;DR ... not really, this is a very small article

The create-react-app build command is not production ready: before publishing your project you should remove source-maps. This applies to any private web project, though, so be careful and take a look at your production code; you may be leaking the whole codebase.

Related issue: https://github.com/facebook/create-react-app/issues/2005
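
One way to check a build output before deploying, as an added example that is not from the original post or from create-react-app: this Node.js script walks a build directory and reports `.map` files and `sourceMappingURL` comments. The names `scanBuild` and `makeSampleBuild` and the sample build tree are constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Trailing comment that points a bundle at its map (JS "//#" and CSS "/*#" forms).
const MAP_COMMENT = /[#@]\s*sourceMappingURL=(\S+)/;

// Recursively collect everything in `dir` that exposes original sources.
function scanBuild(dir) {
  const findings = [];
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) {
      findings.push(...scanBuild(full));
    } else if (entry.name.endsWith('.map')) {
      // A map with `sourcesContent` carries the original files verbatim.
      let embedded = false;
      try {
        const map = JSON.parse(fs.readFileSync(full, 'utf8'));
        embedded = Array.isArray(map.sourcesContent);
      } catch (_) { /* not valid JSON: still report the file */ }
      findings.push({ file: full, kind: embedded ? 'map-with-sources' : 'map-file' });
    } else if (/\.(js|css)$/.test(entry.name)) {
      const m = MAP_COMMENT.exec(fs.readFileSync(full, 'utf8'));
      if (m) {
        // A data: URI means the whole map is inlined in the bundle itself.
        const kind = m[1].startsWith('data:') ? 'inline-map' : 'map-reference';
        findings.push({ file: full, kind });
      }
    }
  }
  return findings;
}

// Constructed sample build tree (not taken from any real project).
function makeSampleBuild() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'build-'));
  const js = path.join(root, 'static', 'js');
  fs.mkdirSync(js, { recursive: true });
  fs.writeFileSync(path.join(js, 'main.js'), 'var a=1;\n//# sourceMappingURL=main.js.map\n');
  fs.writeFileSync(path.join(js, 'main.js.map'), JSON.stringify({
    version: 3, sources: ['src/App.js'], sourcesContent: ['const x = 1;'], mappings: '',
  }));
  fs.writeFileSync(path.join(js, 'clean.js'), 'var b=2;\n');
  return root;
}

// Print one line per finding; a CI step could fail the deploy if any exist.
scanBuild(makeSampleBuild()).forEach(f => console.log(`${f.kind}\t${f.file}`));
```

For create-react-app specifically, setting the `GENERATE_SOURCEMAP=false` environment variable for the build stops the maps from being emitted in the first place.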

Comments 3 total

  • Cristian Pallarés, Sep 13, 2018

    I guess it just depends on the nature of your app. JavaScript source code is easily beautified back again (without any sourcemap), so maybe it isn't even worth removing them. Having the sourcemaps available improves Sentry reports, for example.

    • Felicitas Pojtinger, Sep 13, 2018

      Also, it respects your user's freedom. And it makes reporting bugs by a casual dev much simpler ;)

    • Carlos Galarza, Sep 14, 2018

      I agree, there is no such thing as full security, neither in the frontend nor in your backend systems. What really makes the difference is the number of layers you have, but systems can always be broken. So not leaking your codebase in a readable manner is another security layer you can have. From a developer's perspective, the real value of a codebase is the time you put into organizing it, naming things (a hard part), and giving structure and meaning to your code, not so much the code itself as a sequence of statements. So, if your code is readable and understandable, it is also easy to reuse, and then it becomes a business concern, because if you leak this type of code, anyone can copy & paste and reuse your components, and I think business people are not going to be so happy about this. I think for this reason companies like Facebook do not leak their code in this way; if they want to share those valuable assets, they do it in a way that lets them gain some value and not lose some competitive advantage.
