Source Map Revealer


Checks every loaded JavaScript file for sourceMappingURL references, fetches the .map files, and exposes the original unminified source code, complete file tree, internal directory structure, and developer comments. Source maps shipped to production are one of the most overlooked information leaks on the web.

Drag to your bookmarks bar:

🗺️ Reveal Source Maps
1. Install — drag to bookmarks bar
2. Visit any website
3. Click — checks every loaded JS file for leaked source maps

Runs on any website — all processing in your browser.


Source Map Revealer

Source maps are debugging files that map minified JavaScript back to its original source code. When shipped to production — which happens more often than developers realize — they expose the entire original codebase, internal file structure, developer comments, API routes, and business logic.

Why This Matters

Exposed source maps give attackers a complete view of the application architecture. They reveal internal paths, authentication logic, API integrations, third-party service configurations, and sometimes hardcoded credentials or API keys embedded in development comments.

sourceMappingURL
A comment at the end of minified JS files pointing to the .map file containing the original source code and file mapping.
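A check a developer can run over their own build output before deploying, as an added example that is not the bookmarklet's code: it finds the sourceMappingURL comment, resolves an external map URL or decodes an inline data: URI map, and lists which original files the map names and which carry full source text. The function names, the example.test URL and the sample map are constructed for illustration.

```javascript
// Added example (runs under Node). All names and sample data are constructed.
const SAMPLE_MAP = {                      // constructed source map, v3 layout
  version: 3,
  file: "app.min.js",
  sources: ["webpack:///src/auth/login.js", "webpack:///src/api/client.js"],
  sourcesContent: ["// TODO: remove test account\nexport function login() {}", null],
  mappings: ""
};
const SAMPLE_URL = "https://example.test/static/app.min.js";
const SAMPLE_CLEAN = "console.log(1);\n";
const SAMPLE_EXTERNAL = SAMPLE_CLEAN + "//# sourceMappingURL=app.min.js.map\n";
const SAMPLE_INLINE = SAMPLE_CLEAN + "//# sourceMappingURL=data:application/json;base64," +
  Buffer.from(JSON.stringify(SAMPLE_MAP)).toString("base64") + "\n";

// Return the last sourceMappingURL comment ("//#" or legacy "//@"), or null.
function findSourceMapRef(jsText, scriptUrl) {
  const re = /\/\/[#@]\s*sourceMappingURL=(\S+)/g;
  let match, last = null;
  while ((match = re.exec(jsText)) !== null) last = match[1];
  if (last === null) return null;
  if (last.startsWith("data:")) return { kind: "inline", dataUri: last };
  return { kind: "external", url: new URL(last, scriptUrl).href };
}

// Decode a map embedded in the script as a data: URI (base64 or URL-encoded).
function decodeInlineMap(dataUri) {
  const comma = dataUri.indexOf(",");
  const isBase64 = dataUri.slice(0, comma).endsWith(";base64");
  const body = dataUri.slice(comma + 1);
  return JSON.parse(isBase64 ? Buffer.from(body, "base64").toString("utf8")
                             : decodeURIComponent(body));
}

// List the original paths a map names and which of them carry full source text.
function summarizeMap(map) {
  const sources = Array.isArray(map.sources) ? map.sources : [];
  const content = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  return { sources, embedded: sources.filter((_, i) => typeof content[i] === "string") };
}

// Audit one built file: is a map referenced, and what would it disclose?
function auditScript(jsText, scriptUrl) {
  const ref = findSourceMapRef(jsText, scriptUrl);
  if (ref === null) return { exposed: false };
  if (ref.kind === "external") return { exposed: true, kind: "external", mapUrl: ref.url };
  return { exposed: true, kind: "inline", ...summarizeMap(decodeInlineMap(ref.dataUri)) };
}
```

An inline map is disclosed by the script file itself, so removing the separate .map file from the deployment does not help in that case.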

🗺️ Source Map Revealer — FAQ

How common are leaked source maps?

Very common. Many build tools (webpack, Vite, Rollup) generate source maps by default, and developers often deploy them to production accidentally.

Can it read cross-origin source maps?

No. It can read only same-origin scripts and their source maps; the browser blocks it from reading cross-origin scripts.

Is accessing source maps illegal?

Source maps served publicly are accessible to any browser. Discovering them is informational — using the code maliciously may have legal implications.

What should developers do?

Configure build tools to not generate source maps for production, or use tools like Sentry that upload source maps privately.

Does this modify anything on the site?

No — it only reads script files and fetches .map URLs. No data is modified or submitted.