Vercel gates source maps behind authentication

Vercel has rolled out Protected Source Maps, restricting access to .map files behind Vercel Authentication [Vercel Changelog]. Only users with explicit deployment access can retrieve source maps, blocking public exposure of original source code in production environments.

Source maps are routinely uploaded to production to aid debugging but are often left publicly accessible — a practice that exposes application logic, file paths, and third-party dependencies to attackers. With this update, Vercel ensures that source maps are no longer served to unauthenticated users, closing a long-standing security blind spot in the frontend toolchain.

The feature applies automatically to deployments on Pro and Enterprise plans when authentication is configured. Developers no longer need to manually strip or block .map files in production, reducing reliance on custom middleware or post-processing scripts to mitigate leakage.

This move shifts responsibility from developers to the platform, aligning with broader industry efforts to secure build artifacts by default. While competitors like Netlify and Cloudflare offer similar controls through rules or redirects, Vercel integrates the protection natively into its authentication layer, tightening the link between deployment access and debugging privileges [Vercel Changelog].