Source Map Checker
Check any public website for exposed JavaScript source maps and debug artefacts that could leak source code.
Speed up your recruitment workflow
URLCV automates CV parsing, candidate scoring, and shortlist generation — so you can place more candidates, faster.
JavaScript Security Check
Check for exposed source maps and debug artefacts
Enter a URL to scan its JavaScript assets for source map references, accessible .map files,
and other debug clues that could expose your original source code.
- Checks the first page load only — JS loaded dynamically or behind auth is not scanned.
- Up to 30 script assets are checked per scan.
- Some sites may block automated requests — a missing result does not mean the asset is safe.
- This is a lightweight public check, not a full security assessment or penetration test.
A clear list of exposed source maps, debug artefacts, and path leaks with evidence.
Exposed source maps let anyone reconstruct your original code, see internal paths, and find vulnerabilities.
Developers, security engineers, pentesters, agencies, and founders checking production sites.
Fetching page and checking JavaScript assets...
This usually takes 5–15 seconds depending on the number of scripts.
None of the JavaScript assets on this page appear to reference accessible source maps or contain obvious debug indicators.
- Remove or restrict access to .map files — configure your web server or CDN to block requests to
.mapfiles, or exclude them from your production build. - Strip sourceMappingURL comments — use your build tool's production config to remove
sourceMappingURLdirectives from bundled JS (e.g.devtool: falsein webpack). - Clean up path references — configure your bundler to strip or rewrite internal paths so local filesystem details are not exposed.
- Re-scan after changes — deploy your fix and run this check again to confirm the source maps are no longer accessible.
Enter a URL above to check for exposed source maps.
Works on any public HTTPS website.
Source Map Checker
Enter a URL to scan for exposed JavaScript source maps and related debug artefacts.
Source maps (.map files) are generated during build processes to help developers debug minified code. When left publicly accessible on production sites, they can expose your original source code, internal file paths, API endpoints, comments, and other sensitive information.
What this tool checks
- sourceMappingURL directives —
//# sourceMappingURL=...comments inside JavaScript files - Accessible
.mapfiles — whether the referenced source map files are publicly downloadable - Debug artefact clues — filenames containing
dev,debug,hot-update, or other build-time indicators - Path leakage — local file paths or webpack-style paths exposed in accessible source maps
- Source content exposure — whether full original source code is embedded inside source maps
Who this is for
- Developers checking their own production deploys
- Security engineers performing reconnaissance or hardening reviews
- Pentesters looking for exposed debug artefacts
- Agency teams auditing client websites
- Founders checking their site before launch