Pages Functions sourcemaps are public - how to disable?

For Workes & Pages, what is the name of the domain?

example.com

What is the issue or error you’re encountering

The sourcemap for my server-side Pages Functions is uploaded and is accessible at domain.com/_worker.js.map. This reveals the server-side source code for my Pages Functions, which is a security issue.

What steps have you taken to resolve the issue?

I’m developing a site with SvelteKit adapter-cloudflare.

I noticed the sourcemap for my server-side Pages Functions is uploaded and is accessible at domain.com/_worker.js.map. This reveals the server-side source code for my Pages Functions, which is a security issue.

How do I disable this behaviour? Either by not producing server-side sourcemaps at all, or not making them publicly accessible. (_worker.js is not publicly accessible, but _worker.js.map is).

I tried setting upload_source_maps = false in wrangler.toml but that has no effect. The project is built and deployed by Cloudflare on their servers on every push to github.

This appears to be fixed by removing the routes key from svelte.config.js.

/** @type {import('@sveltejs/kit').Config} */
const config = {
    preprocess: vitePreprocess(),
    kit: {
        adapter: adapter({
            // routes: {
            //     include: ["/api/*"],
            //     exclude: ["<all>"],
            // },
            fallback: "spa",
            platformProxy: {
                configPath: "wrangler.toml",
                environment: undefined,
                experimentalJsonConfig: false,
                persist: true,
            },
        }),
    },
}

export default config

1 Like

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.