feature insight

Vercel puts production source maps behind authentication with Protected Source Maps

Vercel launched Protected Source Maps so browser `.map` files return 404 to the public while staying available to authenticated team members. The feature is enabled by default for new projects and can be turned on for existing ones without redeploying.

Published May 14, 2026 Updated May 16, 2026 1 sources

VercelProtected Source Mapssecuritysecurity featuremedium impact

securitydeveloper-platformssource-mapssecurity feature

Impact: medium
Confidence: 95%
Change type: security feature
First seen: May 14, 2026
Last updated: May 16, 2026
Audience: security-teamsfrontend-teamsplatform-engineers
Status: Published

Summary

Vercel launched Protected Source Maps so browser .map files return 404 to the public while staying available to authenticated team members. The feature is enabled by default for new projects and can be turned on for existing ones without redeploying.

What changed

Vercel introduced Protected Source Maps to restrict production browser source maps to authenticated team access.

Why it matters

This reduces a common exposure point where source maps aid debugging but also reveal readable production code. Shipping it as a platform default suggests source-map protection is becoming baseline hygiene.

Evidence excerpt

Vercel says Protected Source Maps put browser .map files behind authentication, with new projects enabled by default.

Sources

vercel.com