How to stop exposing source code of react in developer tools of browser?

Asked 21/11, 2019 at 7:1 Answered 19/4, 2023 at 18:16

Solved reactjs asp.net-core google-developer-tools

I'm developing project in ASP.NET Core and React. In testing, I came across one big security issue. Source files of react get expose in google developer tools. I have tried to remove webpack source maps but that thing didn't work for me and the reason is they have not mentioned in which webpack folder do we need to make change as there are 6 folder containing webpack. I'm new to this stack and not getting how to deal with this flaw. How can I fix this issue?

Sander answered 21/11, 2019 at 7:1 Comment(12)

All clientside code is exposed. Treat it so, there is no remedy for that. Keep any secrets serverside. – Eclipse 21/11, 2019 at 7:3

Well, you can't just remove the code from the browser, the browser needs the code to be there. You need to mangle, minify, and bundle your code. And as @Eclipse said, any secrets should be on the server. – Digester 21/11, 2019 at 7:4

@Baruch: Mangling, minifying and bundling can be reversed (except for local variable names). One should not depend on security through obscurity. Anyone moderately determined and competent will not be defeated by minification. – Eclipse 21/11, 2019 at 7:5

@Eclipse Yes clientside code gets expose but lots of logic resides in client code including information about cookies, values stored in localstorage and the logic of how those values are mapped is also resides in that code and exposing complete file would be big threat – Sander 21/11, 2019 at 7:11

@Digester Minification code can be reversed. – Sander 21/11, 2019 at 7:11

Then rethink what you want to put into cookies and localsorage, and move the logic to the server. There is no way to secure the clientside info. Everything your browser knows, the user of the browser can know as well. – Eclipse 21/11, 2019 at 7:12

@Eclipse Does removing sourcemaps would work? – Sander 21/11, 2019 at 7:13

No. This is not a matter of source maps, nor is it particular to React — it is the fact of life in any client-server architecture. Never tell the client anything you're not willing for the client user to know. E.g. one might ask "why do they allow hacking in League of Legends / Dark Souls / <any online game>", but the game is a client, and a sufficiently determined hacker can always subvert it. The only way to be secure is keeping your secrets in the server. – Eclipse 21/11, 2019 at 7:14

Your production build will not show the codings in developer tools. You can configure those in webpack – Thetos 21/11, 2019 at 7:24

@karthikvishnukumar how can I do that? – Sander 21/11, 2019 at 7:30

Take a look at this link webpack.js.org/guides/production – Thetos 21/11, 2019 at 7:38

My guess is that you don't include source maps when you publish your app with release config. Everyone telling you you should mess with webpack config must have missed that you have an asp.net app. Without sourcemaps the browser still has all your code so you should not store secret information in JavaScript; with or without minification or source maps. – Telescopy 21/11, 2019 at 8:56

Its very easy and its possible to hide complete source code which gets expose to end user in developer tools. You need to update package.json file from ClientApp folder.

Before updation

    "scripts": {
    "start": "react-scripts start",
    "build": "react-scripts build",    //UPDATE THIS LINE
    "test": "react-scripts test --env=jsdom",
    "eject": "react-scripts eject"
    }

You need to use following code instead of above code:

After updation

    "scripts": {
    "start": "react-scripts start",
    "build": "rimraf ./build && react-scripts build && rimraf ./build/**/*.map",
    "test": "react-scripts test --env=jsdom",
    "eject": "react-scripts eject"
    }

Above code worked for me. This thread helped me in achieving my goal. For more details you can check that as well.

Sander answered 21/11, 2019 at 13:22 Comment(0)

I had the same issue. This is how I fixed it. Create a file called .env in the src folder then add this code GENERATE_SOURCEMAP=false. Then run npm run build or yarn run build. This solved the issue for me

Blume answered 30/9, 2021 at 19:57 Comment(0)

You don't have to add new files to the project or remove .map files; you can also just set the environment variable GENERATE_SOURCEMAP to false either manually or by adding it to package.json before the build command:

Modifying package.json

Before:

  "scripts": {
    ...
    "build": "react-scripts build",
    ...
  },

After:

  "scripts": {
    ...
    "build": "GENERATE_SOURCEMAP=false react-scripts build",
    ...
  },

Manually

Run export GENERATE_SOURCEMAP=false before building in the same terminal.

Flense answered 19/4, 2023 at 18:16 Comment(1)

This one works for me nicely and it is simple enough, thanks. – Bryantbryanty 29/4 at 0:33

if you are using craco to build your project, use this

"scripts": {
    "start": "craco start",
    "build": "rimraf ./build && craco build && rimraf ./build/**/*.map",
  }

Hope this helps

Palanquin answered 19/8, 2022 at 7:32 Comment(0)

You can never hide your code on the browser. The best you can do is obfuscate your code. Here is a very useful video that explains your concern: https://www.youtube.com/watch?v=hOtZhNb4TKg
Also, use this as your reference: https://reactjs.org/docs/optimizing-performance.html#use-the-production-build

The crux of the above video is to keep your business logic and secrets on the server which is always secure.

Cavity answered 21/11, 2019 at 7:14 Comment(1)

Thank you for the video and link. I've seen that video which is saying what I'm asking is impossible. Better to keep secret code at server side is what that video saying. I'll check that documentation as well. – Sander 21/11, 2019 at 7:32

Recommended topics

Hot tags