Privacy / security question: should css source maps be included in the public directory, since they can surface local dev paths?

Hi there,

I am new to the Hugo community, and I’ve been enjoying the framework immensely so far. I am very thankful that it exists!

After publishing my first static site, I was surprised to see that a file, /public/main.css.map had been deployed, listing the absolute path to my project in the dev environment under the key sourceRoot. For example, a value like /home/fancy-system-username/hugo-project gets printed there.

Generally, it seems like a potential privacy and / or security concern to be able to see information about the local development file system on the web.

I don’t often work on the front end of things, and did some digging into what main.css.map is, since I’m not familiar with it. According to the Sass documentation, it appears this file is typically used for development debugging.

If it only serves a debugging function, then should “*.css.map” be filtered from the public directory entirely, since a developer may inadvertently publish their local dev path to the project? Or perhaps filtered out when running hugo deploy?

ignore .map

Yes, and I think it’s a common pattern to do something like this in your templates:

{{ $options := (dict "targetPath" "style.css" "enableSourceMap" (eq hugo.Environment "development")) }}
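
A pre-deploy check for the leak discussed in this thread, as an added example that is not part of the original posts or of Hugo itself: it walks the publish directory, parses every `*.map` file, and reports any `sourceRoot` or `sources` entry that is an absolute local path. The function names and the sample maps are constructed for illustration; only the `sourceRoot` key and the example path come from the question.

```python
import json
import re
import tempfile
from pathlib import Path

# Absolute local paths: POSIX (/home/...), Windows drive (C:\...), file:// URLs.
ABSOLUTE = re.compile(r"^(?:/|[A-Za-z]:[\\/]|file://)")


def leaked_paths(map_text):
    """Return the absolute local paths exposed by one source map's JSON text."""
    try:
        data = json.loads(map_text)
    except json.JSONDecodeError:
        return []  # not parseable as a source map; nothing to report
    if not isinstance(data, dict):
        return []
    sources = data.get("sources")
    candidates = [data.get("sourceRoot")] + (sources if isinstance(sources, list) else [])
    return [c for c in candidates if isinstance(c, str) and ABSOLUTE.match(c)]


def scan_public(public_dir):
    """Map each *.map file under public_dir to the absolute paths it exposes."""
    findings = {}
    for path in sorted(Path(public_dir).rglob("*.map")):
        hits = leaked_paths(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[path.relative_to(public_dir).as_posix()] = hits
    return findings


def demo():
    """Scan a constructed public/ tree holding one leaking and one clean map."""
    # Constructed sample; the sourceRoot value is the example given in the post.
    leaking = {"version": 3, "file": "main.css", "names": [], "mappings": "",
               "sourceRoot": "/home/fancy-system-username/hugo-project",
               "sources": ["assets/main.scss"]}
    clean = {"version": 3, "file": "other.css", "names": [], "mappings": "",
             "sourceRoot": "", "sources": ["main.scss"]}
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "main.css.map").write_text(json.dumps(leaking))
        Path(tmp, "css").mkdir()
        Path(tmp, "css", "other.css.map").write_text(json.dumps(clean))
        return scan_public(tmp)


if __name__ == "__main__":
    for name, paths in demo().items():
        print(f"{name}: {', '.join(paths)}")
```

Calling `scan_public("public")` after a build and failing the deploy step when the result is non-empty catches a map that slipped through even when source maps are meant to be disabled outside development.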