Your team enabled full source maps on the production bundle so on-call can debug live errors, and a security reviewer flagged it. How do you weigh the observability benefit against the security concern, and what would you actually ship?

technical-conceptual · Senior level · software-engineering

What the interviewer is really asking

Assesses whether the candidate can navigate a real build-configuration trade-off between debuggability and exposure, landing on a concrete configuration rather than an absolute yes/no.

What to say

What to avoid

Example answers

Strong: Both sides are right, so I wouldn't pick one. Source maps make our error tool show real stack traces, which on-call genuinely needs. But serving them publicly exposes our whole source, and that's bitten companies when a stray .map file leaked. I'd generate hidden source maps so there's no comment pointing the browser at them, upload them privately to our monitoring provider, and make sure the build never deploys .map files to the public bucket so they can't be guessed and fetched.

Weak: Source maps are needed for debugging in production, so we should just keep them on. If security is worried we can revisit later, but on-call comes first and a leaked map isn't that big a deal.

Want questions matched to your role? Paste a job title, job description, or CV and get a personalized set, or go Pro to unlock the full bank.