docs/config/browser/api.md
Type: number | object
Default: 63315
CLI: --browser.api=63315, --browser.api.port=1234, --browser.api.host=example.com

Configure options for the Vite server that serves code in the browser. Does not affect the test.api option. By default, Vitest assigns port 63315 to avoid conflicts with the development server, allowing you to run both in parallel.
Type: boolean
Default: true if not exposed to the network, false otherwise

Vitest saves annotation attachments, artifacts and snapshots by receiving a WebSocket connection from the browser. This allows anyone who can connect to the API to write arbitrary code on your machine within the root of your project (configured by fs.allow). This option also gates privileged browser APIs that can write files indirectly, such as raw Chrome DevTools Protocol access through cdp().
If the browser server is not exposed to the internet (the host is localhost), this should not be a problem, so the default value in that case is true. If you override the host, Vitest sets allowWrite to false by default to prevent potentially harmful writes.
Type: boolean
Default: true if not exposed to the network, false otherwise

Allows running any test file via the UI. This applies to the interactive elements (and the server code behind them) in the UI that can run the code. This option also gates privileged browser APIs that can execute code indirectly, such as raw Chrome DevTools Protocol access through cdp(). See api.allowExec for more information.
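A config check built on the defaults described above, as an added example that is not Vitest's own code: it resolves the `number | object` form and flags settings that re-enable write or exec access on a non-local host. The names `resolveBrowserApi`, `auditBrowserApi` and `LOCAL_HOSTS` are hypothetical, and the set of hosts treated as local (and `localhost` as the host when none is set) is an assumption, since the page names only localhost.

```javascript
// Added example, not Vitest source. LOCAL_HOSTS is an assumption: the page
// only names localhost as the "not exposed" case.
const LOCAL_HOSTS = new Set([undefined, 'localhost', '127.0.0.1', '::1']);
const DEFAULT_PORT = 63315; // default port stated on this page

// browser.api is `number | object`; a bare number is the port.
function resolveBrowserApi(api) {
  const opts = typeof api === 'number' ? { port: api } : { ...(api ?? {}) };
  const exposed = !LOCAL_HOSTS.has(opts.host);
  return {
    port: opts.port ?? DEFAULT_PORT,
    host: opts.host ?? 'localhost', // assumed host when none is configured
    exposed,
    // Documented default: true if not exposed to the network, false otherwise.
    allowWrite: opts.allowWrite ?? !exposed,
    allowExec: opts.allowExec ?? !exposed,
  };
}

// Report configs that explicitly re-enable privileged APIs on an exposed host.
function auditBrowserApi(api) {
  const r = resolveBrowserApi(api);
  const findings = [];
  if (r.exposed && r.allowWrite) {
    findings.push(`allowWrite is true with host ${r.host}: anyone who can connect can write files under the project root`);
  }
  if (r.exposed && r.allowExec) {
    findings.push(`allowExec is true with host ${r.host}: anyone who can connect can run test files`);
  }
  return findings;
}

// Constructed sample configs, not taken from a real project.
const samples = {
  portOnly: 1234,
  hostOverride: { host: '0.0.0.0' },
  risky: { host: '0.0.0.0', allowWrite: true, allowExec: true },
};
for (const [name, api] of Object.entries(samples)) {
  console.log(name, resolveBrowserApi(api), auditBrowserApi(api));
}
```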