# no-unsafe-server-options

Disallow Vite server and preview options that weaken host, origin, or filesystem protections.

Rule catalog ID: R011
## Targeted pattern scope

- `vite.config.*`
- `vitest.config.*` when Vite server options are shared there
- `server.*` and `preview.*` config branches
## What this rule reports

This rule reports high-risk boolean shortcuts such as:

- `server.allowedHosts: true`
- `preview.allowedHosts: true`
- `server.cors: true`
- `preview.cors: true`
- `server.fs.strict: false`
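The detection this rule performs, shown as an added example that is not the plugin's own code: a small JavaScript checker that walks a plain config object and reports exactly the five boolean shortcuts listed above. The real ESLint rule works on the source AST of `vite.config.*`; the object-walking approach and the names `findUnsafeServerOptions` and `getPath` are assumptions made for this illustration, and the two sample configs are constructed to mirror the Incorrect and Correct snippets on this page.

```javascript
// Added example, not the plugin's implementation: check a resolved Vite config
// object for the boolean shortcuts that no-unsafe-server-options reports.

// Dotted paths of the reported settings, paired with the value that is unsafe.
const UNSAFE_OPTIONS = [
  { path: "server.allowedHosts", unsafe: true },
  { path: "preview.allowedHosts", unsafe: true },
  { path: "server.cors", unsafe: true },
  { path: "preview.cors", unsafe: true },
  { path: "server.fs.strict", unsafe: false },
];

// Follow a dotted path through nested plain objects. Returns undefined as soon
// as a segment is missing, so options that are simply absent are never reported
// (Vite's defaults for these settings are the safe ones).
function getPath(obj, path) {
  return path.split(".").reduce(
    (cur, key) => (cur !== null && typeof cur === "object" ? cur[key] : undefined),
    obj,
  );
}

// Return one finding per unsafe shortcut present in the config.
// Strict equality matters: `allowedHosts: ["host"]` or `cors: { origin: ... }`
// are explicit allowlists and must not be flagged.
function findUnsafeServerOptions(config) {
  const findings = [];
  for (const { path, unsafe } of UNSAFE_OPTIONS) {
    const value = getPath(config, path);
    if (value === unsafe) {
      findings.push({
        path,
        value,
        message: `${path}: ${String(value)} weakens a built-in Vite safeguard; use an explicit allowlist or keep the default`,
      });
    }
  }
  return findings;
}

// Constructed sample: every shortcut enabled (mirrors the Incorrect snippet).
const incorrectConfig = {
  preview: { allowedHosts: true, cors: true },
  server: { allowedHosts: true, cors: true, fs: { strict: false } },
};

// Constructed sample: explicit allowlists only (mirrors the Correct snippet).
const correctConfig = {
  preview: {
    allowedHosts: ["preview.internal.example.com"],
    cors: { origin: ["https://preview.internal.example.com"] },
  },
  server: {
    allowedHosts: ["app.internal.example.com"],
    cors: { origin: /^https?:\/\/(localhost|127\.0\.0\.1)(?::\d+)?$/ },
    fs: { allow: [".."], strict: true },
  },
};

// Usage: five findings for the incorrect config, none for the correct one.
for (const finding of findUnsafeServerOptions(incorrectConfig)) {
  console.log(finding.message);
}
console.log(findUnsafeServerOptions(correctConfig).length); // 0
```

Because the checker compares with strict equality against the specific unsafe value, it does not report a config that leaves these options unset, nor one that replaces the boolean with an allowlist, which is the migration this rule's Correct example recommends.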
## Why this rule exists

Vite's server settings include security-sensitive shortcuts that are convenient during local experiments but risky once they become committed defaults. `allowedHosts: true` accepts requests for any `Host` header, `cors: true` answers cross-origin requests from any origin, and `fs.strict: false` lets the dev server serve files outside its allow list.

Wildcard hosts, fully open CORS, and a disabled filesystem sandbox make it easier to expose source code or unexpected files during development and preview.
### ❌ Incorrect

```ts
import { defineConfig } from "vite";

export default defineConfig({
  preview: {
    allowedHosts: true,
    cors: true,
  },
  server: {
    allowedHosts: true,
    cors: true,
    fs: {
      strict: false,
    },
  },
});
```
### ✅ Correct

```ts
import { defineConfig } from "vite";

export default defineConfig({
  preview: {
    allowedHosts: ["preview.internal.example.com"],
    cors: {
      origin: ["https://preview.internal.example.com"],
    },
  },
  server: {
    allowedHosts: ["app.internal.example.com"],
    cors: {
      origin: /^https?:\/\/(localhost|127\.0\.0\.1)(?::\d+)?$/,
    },
    fs: {
      allow: [".."],
      strict: true,
    },
  },
});
```
## Behavior and migration notes

- Prefer explicit allowlists over `true` for both hosts and CORS.
- Keep `server.fs.strict` enabled and expand `server.fs.allow` deliberately when a monorepo or sibling package needs access.
- This rule focuses on documented Vite safeguards, not every possible networking preference.
## ESLint flat config example

```js
import vite from "@typpi/eslint-plugin-vite";

export default [vite.configs.configs, vite.configs.strict];
```
## When not to use it

Disable this rule only if your project intentionally accepts these broader attack surfaces in committed config and your team has reviewed that tradeoff.