Skip to main content
Playwright MCP is not a security boundary. Follow proper security practices when deploying.
See MCP Security Best Practices for comprehensive guidance on securing your MCP deployment.

Security Considerations

Network Access Control

Playwright MCP provides origin filtering to control which websites the browser can access. However, these controls do not serve as a security boundary.
Origin filtering does not serve as a security boundary and does not affect redirects.

Allowed Origins

Specify trusted origins the browser is allowed to request: 
{
  "mcpServers": {
    "playwright": {
      "command": "npx",
      "args": [
        "@playwright/mcp@latest",
        "--allowed-origins",
        "https://example.com:8080;http://localhost:*"
      ]
    }
  }
}
Supported formats:
  • Full origin: https://example.com:8080 - matches only that origin
  • Wildcard port: http://localhost:* - matches any port on localhost with http protocol

Blocked Origins

Specify origins to block. Blocklist is evaluated before allowlist: 
{
  "mcpServers": {
    "playwright": {
      "command": "npx",
      "args": [
        "@playwright/mcp@latest",
        "--blocked-origins",
        "https://malicious.com;https://tracking.com"
      ]
    }
  }
}
Origins matching both allowedOrigins and blockedOrigins will be blocked.

File System Access

By default, file system access is restricted to workspace root directories (or current working directory if no roots are configured). Navigation to file:// URLs is also blocked.

Unrestricted File Access

Only enable unrestricted file access in trusted environments.
To allow access to files outside workspace roots: 
{
  "mcpServers": {
    "playwright": {
      "command": "npx",
      "args": [
        "@playwright/mcp@latest",
        "--allow-unrestricted-file-access"
      ]
    }
  }
}
This also allows unrestricted access to file:// URLs.

Secrets Management

Secrets are used to prevent the LLM from getting sensitive data while automating scenarios such as authentication.
Prefer browser.contextOptions.storageState over secrets file as a more secure alternative.

Using Secrets File

{
  "mcpServers": {
    "playwright": {
      "command": "npx",
      "args": [
        "@playwright/mcp@latest",
        "--secrets",
        "path/to/secrets.env"
      ]
    }
  }
}
The secrets file should be in dotenv format: 
API_KEY=secret123
PASSWORD=mypassword

Host Validation

The server validates the Host header to prevent DNS rebinding attacks. By default, only the host the server is bound to is allowed.

Custom Allowed Hosts

{
  "mcpServers": {
    "playwright": {
      "command": "npx",
      "args": [
        "@playwright/mcp@latest",
        "--allowed-hosts",
        "example.com,localhost"
      ]
    }
  }
}
Pass '*' to disable the host check (not recommended in production).

Service Workers

Block service workers to prevent background script execution: 
{
  "mcpServers": {
    "playwright": {
      "command": "npx",
      "args": [
        "@playwright/mcp@latest",
        "--block-service-workers"
      ]
    }
  }
}

Isolation Strategies

Docker Isolation

For stronger isolation, run Playwright MCP in a Docker container. See the Docker guide for details.

Isolated Browser Contexts

Use isolated mode to ensure no persistent state between sessions: 
{
  "mcpServers": {
    "playwright": {
      "command": "npx",
      "args": [
        "@playwright/mcp@latest",
        "--isolated"
      ]
    }
  }
}

Sandbox Mode

Enable browser sandbox for additional process isolation: 
{
  "mcpServers": {
    "playwright": {
      "command": "npx",
      "args": [
        "@playwright/mcp@latest",
        "--sandbox"
      ]
    }
  }
}
In Docker environments, you may need to use --no-sandbox due to kernel restrictions.

Best Practices

Run Playwright MCP in a containerized environment to limit the blast radius of potential security issues.
Only enable --allow-unrestricted-file-access when absolutely necessary and in trusted environments.
Enable --isolated to ensure no persistent state between sessions when running untrusted automation.
Use storage state files instead of passing secrets directly. Store sensitive files outside the workspace.
While not a security boundary, origin filtering can help prevent accidental access to unexpected resources.
Use --save-session and --save-trace to maintain audit logs of browser automation activity.