
tessl-labs/aspnet-security-basics

Security defaults that belong in every ASP.NET Core application from day one.

Score: 87 (1.91x)
Quality: 83% (Does it follow best practices?)
Impact: 94%
Average score across 5 eval scenarios
Security by Snyk: Passed, no known issues


evals/scenario-3/criteria.json

{
  "context": "Tests whether the agent proactively adds security middleware when building an inventory management API. The task mentions an Angular dashboard on a different domain (CORS hint), role-based access (authorization hint), and bulk import (input validation and rate limiting hints). Security is never explicitly requested.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "HTTPS redirection configured",
      "description": "Program.cs calls app.UseHttpsRedirection()",
      "max_score": 7
    },
    {
      "name": "CORS configured with explicit origins",
      "description": "CORS is configured with explicit origin for the Angular dashboard (NOT AllowAnyOrigin())",
      "max_score": 12
    },
    {
      "name": "Security headers middleware",
      "description": "Middleware adds security headers including X-Content-Type-Options and X-Frame-Options",
      "max_score": 10
    },
    {
      "name": "Rate limiting on mutation endpoints",
      "description": "Rate limiting is applied to stock adjustment and product creation endpoints with appropriate limits",
      "max_score": 10
    },
    {
      "name": "Rate limiting on bulk import",
      "description": "The bulk-import endpoint has a stricter rate limit given it processes multiple items at once",
      "max_score": 8
    },
    {
      "name": "Authentication configured",
      "description": "Authentication is configured with UseAuthentication() before UseAuthorization()",
      "max_score": 10
    },
    {
      "name": "Role-based authorization",
      "description": "Manager-only report endpoint and admin-only bulk import have appropriate authorization policies or role checks",
      "max_score": 10
    },
    {
      "name": "Input validation on product creation",
      "description": "Product creation request has validation: sku and name required with length limits, unitPrice > 0, reorderPoint >= 0",
      "max_score": 8
    },
    {
      "name": "Input validation on stock adjustment",
      "description": "Stock adjustment request has validation: type is valid enum value, quantity > 0, reason required with length limit",
      "max_score": 8
    },
    {
      "name": "Bulk import validation and size limit",
      "description": "Bulk import validates each item and enforces the 100-item limit. Request body size is limited via [RequestSizeLimit] or Kestrel config.",
      "max_score": 7
    },
    {
      "name": "Search parameter validation",
      "description": "Search and filter query parameters are validated and sanitized rather than passed through raw",
      "max_score": 5
    },
    {
      "name": "Correct middleware order",
      "description": "Middleware registered in correct order with security middleware before routes",
      "max_score": 5
    }
  ]
}
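The checklist above describes the shape of a passing Program.cs without showing one. The following is an added example written for this page, not code from the tessl-labs tile or from an agent run against it. It wires every checklist item into a single minimal-API app. The dashboard origin, the JWT authority and audience, the configuration key `Auth:Authority`, the route names, the rate-limit numbers and the 256 KB body ceiling are all assumed values; the JWT bearer handler needs the Microsoft.AspNetCore.Authentication.JwtBearer package.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);

// Request body ceiling via Kestrel config (assumed 256 KB; enough for 100 small items).
builder.WebHost.ConfigureKestrel(k => k.Limits.MaxRequestBodySize = 256 * 1024);

// CORS pinned to the dashboard origin (assumed URL); never AllowAnyOrigin().
const string DashboardCors = "Dashboard";
builder.Services.AddCors(o => o.AddPolicy(DashboardCors, p => p
    .WithOrigins("https://dashboard.example.com")
    .WithMethods("GET", "POST")
    .WithHeaders("Authorization", "Content-Type")));

// JWT bearer authentication (authority/audience are placeholders) and role policies.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        o.Authority = builder.Configuration["Auth:Authority"];
        o.Audience = "inventory-api";
    });
builder.Services.AddAuthorization(o =>
{
    o.AddPolicy("ManagerOnly", p => p.RequireRole("Manager", "Admin"));
    o.AddPolicy("AdminOnly", p => p.RequireRole("Admin"));
});

// Named limiters: 60 mutations per minute, and a much stricter 5 per minute for bulk import.
builder.Services.AddRateLimiter(o =>
{
    o.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
    o.AddFixedWindowLimiter("mutations", w => { w.Window = TimeSpan.FromMinutes(1); w.PermitLimit = 60; w.QueueLimit = 0; });
    o.AddFixedWindowLimiter("bulk-import", w => { w.Window = TimeSpan.FromMinutes(1); w.PermitLimit = 5; w.QueueLimit = 0; });
});

var app = builder.Build();

// Pipeline order: HTTPS redirect, headers, rate limiting, CORS, authentication, then authorization.
app.UseHttpsRedirection();
app.Use(async (ctx, next) =>
{
    ctx.Response.Headers["X-Content-Type-Options"] = "nosniff";
    ctx.Response.Headers["X-Frame-Options"] = "DENY";
    ctx.Response.Headers["Referrer-Policy"] = "no-referrer";
    await next();
});
app.UseRateLimiter();
app.UseCors(DashboardCors);
app.UseAuthentication();
app.UseAuthorization();

app.MapPost("/products", (CreateProductRequest req) =>
        Validate(req) is { } errors ? Results.ValidationProblem(errors) : Results.Created($"/products/{req.Sku}", req))
    .RequireAuthorization()
    .RequireRateLimiting("mutations");

app.MapPost("/stock/adjustments", (StockAdjustmentRequest req) =>
        Validate(req) is { } errors ? Results.ValidationProblem(errors) : Results.Accepted())
    .RequireAuthorization()
    .RequireRateLimiting("mutations");

app.MapPost("/products/bulk-import", (BulkImportRequest req) =>
    {
        if (req.Items is null || req.Items.Count is 0 or > 100)
            return Results.BadRequest("bulk import requires 1 to 100 items");
        // Validator.TryValidateObject does not recurse into collections, so validate each item.
        foreach (var (item, i) in req.Items.Select((x, i) => (x, i)))
            if (Validate(item) is { } errors)
                return Results.ValidationProblem(errors.ToDictionary(e => $"items[{i}].{e.Key}", e => e.Value));
        return Results.Accepted();
    })
    .RequireAuthorization("AdminOnly")
    .RequireRateLimiting("bulk-import");

app.MapGet("/reports/low-stock", () => Results.Ok(Array.Empty<object>()))
    .RequireAuthorization("ManagerOnly");

// Search text is allow-listed (length and character set) instead of reaching the data layer raw.
var searchPattern = new Regex(@"^[\w .\-]{1,64}$", RegexOptions.Compiled);
app.MapGet("/products", (string? search) =>
        search is not null && !searchPattern.IsMatch(search)
            ? Results.BadRequest("search must be 1-64 characters: letters, digits, space, '-', '.', '_'")
            : Results.Ok(Array.Empty<object>()))
    .RequireAuthorization();

app.Run();

// Runs DataAnnotations on a request object; returns null when valid, else errors keyed by member.
static Dictionary<string, string[]>? Validate<T>(T model) where T : notnull
{
    var results = new List<ValidationResult>();
    if (Validator.TryValidateObject(model, new ValidationContext(model), results, validateAllProperties: true))
        return null;
    return results
        .SelectMany(r => r.MemberNames.DefaultIfEmpty(""), (r, member) => (Member: member, Error: r.ErrorMessage ?? "invalid"))
        .GroupBy(x => x.Member)
        .ToDictionary(g => g.Key, g => g.Select(x => x.Error).ToArray());
}

public enum AdjustmentType { Receive, Sell, Damage, Correction }

public record CreateProductRequest(
    [property: Required, StringLength(32, MinimumLength = 1)] string Sku,
    [property: Required, StringLength(120, MinimumLength = 1)] string Name,
    [property: Range(0.01, double.MaxValue)] decimal UnitPrice,
    [property: Range(0, int.MaxValue)] int ReorderPoint);

public record StockAdjustmentRequest(
    [property: Required, StringLength(32, MinimumLength = 1)] string Sku,
    [property: EnumDataType(typeof(AdjustmentType))] AdjustmentType Type,
    [property: Range(1, int.MaxValue)] int Quantity,
    [property: Required, StringLength(200, MinimumLength = 1)] string Reason);

public record BulkImportRequest(List<CreateProductRequest>? Items);
```

Two caveats a reviewer would raise against this shape. The fixed-window policies are global counters, not per-client ones: because `UseRateLimiter` runs before `UseAuthentication` here (the order the framework documents), the limiter cannot key on the user identity, so per-user or per-IP limits need a partitioned policy instead. And `EnumDataType` is what catches an out-of-range numeric value for `type`, since System.Text.Json will happily bind an undefined integer to an enum; without it the "type is valid enum value" check would silently pass.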
