Security defaults that belong in every ASP.NET Core application from day one.
Summary figures from the page header (listed in page order; the labels around each figure did not survive extraction, and the two score columns in the scenario tables below are likewise unlabelled on the page):

Score: 87
Does it follow best practices? 83%
Impact: 94%
1.91x: average score across 5 eval scenarios
Status: Passed, no known issues
Scenario 1

Check                                      Score 1   Score 2
HTTPS redirection configured                  0%      100%
HSTS configured                               0%      100%
CORS configured with explicit origins       100%      100%
Security headers middleware                   0%      100%
Rate limiting on write endpoints              0%      100%
General rate limiting                         0%      100%
Authentication configured                   100%      100%
Authorization with public/private split      80%      100%
Input validation on post creation            40%      100%
Comment body validation                      40%      100%
Author-only update enforcement              100%      100%
No hardcoded secrets                         75%      100%
Correct middleware order                     75%      100%
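The pipeline-level checks in the tables (HTTPS redirection, HSTS, CORS with explicit origins, security headers, general and per-endpoint rate limiting, authentication, authorization, no hardcoded secrets, middleware order) recur across all five scenarios. The following Program.cs is an added example of wiring every one of them in a .NET 8 minimal API; it is not code from the page or from any evaluated project. It assumes the Microsoft.AspNetCore.Authentication.JwtBearer package is referenced and that configuration (appsettings, environment or user secrets) supplies `Cors:AllowedOrigins`, `Auth:Authority` and `Auth:Audience`; the `/health` and `/posts` routes and the policy name `mutations` are illustrative.

```csharp
// Program.cs for a .NET 8 minimal API. Added example, not the page's own code.
// Assumptions: the Microsoft.AspNetCore.Authentication.JwtBearer package is referenced, and
// configuration provides Cors:AllowedOrigins, Auth:Authority and Auth:Audience.
using System.Security.Claims;
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);

// CORS with explicit origins read from configuration; fail at startup rather than fall back to "*".
var allowedOrigins = builder.Configuration.GetSection("Cors:AllowedOrigins").Get<string[]>()
    ?? throw new InvalidOperationException("Cors:AllowedOrigins is not configured");
builder.Services.AddCors(o => o.AddDefaultPolicy(p => p
    .WithOrigins(allowedOrigins)
    .WithHeaders("Authorization", "Content-Type")
    .WithMethods("GET", "POST", "PUT", "DELETE")));

// HSTS for production: one year, subdomains included. UseHsts below is skipped in Development.
builder.Services.AddHsts(o =>
{
    o.MaxAge = TimeSpan.FromDays(365);
    o.IncludeSubDomains = true;
});

// Rate limiting: a global per-IP limiter for every endpoint, plus a stricter named policy
// for mutating and authentication endpoints.
builder.Services.AddRateLimiter(o =>
{
    o.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
    o.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(ctx =>
        RateLimitPartition.GetFixedWindowLimiter(
            partitionKey: ctx.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            factory: _ => new FixedWindowRateLimiterOptions
            {
                PermitLimit = 100,
                Window = TimeSpan.FromMinutes(1),
                QueueLimit = 0,
            }));
    o.AddFixedWindowLimiter("mutations", opt =>
    {
        opt.PermitLimit = 10;
        opt.Window = TimeSpan.FromMinutes(1);
        opt.QueueLimit = 0;
    });
});

// Authentication: JWT bearer. Issuer and audience come from configuration; no signing key
// or client secret is in source.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        o.Authority = builder.Configuration["Auth:Authority"];
        o.Audience = builder.Configuration["Auth:Audience"];
    });
// Fallback policy: every endpoint requires an authenticated user unless it opts out.
builder.Services.AddAuthorization(o => o.FallbackPolicy = o.DefaultPolicy);

var app = builder.Build();

// Pipeline order follows the ASP.NET Core middleware ordering guidance:
// HSTS -> HTTPS redirection -> (headers) -> routing -> rate limiter -> CORS -> authn -> authz.
if (!app.Environment.IsDevelopment())
{
    app.UseHsts();
}
app.UseHttpsRedirection();

// Security headers on every response, including 429s and error pages, so this sits early.
app.Use(async (ctx, next) =>
{
    var h = ctx.Response.Headers;
    h["X-Content-Type-Options"] = "nosniff";
    h["X-Frame-Options"] = "DENY";
    h["Referrer-Policy"] = "no-referrer";
    h["Content-Security-Policy"] = "default-src 'none'; frame-ancestors 'none'";
    await next();
});

app.UseRouting();
app.UseRateLimiter();
app.UseCors();
app.UseAuthentication();
app.UseAuthorization();

// Public endpoint: explicitly opts out of the fallback policy.
app.MapGet("/health", () => Results.Ok()).AllowAnonymous();

// Mutating endpoint: authenticated via the fallback policy, throttled by the stricter policy.
app.MapPost("/posts", (ClaimsPrincipal user) =>
        Results.Ok(new { author = user.FindFirstValue(ClaimTypes.NameIdentifier) }))
    .RequireRateLimiting("mutations");

app.Run();
```

Two design choices worth checking in a review: the fallback authorization policy makes "all endpoints require authentication" the default, so a forgotten `RequireAuthorization()` fails closed and public routes have to say `AllowAnonymous()` out loud; and the stricter `mutations` policy is what a login endpoint should also carry, since a per-IP login limiter is the "rate limiting on auth endpoints" check in the last scenario. The inline header middleware is deliberately restrictive (`default-src 'none'`), which suits a JSON API; a server that renders HTML needs a CSP tailored to its script and style sources.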
Scenario 2

Check                                      Score 1   Score 2
HTTPS redirection configured                100%      100%
CORS configured with explicit origins       100%      100%
Security headers middleware                   0%      100%
Rate limiting on mutation endpoints           0%       41%
General API rate limiting                     0%      100%
Authentication configured                   100%      100%
Authorization on protected endpoints         80%      100%
Input validation on order request            30%      100%
Query param validation                       50%       50%
Users can only access own orders            100%      100%
Content-Security-Policy header                0%      100%
Correct middleware order                     60%      100%
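The endpoint-level checks in this scenario (input validation on the order request, query parameter validation, and users only being able to reach their own orders) sit in the handlers rather than the pipeline. The following is an added example of those three controls for an orders API in a .NET 8 minimal API; it is not code from the page or from any evaluated project. It assumes a Program.cs that already registers authentication and a rate-limit policy named `mutations`, plus `builder.Services.AddSingleton<OrderStore>()` and `app.MapOrderEndpoints()`; `OrderStore`, `CreateOrderRequest`, `Order` and the paging limits are constructed for illustration.

```csharp
// OrderEndpoints.cs: endpoint-level validation and ownership enforcement. Added example, not
// the page's code. Assumes a Program.cs that registers authentication, a rate-limit policy
// named "mutations", builder.Services.AddSingleton<OrderStore>() and app.MapOrderEndpoints().
using System.Collections.Concurrent;
using System.ComponentModel.DataAnnotations;
using System.Security.Claims;

public record CreateOrderRequest(
    [property: Required, StringLength(64, MinimumLength = 1)] string ProductId,
    [property: Range(1, 100)] int Quantity);

public record Order(Guid Id, string OwnerId, string ProductId, int Quantity);

// Hypothetical in-memory store standing in for the database.
public sealed class OrderStore
{
    private readonly ConcurrentDictionary<Guid, Order> _orders = new();

    public Order Create(string ownerId, CreateOrderRequest req)
    {
        var order = new Order(Guid.NewGuid(), ownerId, req.ProductId, req.Quantity);
        _orders[order.Id] = order;
        return order;
    }

    public Order? Find(Guid id) => _orders.TryGetValue(id, out var o) ? o : null;

    // The owner filter is part of the query, so paging cannot be turned into a way of
    // enumerating other users' orders.
    public IReadOnlyList<Order> ListForOwner(string ownerId, int page, int pageSize) =>
        _orders.Values.Where(o => o.OwnerId == ownerId)
            .OrderBy(o => o.Id)
            .Skip((page - 1) * pageSize)
            .Take(pageSize)
            .ToList();
}

public static class ModelValidation
{
    // Minimal APIs in .NET 8 do not run DataAnnotations automatically; run them explicitly
    // and return a 400 problem-details body keyed by member name.
    public static Dictionary<string, string[]>? Errors(object model)
    {
        var results = new List<ValidationResult>();
        var valid = Validator.TryValidateObject(
            model, new ValidationContext(model), results, validateAllProperties: true);
        if (valid) return null;
        return results
            .SelectMany(r => r.MemberNames.DefaultIfEmpty(""),
                        (r, m) => (Member: m, Message: r.ErrorMessage ?? "invalid"))
            .GroupBy(x => x.Member)
            .ToDictionary(g => g.Key, g => g.Select(x => x.Message).ToArray());
    }
}

public static class OrderEndpoints
{
    public static IEndpointRouteBuilder MapOrderEndpoints(this IEndpointRouteBuilder app)
    {
        // Every route in the group requires an authenticated caller.
        var group = app.MapGroup("/orders").RequireAuthorization();

        group.MapPost("/", (CreateOrderRequest req, ClaimsPrincipal user, OrderStore store) =>
        {
            if (ModelValidation.Errors(req) is { } errors)
                return Results.ValidationProblem(errors);
            // Owner comes from the validated token, never from the request body.
            var order = store.Create(UserId(user), req);
            return Results.Created($"/orders/{order.Id}", order);
        }).RequireRateLimiting("mutations");

        group.MapGet("/{id:guid}", (Guid id, ClaimsPrincipal user, OrderStore store) =>
        {
            var order = store.Find(id);
            // Same 404 for "does not exist" and "belongs to someone else": a 403 would
            // confirm that a guessed id is real.
            return order is null || order.OwnerId != UserId(user)
                ? Results.NotFound()
                : Results.Ok(order);
        });

        group.MapGet("/", (ClaimsPrincipal user, OrderStore store, int? page, int? pageSize) =>
        {
            // Bound paging parameters before they reach the store; an unbounded pageSize is
            // a cheap way to make the server materialise every row.
            var p = page ?? 1;
            var size = pageSize ?? 20;
            if (p < 1 || size < 1 || size > 100)
                return Results.BadRequest(new { error = "page must be >= 1 and pageSize between 1 and 100" });
            return Results.Ok(store.ListForOwner(UserId(user), p, size));
        });

        return app;
    }

    private static string UserId(ClaimsPrincipal user) =>
        user.FindFirstValue(ClaimTypes.NameIdentifier)
        ?? throw new InvalidOperationException("authenticated principal has no subject claim");
}
```

The ownership check is the one a scanner most often finds missing: the `id` route parameter is attacker-controlled, so the handler compares the record's owner to the subject claim of the token rather than trusting any user id that arrives in the URL or body, and the list endpoint filters by owner in the query itself instead of post-filtering a page that may already have leaked.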
Scenario 3

Check                                      Score 1   Score 2
HTTPS redirection configured                100%      100%
CORS configured with explicit origins       100%      100%
Security headers middleware                   0%      100%
Rate limiting on mutation endpoints           0%      100%
Rate limiting on bulk import                  0%       37%
Authentication configured                   100%      100%
Role-based authorization                    100%      100%
Input validation on product creation         75%       87%
Input validation on stock adjustment         50%       75%
Bulk import validation and size limit        57%      100%
Search parameter validation                  40%       80%
Correct middleware order                    100%      100%
Scenario 4

Check                                      Score 1   Score 2
HTTPS redirection configured                100%      100%
CORS configured with explicit origins       100%      100%
Security headers middleware                   0%      100%
Rate limiting configured                      0%      100%
Stricter rate limit on mutations              0%        0%
Authentication configured                     0%      100%
All endpoints require authentication          0%      100%
Project owner authorization for delete       62%      100%
Input validation on task creation            40%      100%
Input validation on project creation         60%      100%
Query parameter validation                   40%      100%
Project membership check                    100%      100%
Correct middleware order                     66%      100%
Scenario 5

Check                                      Score 1   Score 2
HTTPS redirection configured                100%      100%
HSTS configured for production                0%      100%
CORS configured with explicit origins       100%      100%
Security headers middleware                   0%      100%
Rate limiting on auth endpoints               0%      100%
General API rate limiting                     0%      100%
Authentication middleware configured        100%      100%
Authorization policies defined               62%      100%
Input validation on request models           20%      100%
Password not in responses                   100%      100%
No hardcoded secrets                        100%      100%
Correct middleware pipeline order            60%      100%