
tessl-labs/aspnet-security-basics

Security defaults that belong in every ASP.NET Core application from day one.

Score: 87 (1.91x). Quality: 83% (does it follow best practices?). Impact: 94%. Average score across 5 eval scenarios. Security (by Snyk): passed, no known issues.


evals/scenario-1/criteria.json

{
  "context": "Tests whether the agent proactively adds security middleware when building a blog API. The task mentions a Next.js frontend on a separate domain (CORS hint), a load balancer (HTTPS hint), and mixed public/authenticated endpoints (authorization hint). Security is never explicitly requested.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "HTTPS redirection configured",
      "description": "Program.cs calls app.UseHttpsRedirection()",
      "max_score": 7
    },
    {
      "name": "HSTS configured",
      "description": "Program.cs calls app.UseHsts() for non-development environments",
      "max_score": 5
    },
    {
      "name": "CORS configured with explicit origins",
      "description": "CORS is configured with an explicit origin for the Next.js frontend (NOT AllowAnyOrigin())",
      "max_score": 12
    },
    {
      "name": "Security headers middleware",
      "description": "Middleware adds security headers: at minimum X-Content-Type-Options and X-Frame-Options",
      "max_score": 10
    },
    {
      "name": "Rate limiting on write endpoints",
      "description": "Rate limiting is applied to POST/PUT/DELETE endpoints with a stricter limit than read endpoints",
      "max_score": 10
    },
    {
      "name": "General rate limiting",
      "description": "A general rate limiter is applied to all API routes",
      "max_score": 8
    },
    {
      "name": "Authentication configured",
      "description": "Authentication is configured and UseAuthentication() is called before UseAuthorization()",
      "max_score": 10
    },
    {
      "name": "Authorization with public/private split",
      "description": "Write endpoints require [Authorize], public read endpoints (GET posts, GET comments) are marked [AllowAnonymous], admin-only operations have appropriate policy",
      "max_score": 10
    },
    {
      "name": "Input validation on post creation",
      "description": "The create/update post request model has validation: title required with length limit, content required, tags validated",
      "max_score": 10
    },
    {
      "name": "Comment body validation",
      "description": "The comment request model has validation: body required with length constraints",
      "max_score": 5
    },
    {
      "name": "Author-only update enforcement",
      "description": "PUT endpoint checks that the authenticated user is the post author before allowing updates",
      "max_score": 5
    },
    {
      "name": "No hardcoded secrets",
      "description": "JWT keys and other secrets come from configuration, not hardcoded strings",
      "max_score": 4
    },
    {
      "name": "Correct middleware order",
      "description": "Middleware registered in correct order with security middleware before routes",
      "max_score": 4
    }
  ]
}
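The checklist above is effectively a specification for a blog API's Program.cs. The following is an added example, not a file from the tessl-labs/aspnet-security-basics tile, showing one minimal-API Program.cs that satisfies every item: HSTS outside development, HTTPS redirection, an explicit CORS origin, X-Content-Type-Options and X-Frame-Options, a general limiter plus a stricter one on writes, authentication registered before authorization, a public/authenticated/admin split, DataAnnotations validation on the post model, an author-only check on PUT, secrets read from configuration, and the middleware registered in the order the criteria call for. Because this is a minimal API, `[Authorize]` and `[AllowAnonymous]` appear as `RequireAuthorization()` and `AllowAnonymous()` on the endpoint builders. The configuration keys (Jwt:Key, Jwt:Issuer, Jwt:Audience, Cors:FrontendOrigin), the route shapes, the in-memory store, the role name "admin", and the Microsoft.AspNetCore.Authentication.JwtBearer package reference are all assumptions of this example.

```csharp
// Added example, not a file from the tile. Config keys, routes and the store are assumptions;
// the Web SDK's ImplicitUsings is assumed on (WebApplication, Results, StatusCodes, LINQ).
using System.ComponentModel.DataAnnotations;
using System.Security.Claims;
using System.Text;
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.Authentication.JwtBearer; // NuGet: Microsoft.AspNetCore.Authentication.JwtBearer
using Microsoft.AspNetCore.RateLimiting;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// No hardcoded secrets: signing key and allowed origin come from configuration (user-secrets, env vars).
string Require(string key) => builder.Configuration[key]
    ?? throw new InvalidOperationException($"configuration value '{key}' is missing");
var jwtKey = Require("Jwt:Key");
var frontendOrigin = Require("Cors:FrontendOrigin");

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o => o.TokenValidationParameters = new TokenValidationParameters
    {
        ValidIssuer = Require("Jwt:Issuer"), ValidAudience = Require("Jwt:Audience"),
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtKey)),
        ValidateIssuer = true, ValidateAudience = true, ValidateLifetime = true, ValidateIssuerSigningKey = true,
    });
builder.Services.AddAuthorization(o => o.AddPolicy("Admin", p => p.RequireRole("admin")));

// CORS: one explicit origin for the Next.js frontend, never AllowAnyOrigin().
builder.Services.AddCors(o => o.AddPolicy("Frontend", p =>
    p.WithOrigins(frontendOrigin).WithMethods("GET", "POST", "PUT", "DELETE").AllowAnyHeader()));

// Rate limiting: a general per-client limiter on every route plus a stricter named policy for writes.
builder.Services.AddRateLimiter(o =>
{
    o.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
    o.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(ctx =>
        RateLimitPartition.GetFixedWindowLimiter(ctx.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            _ => new FixedWindowRateLimiterOptions { PermitLimit = 100, Window = TimeSpan.FromMinutes(1) }));
    o.AddFixedWindowLimiter("writes", l => { l.PermitLimit = 10; l.Window = TimeSpan.FromMinutes(1); });
});

var app = builder.Build();

// Middleware order: HSTS/HTTPS and headers first, then CORS, rate limiting,
// authentication before authorization, and only then the endpoints.
if (!app.Environment.IsDevelopment()) app.UseHsts();
app.UseHttpsRedirection();
app.Use(async (ctx, next) =>
{
    ctx.Response.Headers["X-Content-Type-Options"] = "nosniff";
    ctx.Response.Headers["X-Frame-Options"] = "DENY";
    await next();
});
app.UseCors("Frontend");
app.UseRateLimiter();
app.UseAuthentication();
app.UseAuthorization();

// Constructed in-memory store standing in for a database (not safe for concurrent writers).
var posts = new Dictionary<int, (string Author, PostRequest Post)>();
static string? Subject(ClaimsPrincipal user) => user.FindFirst(ClaimTypes.NameIdentifier)?.Value;

// Public read; authenticated writes under the stricter limiter; admin-only delete.
app.MapGet("/posts", () => posts.Select(kv => new { Id = kv.Key, kv.Value.Post.Title })).AllowAnonymous();
app.MapPost("/posts", (PostRequest req, ClaimsPrincipal user) =>
{
    if (Subject(user) is not string author) return Results.Forbid(); // token without a subject: deny
    if (!Validate(req, out var errors)) return Results.ValidationProblem(errors);
    var id = posts.Count == 0 ? 1 : posts.Keys.Max() + 1;
    posts[id] = (author, req);
    return Results.Created($"/posts/{id}", new { Id = id });
}).RequireAuthorization().RequireRateLimiting("writes");
// Author-only update: RequireAuthorization only proves the caller is logged in; ownership is a separate check.
app.MapPut("/posts/{id:int}", (int id, PostRequest req, ClaimsPrincipal user) =>
{
    if (!posts.TryGetValue(id, out var existing)) return Results.NotFound();
    if (Subject(user) is not string caller || caller != existing.Author) return Results.Forbid();
    if (!Validate(req, out var errors)) return Results.ValidationProblem(errors);
    posts[id] = (existing.Author, req);
    return Results.NoContent();
}).RequireAuthorization().RequireRateLimiting("writes");
app.MapDelete("/posts/{id:int}", (int id) => posts.Remove(id) ? Results.NoContent() : Results.NotFound())
    .RequireAuthorization("Admin").RequireRateLimiting("writes");

app.Run();

// Minimal APIs do not run DataAnnotations automatically, so validate the bound model explicitly.
static bool Validate(object model, out Dictionary<string, string[]> errors)
{
    var results = new List<ValidationResult>();
    Validator.TryValidateObject(model, new ValidationContext(model), results, validateAllProperties: true);
    errors = results.GroupBy(r => r.MemberNames.FirstOrDefault() ?? string.Empty)
        .ToDictionary(g => g.Key, g => g.Select(r => r.ErrorMessage ?? "invalid").ToArray());
    return errors.Count == 0;
}

record PostRequest(
    [property: Required, StringLength(200, MinimumLength = 1)] string Title,
    [property: Required] string Content,
    [property: MaxLength(10)] string[]? Tags);
```

Two points worth checking when grading against the criteria: the global limiter is keyed by client IP, which behind the load balancer mentioned in the task only works if forwarded headers are configured (`UseForwardedHeaders`) before the rate limiter, otherwise every request shares the balancer's address; and the ownership check on PUT deliberately denies a token with no subject claim rather than treating an empty author as a match.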

Files

evals/scenario-1/criteria.json
evals/scenario-1/task.md
tile.json