
tessl-labs/aspnet-security-basics

Security defaults that belong in every ASP.NET Core application from day one.

87 (1.91x)

Quality: 83% (Does it follow best practices?)

Impact: 94% (1.91x, average score across 5 eval scenarios)

Security by Snyk: Passed, no known issues


evals/scenario-2/criteria.json

{
  "context": "Tests whether the agent proactively adds security middleware when building an e-commerce API. The task mentions a Vue.js frontend on a different domain (CORS hint), mixed public/authenticated endpoints (authorization hint), and order mutations (rate limiting hint). Security is never explicitly requested.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "HTTPS redirection configured",
      "description": "Program.cs calls app.UseHttpsRedirection() in the middleware pipeline",
      "max_score": 7
    },
    {
      "name": "CORS configured with explicit origins",
      "description": "CORS is configured with explicit origins for the Vue.js storefront (NOT AllowAnyOrigin()). Origins come from configuration.",
      "max_score": 12
    },
    {
      "name": "Security headers middleware",
      "description": "Middleware adds security headers including X-Content-Type-Options: nosniff and X-Frame-Options",
      "max_score": 10
    },
    {
      "name": "Rate limiting on mutation endpoints",
      "description": "Rate limiting is applied to order creation and cancellation endpoints with a stricter limit than read endpoints",
      "max_score": 12
    },
    {
      "name": "General API rate limiting",
      "description": "A general rate limiter is applied to API routes",
      "max_score": 8
    },
    {
      "name": "Authentication configured",
      "description": "Authentication is configured and UseAuthentication() is called before UseAuthorization() in the pipeline",
      "max_score": 10
    },
    {
      "name": "Authorization on protected endpoints",
      "description": "Authenticated endpoints require [Authorize], admin endpoints have an admin-only policy, and public product endpoints are marked [AllowAnonymous]",
      "max_score": 10
    },
    {
      "name": "Input validation on order request",
      "description": "The create order request model has validation: items array not empty, quantity > 0, shipping address required with length limits",
      "max_score": 10
    },
    {
      "name": "Query param validation",
      "description": "Sort and category query parameters are validated against allowlists rather than passed through raw",
      "max_score": 6
    },
    {
      "name": "Users can only access own orders",
      "description": "The GET /api/orders/{id} endpoint checks that the authenticated user owns the order before returning it",
      "max_score": 5
    },
    {
      "name": "Content-Security-Policy header",
      "description": "A Content-Security-Policy header is set in the security headers middleware",
      "max_score": 5
    },
    {
      "name": "Correct middleware order",
      "description": "Security middleware registered in correct order: HTTPS redirection, security headers, CORS, rate limiting, authentication, authorization, then routes",
      "max_score": 5
    }
  ]
}
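The checklist above describes a complete pipeline rather than a single setting, so here it is as one Program.cs. This is an added example written for this page, not code from the tessl-labs tile or from the eval scenario. It assumes a configuration key `Cors:AllowedOrigins` for the storefront origins, the `Microsoft.AspNetCore.Authentication.JwtBearer` package with issuer and key supplied through the `Authentication:Schemes:Bearer` configuration section, and a hypothetical in-memory `OrderStore` and allowlists standing in for a database and catalogue. One caveat the checklist's wording leaves out: `UseRouting()` must precede `UseCors()` and `UseRateLimiter()` when endpoint-specific policies such as `RequireRateLimiting` are used, so the example places it after the security-headers middleware and before CORS.

```csharp
// Added example (not the tile's own code). Config keys, OrderStore and the allowlists are assumptions.
using System.ComponentModel.DataAnnotations;
using System.Security.Claims;
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);

// CORS: explicit storefront origins from configuration (assumed key "Cors:AllowedOrigins"), never AllowAnyOrigin().
// An empty list fails closed: no cross-origin caller is allowed until the key is set.
var origins = builder.Configuration.GetSection("Cors:AllowedOrigins").Get<string[]>() ?? Array.Empty<string>();
builder.Services.AddCors(o => o.AddPolicy("Storefront", p =>
    p.WithOrigins(origins).AllowAnyHeader().WithMethods("GET", "POST", "DELETE")));

// Rate limiting: a global per-client limiter plus a much stricter named policy for order mutations.
builder.Services.AddRateLimiter(o =>
{
    o.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
    o.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(ctx =>
        RateLimitPartition.GetFixedWindowLimiter(
            ctx.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            _ => new FixedWindowRateLimiterOptions { PermitLimit = 100, Window = TimeSpan.FromMinutes(1) }));
    o.AddFixedWindowLimiter("order-mutations", opt => { opt.PermitLimit = 5; opt.Window = TimeSpan.FromMinutes(1); });
});

// Authentication (JWT bearer, settings assumed under "Authentication:Schemes:Bearer") and an admin-only policy.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer();
builder.Services.AddAuthorization(o => o.AddPolicy("AdminOnly", p => p.RequireRole("admin")));

var app = builder.Build();

// Pipeline order: HTTPS redirect, security headers, routing, CORS, rate limiting, authentication, authorization, endpoints.
app.UseHttpsRedirection();
app.Use(async (ctx, next) =>
{
    ctx.Response.Headers["X-Content-Type-Options"] = "nosniff";
    ctx.Response.Headers["X-Frame-Options"] = "DENY";
    ctx.Response.Headers["Content-Security-Policy"] = "default-src 'none'; frame-ancestors 'none'";
    await next();
});
app.UseRouting();            // UseCors and endpoint-specific rate limiting must follow routing
app.UseCors("Storefront");
app.UseRateLimiter();
app.UseAuthentication();
app.UseAuthorization();

// Public catalogue: sort and category are checked against allowlists instead of being passed through raw.
string[] sorts = { "price", "name", "newest" };
string[] categories = { "books", "games", "audio" };
app.MapGet("/api/products", (string? sort, string? category) =>
    (sort is not null && !sorts.Contains(sort)) || (category is not null && !categories.Contains(category))
        ? Results.BadRequest("unknown sort or category")
        : Results.Ok(OrderStore.Products)).AllowAnonymous();

// Authenticated, and only the owner gets the order; 404 for someone else's order avoids confirming that it exists.
static string? Caller(ClaimsPrincipal user) => user.FindFirst(ClaimTypes.NameIdentifier)?.Value;
app.MapGet("/api/orders/{id:guid}", (Guid id, ClaimsPrincipal user) =>
    OrderStore.Orders.TryGetValue(id, out var order) && order.OwnerId == Caller(user)
        ? Results.Ok(order) : Results.NotFound()).RequireAuthorization();

// Mutations: validated request model, authenticated caller, strict limiter.
app.MapPost("/api/orders", (CreateOrderRequest req, ClaimsPrincipal user) =>
{
    // Minimal APIs do not run DataAnnotations automatically; validate explicitly, including nested item quantities.
    var errors = new List<ValidationResult>();
    Validator.TryValidateObject(req, new ValidationContext(req), errors, validateAllProperties: true);
    if (req.Items.Any(i => i.Quantity <= 0)) errors.Add(new ValidationResult("each item quantity must be > 0"));
    if (errors.Count > 0) return Results.BadRequest(errors.Select(e => e.ErrorMessage));
    var order = new Order(Guid.NewGuid(), Caller(user)!, req.Items, req.ShippingAddress);
    OrderStore.Orders[order.Id] = order;
    return Results.Created($"/api/orders/{order.Id}", order);
}).RequireAuthorization().RequireRateLimiting("order-mutations");

app.MapDelete("/api/orders/{id:guid}", (Guid id, ClaimsPrincipal user) =>
    OrderStore.Orders.TryGetValue(id, out var order) && order.OwnerId == Caller(user) && OrderStore.Orders.TryRemove(id, out _)
        ? Results.NoContent() : Results.NotFound()).RequireAuthorization().RequireRateLimiting("order-mutations");

// Admin-only view of every order.
app.MapGet("/api/admin/orders", () => Results.Ok(OrderStore.Orders.Values)).RequireAuthorization("AdminOnly");

app.Run();

record OrderItem(Guid ProductId, int Quantity);
record Order(Guid Id, string OwnerId, OrderItem[] Items, string ShippingAddress);

class CreateOrderRequest
{
    [Required, MinLength(1)] public OrderItem[] Items { get; set; } = Array.Empty<OrderItem>();
    [Required, StringLength(200, MinimumLength = 10)] public string ShippingAddress { get; set; } = "";
}

// Hypothetical in-memory store standing in for a database and product catalogue.
static class OrderStore
{
    public static readonly string[] Products = { "book", "game" };
    public static readonly System.Collections.Concurrent.ConcurrentDictionary<Guid, Order> Orders = new();
}
```

Two design choices worth noting against the checklist: the ownership check returns 404 rather than 403 so an authenticated user cannot enumerate which order IDs exist, and the strict `order-mutations` policy is attached per endpoint with `RequireRateLimiting` while the global limiter still applies to every route, so mutation endpoints are bounded by whichever limit is hit first.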
