
tessl-labs/aspnet-security-basics

Security defaults that belong in every ASP.NET Core application from day one.


evals/scenario-4/criteria.json

{
  "context": "Tests whether the agent proactively adds security middleware when building a task tracker API. The task mentions a Blazor WASM frontend on a separate domain (CORS hint) and all endpoints are authenticated (authorization hint). Security is never explicitly requested.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "HTTPS redirection configured",
      "description": "Program.cs calls app.UseHttpsRedirection()",
      "max_score": 7
    },
    {
      "name": "CORS configured with explicit origins",
      "description": "CORS is configured with explicit origin for the Blazor WASM frontend (NOT AllowAnyOrigin())",
      "max_score": 12
    },
    {
      "name": "Security headers middleware",
      "description": "Middleware adds security headers including X-Content-Type-Options, X-Frame-Options, and Referrer-Policy",
      "max_score": 10
    },
    {
      "name": "Rate limiting configured",
      "description": "Rate limiting is configured with at least one policy and applied to endpoints",
      "max_score": 10
    },
    {
      "name": "Stricter rate limit on mutations",
      "description": "POST/PATCH/DELETE endpoints have a stricter rate limit than GET endpoints",
      "max_score": 8
    },
    {
      "name": "Authentication configured",
      "description": "Authentication (JWT Bearer or similar) is configured with UseAuthentication() before UseAuthorization()",
      "max_score": 10
    },
    {
      "name": "All endpoints require authentication",
      "description": "All endpoints require authentication via [Authorize] attribute or FallbackPolicy (no public endpoints in this API)",
      "max_score": 8
    },
    {
      "name": "Project owner authorization for delete",
      "description": "DELETE task endpoint checks that the current user is the project owner before allowing deletion",
      "max_score": 8
    },
    {
      "name": "Input validation on task creation",
      "description": "Task creation request has validation: title required with length limit, priority validated against allowed values, dueDate validated",
      "max_score": 10
    },
    {
      "name": "Input validation on project creation",
      "description": "Project creation request has validation: name required with length limit",
      "max_score": 5
    },
    {
      "name": "Query parameter validation",
      "description": "Status and priority query parameters are validated against allowed enum values",
      "max_score": 5
    },
    {
      "name": "Project membership check",
      "description": "Users can only access projects they belong to (membership check on project endpoints)",
      "max_score": 4
    },
    {
      "name": "Correct middleware order",
      "description": "Middleware registered in correct order with security middleware before routes",
      "max_score": 3
    }
  ]
}
