tessl-labs/aspnet-security-basics

Security defaults that belong in every ASP.NET Core application from day one.

Score: 87
Quality: 83% (Does it follow best practices?)
Impact: 94%
1.91x average score across 5 eval scenarios
Security (by Snyk): Passed, no known issues


evals/scenario-5/criteria.json

{
  "context": "Tests whether the agent proactively adds security middleware when building a user management API. The task mentions a React SPA on a different domain (CORS), a load balancer (HTTPS), and auth endpoints (rate limiting) as business context clues only -- security is never explicitly requested.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "HTTPS redirection configured",
      "description": "Program.cs calls app.UseHttpsRedirection() in the middleware pipeline",
      "max_score": 8
    },
    {
      "name": "HSTS configured for production",
      "description": "Program.cs calls app.UseHsts() conditionally for non-development environments",
      "max_score": 7
    },
    {
      "name": "CORS configured with explicit origins",
      "description": "CORS is configured with explicit origins for the React SPA (NOT AllowAnyOrigin() or SetIsOriginAllowed(_ => true)). Origins come from configuration.",
      "max_score": 12
    },
    {
      "name": "Security headers middleware",
      "description": "Middleware adds security headers: at minimum X-Content-Type-Options: nosniff, X-Frame-Options: DENY, and a Content-Security-Policy header",
      "max_score": 10
    },
    {
      "name": "Rate limiting on auth endpoints",
      "description": "A rate limiter with a strict limit is applied specifically to login/register endpoints (e.g., max 10 per 15 minutes) to prevent brute force",
      "max_score": 12
    },
    {
      "name": "General API rate limiting",
      "description": "A general rate limiter is applied to all API routes (not just auth)",
      "max_score": 8
    },
    {
      "name": "Authentication middleware configured",
      "description": "JWT Bearer authentication is configured with token validation parameters (ValidateIssuer, ValidateAudience, ValidateIssuerSigningKey) and UseAuthentication() is called before UseAuthorization()",
      "max_score": 10
    },
    {
      "name": "Authorization policies defined",
      "description": "Authorization policies are defined (e.g., AdminOnly) and applied to admin-only endpoints. FallbackPolicy or [Authorize] attribute requires authentication by default.",
      "max_score": 8
    },
    {
      "name": "Input validation on request models",
      "description": "Request DTOs have validation attributes (Data Annotations or FluentValidation) -- at minimum [Required], length constraints on strings, and [EmailAddress] on email fields",
      "max_score": 10
    },
    {
      "name": "Password not in responses",
      "description": "User responses (register, login, profile) do not include the password hash in the JSON response body",
      "max_score": 5
    },
    {
      "name": "No hardcoded secrets",
      "description": "JWT key and other secrets come from configuration (builder.Configuration) rather than being hardcoded as string literals in source code",
      "max_score": 5
    },
    {
      "name": "Correct middleware pipeline order",
      "description": "Security middleware is registered before route handlers: HTTPS redirection and security headers early, UseAuthentication() before UseAuthorization(), UseCors() and UseRateLimiter() before MapControllers()",
      "max_score": 5
    }
  ]
}
