tessl-labs/django-security-basics

Security essentials for Django — CSRF, CORS, security middleware, ALLOWED_HOSTS,

Quality: 99% (Does it follow best practices?)
Impact: 2.91x (average score across 2 eval scenarios)
Security by Snyk: Passed, no known issues

evals/scenario-1/criteria.json

{
  "context": "Tests whether the agent proactively applies Django security best practices when building a REST API. The task asks for 'production deployment' settings but does NOT mention any specific security settings -- the agent should configure SSL redirect, HSTS, CSRF trusted origins, session cookie security, SECRET_KEY from env, DEBUG=False, and ALLOWED_HOSTS on its own.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "SECURE_SSL_REDIRECT enabled",
      "description": "settings.py sets SECURE_SSL_REDIRECT = True for production (may be behind an environment variable check). The agent was NOT asked to configure SSL redirect.",
      "max_score": 14
    },
    {
      "name": "HSTS enabled",
      "description": "settings.py sets SECURE_HSTS_SECONDS to a non-zero value (e.g. 31536000) for production, enabling HTTP Strict Transport Security. The agent was NOT asked about HSTS.",
      "max_score": 14
    },
    {
      "name": "CSRF_TRUSTED_ORIGINS configured",
      "description": "settings.py configures CSRF_TRUSTED_ORIGINS from an environment variable or as an explicit list of allowed origins, not left unset or set to a wildcard. The agent was NOT asked about CSRF trusted origins.",
      "max_score": 12
    },
    {
      "name": "SESSION_COOKIE_SECURE enabled",
      "description": "settings.py sets SESSION_COOKIE_SECURE = True for production so session cookies are only sent over HTTPS. The agent was NOT asked about cookie security.",
      "max_score": 14
    },
    {
      "name": "SECRET_KEY from environment",
      "description": "settings.py reads SECRET_KEY from an environment variable (os.environ, os.getenv, or django-environ), not hardcoded as a string literal. The agent was NOT asked about secret key management.",
      "max_score": 16
    },
    {
      "name": "DEBUG is False for production",
      "description": "settings.py sets DEBUG = False for production. May use an environment variable to toggle, but the default or production value must be False. The agent was NOT asked to disable debug mode.",
      "max_score": 16
    },
    {
      "name": "ALLOWED_HOSTS configured",
      "description": "settings.py sets ALLOWED_HOSTS from an environment variable or as an explicit list of domains, not left empty or set to ['*']. The agent was NOT asked about allowed hosts.",
      "max_score": 14
    }
  ]
}

Files: evals/scenario-1/criteria.json, evals/scenario-1/task.md, tile.json