tessl-labs/django-security-basics

Security essentials for Django — CSRF, CORS, security middleware, ALLOWED_HOSTS,

Quality: 99% (does it follow best practices?)
Impact: 2.91x (average score across 2 eval scenarios)
Security by Snyk: Passed, no known issues


evals/scenario-2/criteria.json

{
  "context": "Tests whether the agent proactively applies Django security best practices when building a user auth app. The task says nothing about session cookie settings, CSRF cookie security, HSTS, SSL redirect, or SECRET_KEY management -- the agent should configure these on its own.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Password validators configured",
      "description": "settings.py configures AUTH_PASSWORD_VALIDATORS with at least UserAttributeSimilarityValidator and MinimumLengthValidator (or a comparable set of validators) to enforce strong passwords. The agent was NOT asked to configure password validation.",
      "max_score": 10
    },
    {
      "name": "CSRF protection in templates",
      "description": "CSRF middleware (django.middleware.csrf.CsrfViewMiddleware) is present in MIDDLEWARE and is not globally disabled. The registration and login templates include {% csrf_token %} inside their form tags. The agent was NOT asked about CSRF protection.",
      "max_score": 10
    },
    {
      "name": "Session cookie secure and httponly",
      "description": "settings.py sets SESSION_COOKIE_SECURE = True and SESSION_COOKIE_HTTPONLY = True for production, preventing session cookie theft via XSS or non-HTTPS channels. The agent was NOT asked about session cookie security.",
      "max_score": 18
    },
    {
      "name": "CSRF cookie secure",
      "description": "settings.py sets CSRF_COOKIE_SECURE = True for production so the CSRF cookie is only sent over HTTPS. The agent was NOT asked about CSRF cookie security.",
      "max_score": 14
    },
    {
      "name": "SECRET_KEY from environment",
      "description": "settings.py reads SECRET_KEY from an environment variable (os.environ, os.getenv, or django-environ), not hardcoded as a string literal. The agent was NOT asked about secret key management.",
      "max_score": 14
    },
    {
      "name": "SECURE_SSL_REDIRECT enabled",
      "description": "settings.py sets SECURE_SSL_REDIRECT = True for production. The agent was NOT asked about SSL redirect.",
      "max_score": 12
    },
    {
      "name": "HSTS enabled",
      "description": "settings.py sets SECURE_HSTS_SECONDS to a non-zero value for production, enabling HTTP Strict Transport Security. The agent was NOT asked about HSTS.",
      "max_score": 12
    },
    {
      "name": "No sensitive data in logs",
      "description": "The agent does not log passwords, tokens, or SECRET_KEY in plaintext. If a LOGGING configuration is present, it does not include auth data in log output. Views do not print or log raw passwords. The agent was NOT asked about logging security.",
      "max_score": 10
    }
  ]
}
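The checklist above is a specification, not code. As an added example (not part of the tessl-labs/django-security-basics tile), the block below shows a production settings mapping that satisfies every item, together with a small audit function that evaluates a settings mapping against the same criteria and a logging filter that masks passwords, tokens and SECRET_KEY values before a record is written. The helper names (`production_settings`, `audit_settings`, `redact`, `RedactSensitiveFilter`) and the `DJANGO_SECRET_KEY` / `DJANGO_ALLOWED_HOSTS` environment variable names are this example's own assumptions; the setting names and dotted middleware/validator paths are Django's.

```python
"""Production-oriented Django settings satisfying the checklist above,
plus an audit helper and a log-redaction filter.

Added example, not code from the tessl-labs/django-security-basics tile.
The helper names and the DJANGO_SECRET_KEY / DJANGO_ALLOWED_HOSTS
variable names are assumptions; setting names and dotted paths are Django's.
"""
import logging
import os
import re

# Matches "password=...", "token: ..." or "SECRET_KEY=..." inside a log line.
SENSITIVE = re.compile(r"(?i)\b(password|passwd|token|secret_key)\b(\s*[=:]\s*)(\S+)")


def redact(text):
    """Replace the value following a sensitive key with a placeholder."""
    return SENSITIVE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)


class RedactSensitiveFilter(logging.Filter):
    """Interpolate the record's message, then mask secrets before emission."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()  # values are already folded into msg
        return True


def production_settings(env=os.environ):
    """Build a settings mapping; SECRET_KEY comes only from the environment."""
    secret = env.get("DJANGO_SECRET_KEY", "")
    if len(secret) < 50:  # no silent fallback to a weak literal
        raise RuntimeError("DJANGO_SECRET_KEY must be set and >= 50 characters")
    pv = "django.contrib.auth.password_validation."
    return {
        "SECRET_KEY": secret,
        "DEBUG": False,
        "ALLOWED_HOSTS": [h for h in env.get("DJANGO_ALLOWED_HOSTS", "").split(",") if h],
        "MIDDLEWARE": [
            "django.middleware.security.SecurityMiddleware",
            "django.contrib.sessions.middleware.SessionMiddleware",
            "django.middleware.common.CommonMiddleware",
            "django.middleware.csrf.CsrfViewMiddleware",
            "django.contrib.auth.middleware.AuthenticationMiddleware",
            "django.contrib.messages.middleware.MessageMiddleware",
            "django.middleware.clickjacking.XFrameOptionsMiddleware",
        ],
        "AUTH_PASSWORD_VALIDATORS": [
            {"NAME": pv + "UserAttributeSimilarityValidator"},
            {"NAME": pv + "MinimumLengthValidator", "OPTIONS": {"min_length": 12}},
            {"NAME": pv + "CommonPasswordValidator"},
            {"NAME": pv + "NumericPasswordValidator"},
        ],
        # Secure: never sent over plaintext HTTP. HttpOnly: hidden from
        # document.cookie, so an XSS payload cannot read the session id.
        "SESSION_COOKIE_SECURE": True,
        "SESSION_COOKIE_HTTPONLY": True,
        "CSRF_COOKIE_SECURE": True,
        # Redirect HTTP to HTTPS, then have HSTS pin HTTPS for one year.
        "SECURE_SSL_REDIRECT": True,
        "SECURE_HSTS_SECONDS": 31536000,
        "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
        "SECURE_HSTS_PRELOAD": True,
        # Every console record passes through the redaction filter.
        "LOGGING": {
            "version": 1,
            "filters": {"redact": {"()": RedactSensitiveFilter}},
            "handlers": {"console": {"class": "logging.StreamHandler", "filters": ["redact"]}},
            "root": {"handlers": ["console"], "level": "INFO"},
        },
    }


REQUIRED_VALIDATORS = {"UserAttributeSimilarityValidator", "MinimumLengthValidator"}


def audit_settings(s):
    """Return the names of checklist items that a settings mapping fails."""
    failures = []
    present = {v["NAME"].rsplit(".", 1)[-1] for v in s.get("AUTH_PASSWORD_VALIDATORS", [])}
    if not REQUIRED_VALIDATORS <= present:
        failures.append("Password validators configured")
    if "django.middleware.csrf.CsrfViewMiddleware" not in s.get("MIDDLEWARE", []):
        failures.append("CSRF protection in templates")
    if not (s.get("SESSION_COOKIE_SECURE") and s.get("SESSION_COOKIE_HTTPONLY")):
        failures.append("Session cookie secure and httponly")
    if not s.get("CSRF_COOKIE_SECURE"):
        failures.append("CSRF cookie secure")
    if not s.get("SECURE_SSL_REDIRECT"):
        failures.append("SECURE_SSL_REDIRECT enabled")
    if not s.get("SECURE_HSTS_SECONDS"):
        failures.append("HSTS enabled")
    return failures


if __name__ == "__main__":
    # Constructed environment for the demo; a deployment uses os.environ.
    demo_env = {"DJANGO_SECRET_KEY": "k" * 50, "DJANGO_ALLOWED_HOSTS": "example.com"}
    print("failed checks:", audit_settings(production_settings(demo_env)))
```

In a real settings.py the mapping would be applied with `globals().update(production_settings())`. Two caveats a reviewer would raise against this configuration: behind a TLS-terminating proxy, `SECURE_SSL_REDIRECT` needs `SECURE_PROXY_SSL_HEADER` set to the proxy's forwarded-proto header or every request redirects in a loop, and `SECURE_HSTS_SECONDS` should start small and grow only once HTTPS is known to work everywhere, since browsers cache the policy and a mistake locks users out for the full duration. The audit cannot see whether `{% csrf_token %}` is in the templates or whether a view logs a raw password; those two checklist items still need a template grep and a code review.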
