tessl-labs/django-security-basics

Security essentials for Django — CSRF, CORS, security middleware, ALLOWED_HOSTS,

Quality: 99% (Does it follow best practices?)
Impact: 2.91x (average score across 2 eval scenarios)
Security by Snyk: Passed (no known issues)


verifiers/django-security.json

[
  {
    "instruction": "Build a Django REST API for a project management tool. It should have models for Projects, Tasks, and Team Members. Use Django REST Framework for the API endpoints. Include proper settings for production deployment.",
    "relevant_when": "Agent builds or scaffolds a Django application with production settings",
    "context": "The agent is building a new Django REST API from scratch. It should proactively apply security best practices in settings.py without being explicitly asked to do so.",
    "sources": [
      {
        "type": "file",
        "filename": "skills/django-security-basics/SKILL.md",
        "tile": "tessl-labs/django-security-basics@0.1.0"
      }
    ],
    "checklist": [
      {
        "name": "secure-ssl-redirect",
        "rule": "Agent sets SECURE_SSL_REDIRECT = True for production (may be behind an environment check or in a production settings file)",
        "relevant_when": "Agent creates Django settings"
      },
      {
        "name": "hsts-enabled",
        "rule": "Agent sets SECURE_HSTS_SECONDS to a non-zero value (e.g. 31536000) for production, enabling HTTP Strict Transport Security",
        "relevant_when": "Agent creates Django settings"
      },
      {
        "name": "csrf-trusted-origins",
        "rule": "Agent configures CSRF_TRUSTED_ORIGINS from environment or as an explicit list of allowed origins, not left unset or set to wildcard",
        "relevant_when": "Agent creates Django settings"
      },
      {
        "name": "session-cookie-secure",
        "rule": "Agent sets SESSION_COOKIE_SECURE = True for production so session cookies are only sent over HTTPS",
        "relevant_when": "Agent creates Django settings"
      },
      {
        "name": "secret-key-from-env",
        "rule": "Agent reads SECRET_KEY from an environment variable (e.g. os.environ.get or os.getenv or django-environ), not hardcoded in settings.py",
        "relevant_when": "Agent creates Django settings"
      },
      {
        "name": "debug-false",
        "rule": "Agent sets DEBUG = False for production (may use environment variable to toggle, but default or production value must be False)",
        "relevant_when": "Agent creates Django settings"
      },
      {
        "name": "allowed-hosts-set",
        "rule": "Agent sets ALLOWED_HOSTS from environment variable or as an explicit list of domains, not left empty or set to ['*']",
        "relevant_when": "Agent creates Django settings"
      }
    ]
  },
  {
    "instruction": "Build a Django app with user registration and login. Users should be able to sign up with email and password, log in, and view their profile. Use Django's built-in auth system. Set up the project with proper settings.",
    "relevant_when": "Agent builds a Django application with user authentication",
    "context": "The agent is building a Django app with user auth from scratch. It should proactively configure password validators, CSRF protection, session security, and avoid logging sensitive data, without being explicitly asked.",
    "sources": [
      {
        "type": "file",
        "filename": "skills/django-security-basics/SKILL.md",
        "tile": "tessl-labs/django-security-basics@0.1.0"
      }
    ],
    "checklist": [
      {
        "name": "password-validators",
        "rule": "Agent configures AUTH_PASSWORD_VALIDATORS with at least UserAttributeSimilarityValidator and MinimumLengthValidator (or a comparable set of validators) to enforce strong passwords",
        "relevant_when": "Agent creates Django settings with authentication"
      },
      {
        "name": "csrf-protection",
        "rule": "Agent keeps CSRF middleware enabled (django.middleware.csrf.CsrfViewMiddleware in MIDDLEWARE) and does not globally disable CSRF. Templates with forms include {% csrf_token %}",
        "relevant_when": "Agent creates Django views or templates with forms"
      },
      {
        "name": "session-security",
        "rule": "Agent configures session security: SESSION_COOKIE_SECURE = True and SESSION_COOKIE_HTTPONLY = True for production, preventing session cookie theft via XSS or non-HTTPS channels",
        "relevant_when": "Agent creates Django settings with session-based auth"
      },
      {
        "name": "csrf-cookie-secure",
        "rule": "Agent sets CSRF_COOKIE_SECURE = True for production so the CSRF cookie is only sent over HTTPS",
        "relevant_when": "Agent creates Django settings"
      },
      {
        "name": "secret-key-from-env",
        "rule": "Agent reads SECRET_KEY from an environment variable (e.g. os.environ.get or os.getenv or django-environ), not hardcoded in settings.py",
        "relevant_when": "Agent creates Django settings"
      },
      {
        "name": "secure-ssl-redirect",
        "rule": "Agent sets SECURE_SSL_REDIRECT = True for production",
        "relevant_when": "Agent creates Django settings"
      },
      {
        "name": "hsts-enabled",
        "rule": "Agent sets SECURE_HSTS_SECONDS to a non-zero value for production",
        "relevant_when": "Agent creates Django settings"
      },
      {
        "name": "no-sensitive-data-in-logs",
        "rule": "Agent does not log passwords, tokens, or SECRET_KEY in plaintext. If logging is configured, sensitive data is filtered using Django's sensitive_variables or sensitive_post_parameters decorators, or by not including auth data in log output",
        "relevant_when": "Agent creates Django views or logging configuration"
      }
    ]
  }
]
