CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl-labs/express-security-basics

Security defaults that belong in every Express application from day one.

93

6.18x
Quality

90%

Does it follow best practices?

Impact

99%

6.18x

Average score across 5 eval scenarios

SecuritybySnyk

Passed

No known issues

Overview
Quality
Evals
Security
Files

criteria.jsonevals/scenario-2/

{
  "context": "Tests whether the agent proactively adds security middleware when building an e-commerce order API. The task describes business requirements only and never mentions security. Order creation is a sensitive mutation endpoint that should have stricter rate limiting.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Helmet middleware added",
      "description": "app.ts imports and registers helmet middleware (app.use(helmet())) before route handlers",
      "max_score": 15
    },
    {
      "name": "CORS configured with explicit origins",
      "description": "CORS is configured with an explicit origin for the Vue.js storefront (NOT cors() with no arguments or origin: '*')",
      "max_score": 15
    },
    {
      "name": "Rate limiting on API routes",
      "description": "express-rate-limit is imported and applied to API routes",
      "max_score": 12
    },
    {
      "name": "Stricter limit on order creation",
      "description": "The POST /api/orders endpoint has a stricter rate limit than general read routes (lower max or shorter window)",
      "max_score": 10
    },
    {
      "name": "Trust proxy configured",
      "description": "app.set('trust proxy', 1) or equivalent numeric value is set (task mentions nginx proxy)",
      "max_score": 12
    },
    {
      "name": "Secure error handler",
      "description": "A custom error-handling middleware with 4 parameters is defined that does NOT leak stack traces to the client",
      "max_score": 10
    },
    {
      "name": "JSON body size limit",
      "description": "express.json() is called with a limit option (e.g. limit: '10kb')",
      "max_score": 8
    },
    {
      "name": "Order validation logic",
      "description": "POST /api/orders validates that products exist and have sufficient stock before creating the order",
      "max_score": 8
    },
    {
      "name": "CRUD endpoints functional",
      "description": "The main endpoints for products and orders are implemented and return appropriate status codes",
      "max_score": 5
    },
    {
      "name": "Security middleware before routes",
      "description": "Security middleware (helmet, cors, rate limiter) is registered before route handlers",
      "max_score": 5
    }
  ]
}

evals

scenario-2

criteria.json

task.md

tile.json