CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl-labs/express-security-basics

Security defaults that belong in every Express application from day one.

93

6.18x
Quality

90%

Does it follow best practices?

Impact

99%

6.18x

Average score across 5 eval scenarios

SecuritybySnyk

Passed

No known issues

Overview
Quality
Evals
Security
Files

criteria.jsonevals/scenario-4/

{
  "context": "Tests whether the agent proactively adds security middleware (helmet, CORS, rate limiting, trust proxy, error handler, input limits) when building a standard Express CRUD API that does not mention security in the requirements.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Helmet middleware added",
      "description": "app.ts imports and registers helmet middleware (app.use(helmet())) before route handlers",
      "max_score": 15
    },
    {
      "name": "CORS configured with explicit origins",
      "description": "CORS is configured with an explicit origin (NOT cors() with no arguments or origin: '*'). Accepts an env var or specific origin for the React frontend.",
      "max_score": 15
    },
    {
      "name": "Rate limiting on API routes",
      "description": "express-rate-limit is imported and applied to API routes (e.g. app.use('/api', limiter) or similar)",
      "max_score": 15
    },
    {
      "name": "Trust proxy configured",
      "description": "app.set('trust proxy', 1) or equivalent numeric value is set (the task mentions nginx reverse proxy)",
      "max_score": 12
    },
    {
      "name": "Secure error handler",
      "description": "A custom error-handling middleware with 4 parameters (err, req, res, next) is defined that does NOT leak stack traces or internal error details to the client",
      "max_score": 12
    },
    {
      "name": "JSON body size limit",
      "description": "express.json() is called with a limit option (e.g. limit: '10kb') rather than using the unlimited default",
      "max_score": 8
    },
    {
      "name": "CRUD endpoints functional",
      "description": "All four CRUD endpoints (GET list, POST create, PATCH update, DELETE) are implemented and return appropriate status codes",
      "max_score": 10
    },
    {
      "name": "Security middleware before routes",
      "description": "Security middleware (helmet, cors, rate limiter) is registered before route handlers in the middleware stack",
      "max_score": 8
    },
    {
      "name": "Input validation on params",
      "description": "Route handlers validate :id parameter (e.g. parseInt with isNaN check) before using it",
      "max_score": 5
    }
  ]
}

evals

scenario-4

criteria.json

task.md

tile.json