
tessl-labs/express-security-basics

Security defaults that belong in every Express application from day one.

Overall score: 93 (6.18x)
Quality: 90% (Does it follow best practices?)
Impact: 99% (6.18x)
Average score across 5 eval scenarios
Security by Snyk: Passed, no known issues


evals/scenario-5/criteria.json

{
  "context": "Tests whether the agent proactively adds security middleware when building an authentication API that does not explicitly ask for security hardening. Auth APIs are especially sensitive and should trigger rate limiting on auth endpoints.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Helmet middleware added",
      "description": "app.ts imports and registers helmet middleware (app.use(helmet())) before route handlers",
      "max_score": 12
    },
    {
      "name": "CORS configured with explicit origins",
      "description": "CORS is configured with an explicit origin for the React SPA (NOT cors() with no arguments or origin: '*')",
      "max_score": 12
    },
    {
      "name": "Rate limiting on auth endpoints",
      "description": "A rate limiter is applied specifically to auth endpoints (login/register) with a stricter limit than general routes (e.g. max 10 per 15 minutes)",
      "max_score": 18
    },
    {
      "name": "General API rate limiting",
      "description": "A general rate limiter is also applied to all API routes (not just auth)",
      "max_score": 10
    },
    {
      "name": "Secure error handler",
      "description": "A custom error-handling middleware with 4 parameters is defined that returns generic messages for 500 errors and never leaks stack traces",
      "max_score": 12
    },
    {
      "name": "JSON body size limit",
      "description": "express.json() is called with a limit option (e.g. limit: '10kb')",
      "max_score": 8
    },
    {
      "name": "Auth endpoints functional",
      "description": "Register, login, and profile endpoints are implemented with proper JWT handling and password hashing",
      "max_score": 10
    },
    {
      "name": "Password not in responses",
      "description": "User responses (register, login, profile) do not include the password or password hash in the JSON response body",
      "max_score": 8
    },
    {
      "name": "Trust proxy configured",
      "description": "app.set('trust proxy', 1) or equivalent is set for correct client IP detection",
      "max_score": 5
    },
    {
      "name": "Security middleware before routes",
      "description": "Security middleware (helmet, cors, rate limiter) is registered before route handlers",
      "max_score": 5
    }
  ]
}
