Security defaults that belong in every Express application from day one.
Score: 93
Does it follow best practices? 90%
Impact: 99%
6.18x average score across 5 eval scenarios
Passed. No known issues.
{
  "instruction": "Use Helmet middleware for security headers",
  "relevant_when": "Agent creates or modifies an Express application, adds routes to an Express app, or sets up an Express project",
  "context": "Every Express app must have Helmet registered before all route handlers. Helmet sets secure HTTP headers by default: CSP, X-Content-Type-Options, X-Frame-Options, HSTS, and more. This is a baseline requirement, not an optional enhancement.",
  "sources": [
    {
      "type": "file",
      "filename": "skills/express-security-basics/SKILL.md",
      "tile": "tessl-labs/express-security-basics@0.2.0"
    }
  ],
  "checklist": [
    {
      "name": "helmet-installed",
      "rule": "Agent includes the helmet package in dependencies",
      "relevant_when": "Agent creates or modifies an Express application"
    },
    {
      "name": "helmet-middleware-added",
      "rule": "Agent registers app.use(helmet()) before route handlers, not after",
      "relevant_when": "Agent creates or modifies an Express application"
    },
    {
      "name": "csp-not-entirely-disabled",
      "rule": "Agent does not set contentSecurityPolicy: false for apps that serve HTML. Disabling CSP is only acceptable for pure JSON API servers.",
      "relevant_when": "Agent customizes Helmet configuration"
    }
  ]
}

Files:
evals
  scenario-1
  scenario-2
  scenario-3
  scenario-4
  scenario-5
skills
  express-security-basics
verifiers