
tessl-labs/express-security-basics

Security defaults that belong in every Express application from day one.

Quality: 90% (Does it follow best practices?)
Impact: 99%
6.18x (average score across 5 eval scenarios)
Security by Snyk: Passed, no known issues


evals/scenario-1/criteria.json

{
  "context": "Tests whether the agent proactively adds security middleware when building a blog API that does not mention security. The task mentions a load balancer (trust proxy) and cross-domain frontend (CORS) as business context clues only.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Helmet middleware added",
      "description": "app.ts imports and registers helmet middleware (app.use(helmet())) before route handlers",
      "max_score": 15
    },
    {
      "name": "CORS configured with explicit origins",
      "description": "CORS is configured with an explicit origin for the Next.js frontend (NOT cors() with no arguments or origin: '*')",
      "max_score": 15
    },
    {
      "name": "Rate limiting on API routes",
      "description": "express-rate-limit is imported and applied to API routes",
      "max_score": 12
    },
    {
      "name": "Stricter limit on write endpoints",
      "description": "POST/PATCH/DELETE endpoints or a write path has a stricter rate limit than general read routes",
      "max_score": 10
    },
    {
      "name": "Trust proxy configured",
      "description": "app.set('trust proxy', 1) or equivalent numeric value is set (task mentions load balancer)",
      "max_score": 12
    },
    {
      "name": "Secure error handler",
      "description": "A custom error-handling middleware with 4 parameters is defined that does NOT leak stack traces to the client",
      "max_score": 10
    },
    {
      "name": "JSON body size limit",
      "description": "express.json() is called with a limit option (e.g. limit: '10kb' or '50kb')",
      "max_score": 8
    },
    {
      "name": "Query param validation",
      "description": "The sort query parameter on GET /api/posts is validated against an allowlist of fields rather than passed through raw",
      "max_score": 8
    },
    {
      "name": "CRUD endpoints functional",
      "description": "The main CRUD endpoints for posts are implemented and return appropriate status codes",
      "max_score": 5
    },
    {
      "name": "Security middleware before routes",
      "description": "Security middleware (helmet, cors, rate limiter) is registered before route handlers",
      "max_score": 5
    }
  ]
}

Files: evals/ · scenario-1/ · criteria.json · task.md · tile.json