CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl-labs/express-security-basics

Security defaults that belong in every Express application from day one.

93

6.18x
Quality

90%

Does it follow best practices?

Impact

99%

6.18x

Average score across 5 eval scenarios

SecuritybySnyk

Passed

No known issues

Overview
Quality
Evals
Security
Files

criteria.jsonevals/scenario-3/

{
  "context": "Tests whether the agent proactively adds security middleware when refactoring a bare Express app for production. The task says 'production deployment' and mentions ALB and CloudFront but never asks for security. A production-ready Express app must include security defaults.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Helmet middleware added",
      "description": "app.ts imports and registers helmet middleware (app.use(helmet())) before route handlers -- the original code had none",
      "max_score": 15
    },
    {
      "name": "CORS configured with explicit origins",
      "description": "CORS is configured with an explicit origin for the React dashboard on CloudFront (NOT cors() with no arguments or origin: '*')",
      "max_score": 15
    },
    {
      "name": "Rate limiting added",
      "description": "express-rate-limit is imported and applied to API routes -- the original code had none",
      "max_score": 12
    },
    {
      "name": "Trust proxy configured",
      "description": "app.set('trust proxy', 1) or equivalent numeric value is set (task mentions AWS ALB)",
      "max_score": 12
    },
    {
      "name": "Secure error handler",
      "description": "A custom error-handling middleware with 4 parameters is defined that does NOT leak stack traces -- the original code had no error handler",
      "max_score": 12
    },
    {
      "name": "JSON body size limit",
      "description": "express.json() is called with a limit option (e.g. limit: '10kb') -- the original code used express.json() with no options",
      "max_score": 8
    },
    {
      "name": "Routes properly separated",
      "description": "Inventory and supplier routes are split into separate router modules as requested",
      "max_score": 8
    },
    {
      "name": "Security middleware before routes",
      "description": "Security middleware (helmet, cors, rate limiter) is registered before route handlers in app.ts",
      "max_score": 8
    },
    {
      "name": "Error handler after routes",
      "description": "The error-handling middleware is registered after all route handlers (last app.use call)",
      "max_score": 5
    },
    {
      "name": "Param validation added",
      "description": "Route handlers validate :id parameter before using it (the original used Number() without checking NaN)",
      "max_score": 5
    }
  ]
}

evals

scenario-3

criteria.json

task.md

tile.json