tessl-labs/fastapi-security-basics

Security defaults that belong in every FastAPI application from day one.

Score: 93 (7.00x)
Quality: 90% (Does it follow best practices?)
Impact: 98% (7.00x, average score across 5 eval scenarios)
Security by Snyk: Passed, no known issues


evals/scenario-1/criteria.json

{
  "context": "Tests whether the agent correctly configures CORS and TrustedHostMiddleware in a FastAPI application, using environment variables for origins and hosts, specifying explicit methods, and avoiding wildcard origins.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "No wildcard CORS origin",
      "description": "CORSMiddleware does NOT use allow_origins=['*'] — uses a list of explicit origin strings instead",
      "max_score": 12
    },
    {
      "name": "CORS origins from env var",
      "description": "CORSMiddleware allow_origins reads from os.getenv('ALLOWED_ORIGINS') (with an optional default value)",
      "max_score": 10
    },
    {
      "name": "Explicit allow_methods",
      "description": "CORSMiddleware specifies allow_methods explicitly (e.g., ['GET', 'POST', 'PUT', 'PATCH', 'DELETE']) rather than relying on defaults or omitting the parameter",
      "max_score": 8
    },
    {
      "name": "allow_credentials not with wildcard",
      "description": "If allow_credentials=True is set, allow_origins does NOT use ['*']",
      "max_score": 8
    },
    {
      "name": "TrustedHostMiddleware present",
      "description": "TrustedHostMiddleware is imported from starlette.middleware.trustedhost and added to the app",
      "max_score": 12
    },
    {
      "name": "Trusted hosts from env var",
      "description": "TrustedHostMiddleware allowed_hosts reads from os.getenv('ALLOWED_HOSTS') with a default of 'localhost,127.0.0.1' (or similar localhost values)",
      "max_score": 10
    },
    {
      "name": "Security headers middleware",
      "description": "An HTTP middleware function is defined that adds at least X-Content-Type-Options and X-Frame-Options response headers",
      "max_score": 10
    },
    {
      "name": "All four security headers present",
      "description": "The security headers middleware sets all four of: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy",
      "max_score": 10
    },
    {
      "name": "Correct header values",
      "description": "Security headers use the correct values: 'nosniff', 'DENY', '1; mode=block', 'strict-origin-when-cross-origin'",
      "max_score": 10
    },
    {
      "name": "Middleware calls call_next",
      "description": "The security headers middleware calls await call_next(request) and returns the resulting response",
      "max_score": 10
    }
  ]
}
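A FastAPI module that satisfies every item in this checklist, added here as a worked example; it is not code from the tessl-labs/fastapi-security-basics tile. The ALLOWED_ORIGINS and ALLOWED_HOSTS variable names and the header values come from the checklist above; the default origin http://localhost:3000, the allow_headers list and the /health route are assumptions. The configuration helpers are plain Python so they can be checked without a server, and create_app() does the middleware wiring. One caveat the checklist does not mention: X-XSS-Protection is a legacy header that current browsers ignore (OWASP now recommends 0 or omitting it); it is set to '1; mode=block' here only because that is the value the checklist scores.

```python
"""FastAPI security defaults that pass the scenario-1 checklist.

Added example, not part of the tessl-labs/fastapi-security-basics tile.
ALLOWED_ORIGINS / ALLOWED_HOSTS come from the checklist; the default origin
http://localhost:3000, the allow_headers list and /health are assumptions.
"""
import os

# Header values exactly as the checklist scores them. X-XSS-Protection is a
# legacy header that modern browsers ignore; kept only because the checklist
# awards points for '1; mode=block'.
SECURITY_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# Explicit method list instead of relying on CORSMiddleware defaults.
ALLOWED_METHODS = ["GET", "POST", "PUT", "PATCH", "DELETE"]


def parse_csv_env(name: str, default: str, environ=os.environ) -> list[str]:
    """Read a comma-separated env var into a list, dropping blanks and whitespace."""
    raw = environ.get(name, default)
    return [item.strip() for item in raw.split(",") if item.strip()]


def cors_settings(environ=os.environ) -> dict:
    """Build CORSMiddleware kwargs from ALLOWED_ORIGINS.

    A wildcard is rejected outright: with allow_credentials=True, Starlette
    echoes the request Origin back when a Cookie header is present, so '*'
    would let any site make credentialed cross-origin requests.
    """
    origins = parse_csv_env("ALLOWED_ORIGINS", "http://localhost:3000", environ)
    if "*" in origins:
        raise ValueError("ALLOWED_ORIGINS must list explicit origins, not '*'")
    return {
        "allow_origins": origins,
        "allow_credentials": True,
        "allow_methods": ALLOWED_METHODS,
        "allow_headers": ["Authorization", "Content-Type"],  # assumption
    }


def trusted_hosts(environ=os.environ) -> list[str]:
    """Hosts accepted by TrustedHostMiddleware; the default is loopback only."""
    return parse_csv_env("ALLOWED_HOSTS", "localhost,127.0.0.1", environ)


def create_app():
    """Wire TrustedHost, CORS and the security-headers middleware onto an app."""
    # Imported here so the helpers above stay testable without FastAPI installed.
    from fastapi import FastAPI, Request
    from fastapi.middleware.cors import CORSMiddleware
    from starlette.middleware.trustedhost import TrustedHostMiddleware

    app = FastAPI()
    # Each add_middleware wraps the previous stack, so the header middleware
    # registered last runs outermost and stamps even preflight and 400 replies.
    app.add_middleware(TrustedHostMiddleware, allowed_hosts=trusted_hosts())
    app.add_middleware(CORSMiddleware, **cors_settings())

    @app.middleware("http")
    async def security_headers(request: Request, call_next):
        response = await call_next(request)
        for name, value in SECURITY_HEADERS.items():
            response.headers[name] = value
        return response

    @app.get("/health")
    async def health():
        return {"status": "ok"}

    return app


if __name__ == "__main__":
    import uvicorn

    uvicorn.run(create_app(), host="127.0.0.1", port=8000)
```

Start it with, for example, `ALLOWED_ORIGINS=https://app.example.com ALLOWED_HOSTS=api.example.com python app.py`; a request carrying any other Host header is answered with 400 by TrustedHostMiddleware, and a preflight from an unlisted origin gets no Access-Control-Allow-Origin header. Keeping the env parsing in small functions means the wildcard-plus-credentials rule can be unit-tested in CI rather than discovered after a misconfigured deployment.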

Files
  evals/
    scenario-1/
      criteria.json
      task.md
  tile.json