tessl-labs/fastapi-security-basics

Security defaults that belong in every FastAPI application from day one.

93

7.00x

Quality: 90% (Does it follow best practices?)

Impact: 98% (7.00x)

Average score across 5 eval scenarios

Security by Snyk: Passed, no known issues

evals/scenario-2/criteria.json

{
  "context": "Tests whether the agent applies the complete FastAPI security stack in the correct middleware registration order — HTTPS redirect first, then trusted hosts, then CORS, then security headers, then rate limiting — along with all required components when building a greenfield API.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "All 7 security components present",
      "description": "Code includes all of: CORSMiddleware, slowapi Limiter, security headers middleware, TrustedHostMiddleware, HTTPSRedirectMiddleware (conditional), uvicorn limit_max_request_size, and Pydantic Field constraints on request models",
      "max_score": 10
    },
    {
      "name": "HTTPS redirect before TrustedHost",
      "description": "HTTPSRedirectMiddleware is added/registered before TrustedHostMiddleware in the source code",
      "max_score": 10
    },
    {
      "name": "TrustedHost before CORS",
      "description": "TrustedHostMiddleware is added/registered before CORSMiddleware in the source code",
      "max_score": 10
    },
    {
      "name": "CORS before security headers",
      "description": "CORSMiddleware is added/registered before the security headers @app.middleware('http') decorator in the source code",
      "max_score": 10
    },
    {
      "name": "Security headers before routes",
      "description": "The security headers middleware is defined before the route handler functions in the source code",
      "max_score": 8
    },
    {
      "name": "CORS origins not wildcard",
      "description": "CORSMiddleware does NOT use allow_origins=['*']",
      "max_score": 8
    },
    {
      "name": "CORS and hosts from env vars",
      "description": "Both ALLOWED_ORIGINS and ALLOWED_HOSTS are read via os.getenv()",
      "max_score": 8
    },
    {
      "name": "All four security headers set",
      "description": "The security headers middleware sets X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, and Referrer-Policy",
      "max_score": 8
    },
    {
      "name": "Rate limit error code",
      "description": "The RateLimitExceeded handler returns a response with 'RATE_LIMITED' in the body and HTTP status 429",
      "max_score": 8
    },
    {
      "name": "Pydantic Field constraints on models",
      "description": "Request model(s) use pydantic.Field with at least min_length/max_length on string fields or gt/ge/le on integer fields",
      "max_score": 10
    },
    {
      "name": "app.state.limiter set",
      "description": "app.state.limiter is assigned the Limiter instance",
      "max_score": 10
    }
  ]
}