
tessl-labs/fastapi-security-basics

Security defaults that belong in every FastAPI application from day one.

Overall score: 93 (7.00x)
Quality: 90% (does it follow best practices?)
Impact: 98%, 7.00x average score across 5 eval scenarios
Security (by Snyk): passed, no known issues


evals/scenario-5/criteria.json

{
  "context": "Tests whether the agent correctly implements rate limiting using slowapi, including correct key function, app state assignment, exception handler, per-route decorators, request parameter ordering, and differentiated limits for auth vs mutation vs read endpoints.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "slowapi Limiter used",
      "description": "Code imports and instantiates slowapi.Limiter (not a different rate-limiting library)",
      "max_score": 8
    },
    {
      "name": "get_remote_address key function",
      "description": "Limiter is constructed with key_func=get_remote_address imported from slowapi.util",
      "max_score": 10
    },
    {
      "name": "app.state.limiter assigned",
      "description": "app.state.limiter is set to the Limiter instance",
      "max_score": 10
    },
    {
      "name": "RateLimitExceeded handler present",
      "description": "An exception handler is registered for RateLimitExceeded (imported from slowapi.errors)",
      "max_score": 8
    },
    {
      "name": "429 status code returned",
      "description": "The RateLimitExceeded handler returns an HTTP 429 response",
      "max_score": 8
    },
    {
      "name": "RATE_LIMITED error code",
      "description": "The 429 response body includes the string 'RATE_LIMITED' as the error code",
      "max_score": 8
    },
    {
      "name": "Limiter decorator on routes",
      "description": "@limiter.limit() decorator is applied to at least two route functions",
      "max_score": 8
    },
    {
      "name": "request param is first",
      "description": "In every rate-limited route function, request: Request is the first parameter",
      "max_score": 10
    },
    {
      "name": "Stricter limit on auth endpoint",
      "description": "The login or authentication endpoint has a stricter rate limit than general read endpoints (e.g., 5/minute vs 60/minute)",
      "max_score": 10
    },
    {
      "name": "Stricter limit on mutation endpoint",
      "description": "POST/PUT/PATCH/DELETE mutation endpoints have a stricter limit than read (GET) endpoints (e.g., 10/minute vs 60/minute)",
      "max_score": 10
    },
    {
      "name": "Rate limiting on POST/auth routes",
      "description": "Both the mutation route(s) and auth route have @limiter.limit() applied (not just GET routes)",
      "max_score": 10
    }
  ]
}
