Security essentials for Flask APIs — CORS, Talisman security headers, rate
99
94%
Does it follow best practices?
Impact
100%
1.17x average score across 10 eval scenarios
Passed
No known issues
{
"context": "The agent was asked to add Flask-Talisman security headers to a Flask API that runs behind an AWS ALB (which terminates TLS). The scorer checks app.py for correct Talisman configuration that avoids redirect loops while still enforcing secure cookie settings.",
"type": "weighted_checklist",
"checklist": [
{
"name": "Talisman imported",
"description": "app.py imports Talisman from flask_talisman",
"max_score": 8
},
{
"name": "Talisman instantiated",
"description": "A Talisman instance is created (e.g., talisman = Talisman()) before being applied to the app",
"max_score": 7
},
{
"name": "Talisman applied to app",
"description": "Talisman is initialized on the app via talisman.init_app(app, ...) or Talisman(app, ...)",
"max_score": 8
},
{
"name": "force_https=False",
"description": "Talisman is configured with force_https=False (not the default True, which causes redirect loops behind a proxy)",
"max_score": 20
},
{
"name": "session_cookie_secure=True",
"description": "Talisman is configured with session_cookie_secure=True",
"max_score": 12
},
{
"name": "session_cookie_http_only=True",
"description": "Talisman is configured with session_cookie_http_only=True",
"max_score": 12
},
{
"name": "flask-talisman in requirements",
"description": "requirements.txt includes flask-talisman as a dependency",
"max_score": 8
},
{
"name": "Original routes preserved",
"description": "All three original routes (GET /api/health, GET /api/data, POST /api/data) are still present and functional in app.py",
"max_score": 8
},
{
"name": "No force_https=True",
"description": "Talisman is NOT configured with force_https=True anywhere in app.py",
"max_score": 17
}
]
}