
tessl-labs/flask-security-basics

Security essentials for Flask APIs — CORS, Talisman security headers, rate

99
1.17x
Quality: 94% (Does it follow best practices?)
Impact: 100% (1.17x), average score across 10 eval scenarios
Security by Snyk: Passed (no known issues)


evals/scenario-6/criteria.json

{
  "context": "The agent was asked to refactor a Flask app from module-level extension initialisation to the application factory pattern (create_app function). The scorer checks delivery_api.py for correct use of the init_app pattern for CORS, Talisman, and Limiter, with security settings preserved.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "create_app function defined",
      "description": "delivery_api.py defines a create_app() function that instantiates and returns a Flask app",
      "max_score": 10
    },
    {
      "name": "CORS init_app used",
      "description": "Flask-CORS is initialised via cors.init_app(app, ...) with a separate CORS() instance, rather than CORS(app, ...) directly",
      "max_score": 15
    },
    {
      "name": "Talisman init_app used",
      "description": "Flask-Talisman is initialised via talisman.init_app(app, ...) with a separate Talisman() instance, rather than Talisman(app, ...) directly",
      "max_score": 15
    },
    {
      "name": "Talisman force_https=False preserved",
      "description": "The Talisman init_app call still includes force_https=False",
      "max_score": 10
    },
    {
      "name": "Limiter init_app used",
      "description": "Flask-Limiter is initialised via limiter.init_app(app) rather than passing app= to the Limiter constructor",
      "max_score": 12
    },
    {
      "name": "CORS origins preserved",
      "description": "CORS is still configured with explicit origins from the ALLOWED_ORIGINS environment variable (not a wildcard)",
      "max_score": 10
    },
    {
      "name": "SECRET_KEY guard inside factory",
      "description": "The SECRET_KEY check (raising RuntimeError if missing outside TESTING) is inside the create_app function",
      "max_score": 8
    },
    {
      "name": "Original routes preserved",
      "description": "All three original routes (GET /deliveries, POST /deliveries, DELETE /deliveries/<id>) are present with the same per-route rate limits",
      "max_score": 8
    },
    {
      "name": "No module-level app = Flask(...)",
      "description": "The Flask app object is NOT created at module level outside create_app — it is created inside the factory function",
      "max_score": 6
    },
    {
      "name": "Redis storage_uri preserved",
      "description": "The Limiter is still configured with a storage_uri pointing to Redis (e.g., from os.getenv('REDIS_URL', 'redis://localhost:6379/0'))",
      "max_score": 6
    }
  ]
}
