
tessl-labs/flask-security-basics

Security essentials for Flask APIs — CORS, Talisman security headers, rate

Score: 99 (1.17x)
Quality: 94% (does it follow best practices?)
Impact: 100% (1.17x)
Average score across 10 eval scenarios
Security by Snyk: Passed, no known issues


evals/scenario-8/criteria.json

{
  "context": "The agent was asked to complete session management in a Flask HR portal prototype, including hardening session cookie configuration and ensuring only safe data is stored in the session. The scorer checks portal.py for correct cookie flags and the absence of sensitive fields in the session.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "SESSION_COOKIE_SECURE=True",
      "description": "portal.py sets app.config['SESSION_COOKIE_SECURE'] = True (or equivalent via app.config.update())",
      "max_score": 12
    },
    {
      "name": "SESSION_COOKIE_HTTPONLY=True",
      "description": "portal.py sets app.config['SESSION_COOKIE_HTTPONLY'] = True (or equivalent)",
      "max_score": 10
    },
    {
      "name": "SESSION_COOKIE_SAMESITE='Lax'",
      "description": "portal.py sets app.config['SESSION_COOKIE_SAMESITE'] = 'Lax' (or 'Strict')",
      "max_score": 10
    },
    {
      "name": "user_id stored in session",
      "description": "The login route stores the username or a non-secret user identifier in session (e.g., session['user_id'] = username)",
      "max_score": 10
    },
    {
      "name": "role NOT in session",
      "description": "The login route does NOT store the user's role in the session (e.g., no session['role'] = ...)",
      "max_score": 12
    },
    {
      "name": "hr_api_token NOT in session",
      "description": "The login route does NOT store the hr_api_token in the session",
      "max_score": 12
    },
    {
      "name": "salary_band NOT in session",
      "description": "The login route does NOT store salary_band in the session",
      "max_score": 10
    },
    {
      "name": "password NOT in session",
      "description": "The login route does NOT store the password in the session",
      "max_score": 10
    },
    {
      "name": "me endpoint uses session",
      "description": "The /me route still reads session.get('user_id') and returns a 401 if not set",
      "max_score": 7
    },
    {
      "name": "logout clears session",
      "description": "The /logout route still calls session.clear()",
      "max_score": 7
    }
  ]
}
