
tessl-labs/http-caching-strategy

HTTP caching for web APIs — Cache-Control headers, ETags, conditional requests,

88
25.00x
Quality: 84% (Does it follow best practices?)
Impact: 100% (average score across 4 eval scenarios)
Security by Snyk: Passed, no known issues


evals/scenario-4/criteria.json

{
  "context": "Tests whether the agent proactively adds appropriate cache headers to a SaaS dashboard API with mostly authenticated endpoints. The task says 'handle sensitive account data appropriately' but does NOT mention caching. A skilled agent should recognize that API keys and account data need no-store, while the public status endpoint is cacheable.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Cache-Control on public status endpoint",
      "description": "GET /api/status sets a Cache-Control header — either 'public, max-age=N' or 'no-cache' depending on freshness needs",
      "max_score": 12
    },
    {
      "name": "no-store on user account endpoint",
      "description": "GET /api/me sets Cache-Control with 'no-store' since it returns sensitive user account data",
      "max_score": 16
    },
    {
      "name": "no-store on API keys endpoint",
      "description": "GET /api/me/api-keys sets Cache-Control with 'no-store' since API keys are highly sensitive credentials",
      "max_score": 16
    },
    {
      "name": "private on all authenticated endpoints",
      "description": "All authenticated endpoints (me, team, usage, api-keys) include 'private' in Cache-Control to prevent shared cache storage",
      "max_score": 12
    },
    {
      "name": "no-store on team and usage endpoints",
      "description": "GET /api/me/team and GET /api/me/usage set Cache-Control with 'no-store' or 'private, no-cache'",
      "max_score": 10
    },
    {
      "name": "Vary Authorization on auth endpoints",
      "description": "At least one authenticated endpoint sets Vary: Authorization",
      "max_score": 10
    },
    {
      "name": "no-store on POST response",
      "description": "POST /api/me/api-keys response sets Cache-Control with 'no-store'",
      "max_score": 8
    },
    {
      "name": "no-cache vs no-store distinction correct",
      "description": "The agent does NOT use 'no-cache' alone on endpoints returning API keys, tokens, or credentials — 'no-store' is required for sensitive data. Using no-cache on the status or team endpoints is acceptable, but API keys MUST use no-store.",
      "max_score": 16
    }
  ]
}
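The checklist above states the expected headers in prose. The Python below is an added example, not part of the tessl-labs/http-caching-strategy tile: a header policy for the six routes named in the context and checklist, plus a scorer that applies the eight weighted checks to a map of responses, so an implementation can be graded offline. The sensitivity classes, the 30-second max-age for the status endpoint, the fail-closed default for unknown routes and all function names are assumptions of this example; only the routes, check names and weights come from the criteria file.

```python
# Added example for the scenario-4 checklist; not the tile's own code.
# Routes, check names and weights come from criteria.json; the policy
# classes, max-age value and function names are this example's assumptions.

AUTHENTICATED = [
    ("GET", "/api/me"),
    ("GET", "/api/me/team"),
    ("GET", "/api/me/usage"),
    ("GET", "/api/me/api-keys"),
    ("POST", "/api/me/api-keys"),
]

# Assumed sensitivity classes (not from the criteria file):
#   public     - unauthenticated, safe for shared caches
#   revalidate - per-user data a browser may keep if it revalidates first
#   secret     - account data or credentials that must never be written to a cache
POLICY = {
    ("GET", "/api/status"): "public",
    ("GET", "/api/me"): "secret",
    ("GET", "/api/me/team"): "revalidate",
    ("GET", "/api/me/usage"): "revalidate",
    ("GET", "/api/me/api-keys"): "secret",
    ("POST", "/api/me/api-keys"): "secret",
}


def cache_headers(method, path, public_max_age=30):
    """Headers the policy sets for one route. Unknown routes fail closed (no-store)."""
    cls = POLICY.get((method, path), "secret")
    if cls == "public":
        return {"Cache-Control": f"public, max-age={public_max_age}"}
    if cls == "revalidate":
        # The browser may keep a copy but must revalidate (e.g. via ETag) before
        # reusing it; 'private' stops CDNs and proxies from storing it at all.
        return {"Cache-Control": "private, no-cache", "Vary": "Authorization"}
    # no-store: no cache, shared or private, may write the body anywhere.
    return {"Cache-Control": "private, no-store", "Vary": "Authorization"}


def parse_cache_control(value):
    """Cache-Control directives as a dict, e.g. {'public': True, 'max-age': '30'}."""
    out = {}
    for token in value.split(","):
        name, _, arg = token.strip().partition("=")
        if name:
            out[name.strip().lower()] = arg.strip() or True
    return out


def _has(headers, *directives):
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    return all(d in cc for d in directives)


def score(responses):
    """Apply the weighted checklist to {(method, path): headers}.
    Returns (points, max_points, names_of_failed_checks)."""
    def h(method, path):
        return responses.get((method, path), {})

    status = h("GET", "/api/status")
    api_keys = [h("GET", "/api/me/api-keys"), h("POST", "/api/me/api-keys")]
    checks = [
        ("Cache-Control on public status endpoint", 12,
         _has(status, "public", "max-age") or _has(status, "no-cache")),
        ("no-store on user account endpoint", 16, _has(h("GET", "/api/me"), "no-store")),
        ("no-store on API keys endpoint", 16, _has(api_keys[0], "no-store")),
        ("private on all authenticated endpoints", 12,
         all(_has(h(m, p), "private") for m, p in AUTHENTICATED)),
        ("no-store on team and usage endpoints", 10,
         all(_has(h("GET", p), "no-store") or _has(h("GET", p), "private", "no-cache")
             for p in ("/api/me/team", "/api/me/usage"))),
        ("Vary Authorization on auth endpoints", 10,
         any("authorization" in h(m, p).get("Vary", "").lower() for m, p in AUTHENTICATED)),
        ("no-store on POST response", 8, _has(api_keys[1], "no-store")),
        # no-cache alone only forces revalidation; the body may still be written
        # to disk, so a credential response needs no-store whatever else is set.
        ("no-cache vs no-store distinction correct", 16,
         all(_has(r, "no-store") or not _has(r, "no-cache") for r in api_keys)),
    ]
    failed = [name for name, _, ok in checks if not ok]
    return sum(pts for _, pts, ok in checks if ok), sum(p for _, p, _ in checks), failed


def policy_responses():
    """Responses the policy above produces for every route in the scenario."""
    return {route: cache_headers(*route) for route in POLICY}


if __name__ == "__main__":
    print(score(policy_responses()))
    weak = policy_responses()
    # Constructed failure: revalidation only, so the key material can be cached.
    weak[("GET", "/api/me/api-keys")] = {"Cache-Control": "private, no-cache"}
    print(score(weak))
```

Swapping the API-keys response to 'private, no-cache' drops both the "no-store on API keys endpoint" and "no-cache vs no-store distinction correct" checks, which is the 32-point gap the checklist is designed to produce: a browser honouring no-cache may still write the key material to its disk cache and only promises to revalidate before reuse.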
