Security defaults that belong in every Spring Boot application from day one.
88
83%
Does it follow best practices?
Impact
97%
1.79x average score across 5 eval scenarios
Passed
No known issues
{
  "context": "Tests whether the agent proactively applies Spring Security best practices when building a user management API. The task mentions a cross-domain React SPA and load balancer as business context clues but does not explicitly ask for security hardening.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "SecurityFilterChain bean used",
      "description": "Security is configured via a @Bean SecurityFilterChain method, NOT by extending WebSecurityConfigurerAdapter",
      "max_score": 12
    },
    {
      "name": "CORS configured with explicit origins",
      "description": "CORS is configured in the SecurityFilterChain with explicit allowed origins for the React SPA (NOT allowedOrigins(\"*\") or no CORS config)",
      "max_score": 12
    },
    {
      "name": "BCryptPasswordEncoder for passwords",
      "description": "A PasswordEncoder bean (BCryptPasswordEncoder) is defined and used to hash passwords on registration and verify on login. Passwords are never stored in plain text.",
      "max_score": 15
    },
    {
      "name": "CSRF disabled for stateless API",
      "description": "CSRF is disabled using lambda DSL csrf(csrf -> csrf.disable()) since this is a stateless API",
      "max_score": 8
    },
    {
      "name": "Rate limiting on auth endpoints",
      "description": "Rate limiting is applied to auth endpoints (login, register) to prevent brute force attacks",
      "max_score": 10
    },
    {
      "name": "Security headers configured",
      "description": "Security headers are configured in HttpSecurity: frameOptions deny, content type options, HSTS",
      "max_score": 10
    },
    {
      "name": "Input validation with @Valid",
      "description": "@Valid is used on @RequestBody parameters and DTOs have validation annotations (@NotBlank, @Email, @Size)",
      "max_score": 10
    },
    {
      "name": "Role-based access control",
      "description": "Admin endpoints are protected with role-based access (via authorizeHttpRequests or @PreAuthorize) so only ADMIN users can access /api/users list and delete",
      "max_score": 8
    },
    {
      "name": "Password not in responses",
      "description": "User responses do not include the password or password hash in JSON response bodies",
      "max_score": 8
    },
    {
      "name": "Global exception handler",
      "description": "A @RestControllerAdvice or equivalent handles exceptions and never leaks stack traces to the client",
      "max_score": 7
    }
  ]
}
evals
scenario-1
scenario-2
scenario-3
scenario-4
scenario-5
skills
springboot-security-basics
verifiers