
tessl-labs/springboot-security-basics

Security defaults that belong in every Spring Boot application from day one.

Score: 88
1.79x
Quality: 83% (Does it follow best practices?)
Impact: 97%, 1.79x
Average score across 5 eval scenarios
Security by Snyk: Passed, no known issues


File: evals/scenario-1/criteria.json

{
  "context": "Tests whether the agent proactively adds Spring Security configuration when building a blog API. The task mentions a cross-domain Next.js frontend and Kubernetes deployment as business context but does not ask for security hardening.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "SecurityFilterChain bean used",
      "description": "Security is configured via a @Bean SecurityFilterChain method using lambda DSL, NOT by extending WebSecurityConfigurerAdapter",
      "max_score": 15
    },
    {
      "name": "CORS configured with explicit origins",
      "description": "CORS is configured in the SecurityFilterChain with explicit allowed origins for the Next.js frontend (NOT allowedOrigins(\"*\"))",
      "max_score": 15
    },
    {
      "name": "Security headers configured",
      "description": "Security headers configured via HttpSecurity: frameOptions deny, content type options, HSTS with includeSubDomains",
      "max_score": 12
    },
    {
      "name": "CSRF disabled for stateless API",
      "description": "CSRF is disabled using lambda DSL csrf(csrf -> csrf.disable()) for this stateless API",
      "max_score": 8
    },
    {
      "name": "Rate limiting present",
      "description": "Rate limiting is applied to API endpoints via Bucket4j filter or equivalent",
      "max_score": 10
    },
    {
      "name": "Input validation with @Valid",
      "description": "@Valid on @RequestBody parameters and DTOs have validation annotations (@NotBlank, @Size for title/content)",
      "max_score": 12
    },
    {
      "name": "Global exception handler safe",
      "description": "GlobalExceptionHandler handles MethodArgumentNotValidException and general exceptions without leaking stack traces",
      "max_score": 10
    },
    {
      "name": "Slug validation",
      "description": "The slug path parameter is validated or sanitized before use",
      "max_score": 8
    },
    {
      "name": "CRUD endpoints functional",
      "description": "Blog CRUD endpoints are implemented with appropriate HTTP status codes",
      "max_score": 5
    },
    {
      "name": "Error stack traces not exposed",
      "description": "server.error.include-stacktrace=never is set or equivalent config prevents trace exposure",
      "max_score": 5
    }
  ]
}
