
tessl-labs/springboot-security-basics

Security defaults that belong in every Spring Boot application from day one.

88

Quality: 83% (Does it follow best practices?)

Impact: 97%

1.79x average score across 5 eval scenarios

Security by Snyk: Passed (no known issues)


evals/scenario-2/criteria.json

{
  "context": "Tests whether the agent proactively applies comprehensive Spring Security when building a booking system with authentication. The task mentions user auth and admin roles but does not explicitly ask for security hardening measures like rate limiting, security headers, or BCrypt.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "SecurityFilterChain bean used",
      "description": "Security is configured via a @Bean SecurityFilterChain method using lambda DSL, NOT by extending WebSecurityConfigurerAdapter",
      "max_score": 10
    },
    {
      "name": "CORS configured with explicit origins",
      "description": "CORS is configured in SecurityFilterChain with explicit allowed origins for the Angular frontend (NOT allowedOrigins(\"*\"))",
      "max_score": 10
    },
    {
      "name": "BCryptPasswordEncoder for passwords",
      "description": "A PasswordEncoder bean (BCryptPasswordEncoder) is defined and used to hash passwords on registration and verify on login. Passwords never stored in plain text.",
      "max_score": 15
    },
    {
      "name": "CSRF disabled for stateless API",
      "description": "CSRF disabled using lambda DSL for this stateless REST API",
      "max_score": 6
    },
    {
      "name": "Rate limiting on auth endpoints",
      "description": "Rate limiting is applied with stricter limits on auth endpoints (login, register) to prevent brute force",
      "max_score": 12
    },
    {
      "name": "Security headers configured",
      "description": "Security headers configured: frameOptions deny, content type options, HSTS",
      "max_score": 8
    },
    {
      "name": "Input validation with @Valid",
      "description": "@Valid on @RequestBody parameters with validation annotations on DTOs",
      "max_score": 10
    },
    {
      "name": "Role-based access control",
      "description": "Admin endpoints (/api/admin/**) are protected with role-based access via authorizeHttpRequests or @PreAuthorize",
      "max_score": 10
    },
    {
      "name": "Password not in responses",
      "description": "User responses do not include the password or password hash in JSON",
      "max_score": 7
    },
    {
      "name": "Booking ownership enforcement",
      "description": "DELETE /api/bookings/{id} verifies the current user owns the booking or has admin role before allowing cancellation",
      "max_score": 6
    },
    {
      "name": "Global exception handler",
      "description": "Exception handler returns safe error responses without leaking stack traces",
      "max_score": 6
    }
  ]
}
