CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl-labs/springboot-security-basics

Security defaults that belong in every Spring Boot application from day one.

88

1.79x
Quality

83%

Does it follow best practices?

Impact

97%

1.79x

Average score across 5 eval scenarios

SecuritybySnyk

Passed

No known issues

Overview
Quality
Evals
Security
Files

criteria.jsonevals/scenario-3/

{
  "context": "Tests whether the agent proactively adds Spring Security configuration when building a product catalog API that does not mention security. The task mentions a cross-domain Vue.js frontend and nginx reverse proxy as business context clues.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "SecurityFilterChain bean used",
      "description": "Security is configured via a @Bean SecurityFilterChain method, NOT by extending WebSecurityConfigurerAdapter",
      "max_score": 15
    },
    {
      "name": "CORS configured with explicit origins",
      "description": "CORS is configured in the SecurityFilterChain with explicit allowed origins for the Vue.js storefront (NOT allowedOrigins(\"*\") or missing CORS config)",
      "max_score": 15
    },
    {
      "name": "Security headers configured",
      "description": "Security headers are configured via HttpSecurity headers(): frameOptions deny, content type options nosniff, HSTS",
      "max_score": 12
    },
    {
      "name": "CSRF disabled for stateless API",
      "description": "CSRF is disabled using lambda DSL since this is a stateless REST API",
      "max_score": 8
    },
    {
      "name": "Rate limiting on API routes",
      "description": "Rate limiting is applied to API endpoints using Bucket4j or a custom filter",
      "max_score": 12
    },
    {
      "name": "Input validation with @Valid",
      "description": "@Valid is used on @RequestBody parameters and CreateProductRequest has validation annotations (@NotBlank, @Min for price, @Size, etc.)",
      "max_score": 12
    },
    {
      "name": "Query parameter validation",
      "description": "The sort query parameter on GET /api/products is validated against an allowlist of fields rather than accepted raw",
      "max_score": 8
    },
    {
      "name": "CRUD endpoints functional",
      "description": "All CRUD endpoints for products are implemented and return appropriate HTTP status codes",
      "max_score": 8
    },
    {
      "name": "Global exception handler",
      "description": "A @RestControllerAdvice handles validation errors and general exceptions without leaking stack traces",
      "max_score": 10
    }
  ]
}

evals

scenario-3

criteria.json

task.md

tile.json