Security defaults that belong in every Spring Boot application from day one.
1.79x average score across 5 eval scenarios. Passed, no known issues.
{
  "context": "Tests whether the agent proactively adds Spring Security configuration when building a task tracker API that does not mention security. The task mentions a cross-domain React frontend as a business context clue.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "SecurityFilterChain bean used",
      "description": "Security is configured via a @Bean SecurityFilterChain method using lambda DSL, NOT by extending WebSecurityConfigurerAdapter",
      "max_score": 15
    },
    {
      "name": "CORS configured with explicit origins",
      "description": "CORS is configured in the SecurityFilterChain with explicit allowed origins for the React frontend (NOT allowedOrigins(\"*\"))",
      "max_score": 15
    },
    {
      "name": "Security headers configured",
      "description": "Security headers configured via HttpSecurity headers(): frameOptions deny, content type options, HSTS",
      "max_score": 12
    },
    {
      "name": "CSRF disabled for stateless API",
      "description": "CSRF is disabled using lambda DSL for this stateless REST API",
      "max_score": 8
    },
    {
      "name": "Rate limiting on API routes",
      "description": "Rate limiting is applied to API endpoints using Bucket4j or a custom filter",
      "max_score": 10
    },
    {
      "name": "Input validation with @Valid",
      "description": "@Valid on @RequestBody parameters and CreateTaskRequest has validation annotations (@NotBlank for title, valid enum for priority)",
      "max_score": 12
    },
    {
      "name": "Query parameter validation",
      "description": "Query parameters (status, assignee) are validated before use rather than passed through raw",
      "max_score": 8
    },
    {
      "name": "Global exception handler",
      "description": "A @RestControllerAdvice handles validation errors and general exceptions without leaking stack traces",
      "max_score": 10
    },
    {
      "name": "CRUD endpoints functional",
      "description": "All task CRUD endpoints are implemented with appropriate HTTP status codes",
      "max_score": 5
    },
    {
      "name": "Lambda DSL throughout",
      "description": "All HttpSecurity configuration uses lambda DSL style, not deprecated chaining",
      "max_score": 5
    }
  ]
}