
tessl/npm-koa-helmet

Security header middleware collection for Koa applications that wraps Helmet.js


evals/scenario-6/rubric.json

{
  "context": "This evaluation assesses how effectively the engineer uses koa-helmet to implement per-route security configurations. The focus is on proper usage of helmet middleware functions with appropriate options for different security tiers.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Route-specific helmet application",
      "description": "Uses helmet() middleware separately for each route group (/public/*, /api/*, /admin/*) with distinct configurations rather than applying a single global configuration",
      "max_score": 25
    },
    {
      "name": "CSP configuration",
      "description": "Properly configures helmet.contentSecurityPolicy() or helmet() with contentSecurityPolicy options for each route: public routes allow imgSrc from any domain and unsafe-inline in styleSrc; api routes use strict self-only directives; admin routes use strict self-only with no unsafe sources",
      "max_score": 25
    },
    {
      "name": "HSTS configuration",
      "description": "Correctly configures helmet.hsts() or helmet() with hsts options for each route with appropriate maxAge values: public routes use 7776000 seconds; api routes use 15552000 seconds with includeSubDomains; admin routes use 31536000 seconds with includeSubDomains and preload enabled",
      "max_score": 20
    },
    {
      "name": "Frameguard configuration",
      "description": "Properly configures helmet.frameguard() or helmet() with frameguard options: public routes use action 'sameorigin'; api and admin routes use action 'deny'",
      "max_score": 15
    },
    {
      "name": "Additional security policies",
      "description": "Configures additional security middlewares for admin routes: helmet.referrerPolicy() with policy 'no-referrer' and helmet.crossOriginOpenerPolicy() with policy 'same-origin'; configures helmet.dnsPrefetchControl() with allow false for api routes",
      "max_score": 10
    },
    {
      "name": "Koa integration",
      "description": "Correctly integrates helmet middleware into Koa using app.use() and properly chains with koa-router for route-specific application, ensuring middleware is applied in the correct order",
      "max_score": 5
    }
  ]
}

Install with Tessl CLI

npx tessl i tessl/npm-koa-helmet
