Security header middleware collection for Koa applications that wraps Helmet.js
```json
{
  "context": "This criterion evaluates how well the engineer uses koa-helmet's Content Security Policy (CSP) functionality to configure security headers. The focus is on proper usage of helmet.contentSecurityPolicy() with appropriate directive configurations to meet the specified security requirements.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Uses helmet.contentSecurityPolicy",
      "description": "Solution imports and uses the helmet.contentSecurityPolicy() method to configure CSP headers",
      "max_score": 20
    },
    {
      "name": "Configures defaultSrc directive",
      "description": "Sets defaultSrc to [\"'self'\"] in the directives configuration object",
      "max_score": 10
    },
    {
      "name": "Configures scriptSrc directive",
      "description": "Sets scriptSrc to include \"'self'\" and \"https://cdn.example.com\" (or cdn.example.com) in the directives configuration",
      "max_score": 15
    },
    {
      "name": "Configures imgSrc directive",
      "description": "Sets imgSrc to allow all sources using [\"*\"] in the directives configuration",
      "max_score": 10
    },
    {
      "name": "Configures styleSrc directive",
      "description": "Sets styleSrc to include \"'self'\" and \"'unsafe-inline'\" in the directives configuration",
      "max_score": 15
    },
    {
      "name": "Configures objectSrc directive",
      "description": "Sets objectSrc to [\"'none'\"] to block all object embeds in the directives configuration",
      "max_score": 10
    },
    {
      "name": "Configures connectSrc directive",
      "description": "Sets connectSrc to include \"'self'\" and \"https://api.example.com\" (or api.example.com) in the directives configuration",
      "max_score": 15
    },
    {
      "name": "Returns Koa middleware",
      "description": "The function returns the result of helmet.contentSecurityPolicy(), which is a valid Koa middleware function",
      "max_score": 5
    }
  ]
}
```

Install with Tessl CLI
npx tessl i tessl/npm-koa-helmetdocs
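As an added example (not part of this eval page and not koa-helmet's own code), the directive set the checklist above describes, a serializer that renders it to the header value a browser receives, a parser for the reverse direction, and an audit that flags the points a reviewer would raise against the resulting policy. The names buildCspDirectives, serializeCsp, parseCsp and auditCsp are this example's own; the koa-helmet wiring is shown only in a comment so the file runs without the package installed.

```javascript
// Added example, not koa-helmet's code. Assumed names: buildCspDirectives,
// serializeCsp, parseCsp, auditCsp.

// Directive object in the shape helmet.contentSecurityPolicy() expects:
// camelCase keys, each an array of source expressions. Keyword sources
// ('self', 'none', 'unsafe-inline') keep their single quotes inside the string.
function buildCspDirectives() {
  return {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'", "https://cdn.example.com"],
    imgSrc: ["*"],
    styleSrc: ["'self'", "'unsafe-inline'"],
    objectSrc: ["'none'"],
    connectSrc: ["'self'", "https://api.example.com"],
  };
}

// Wire-up in a Koa app (left as a comment so this file runs offline):
//   const Koa = require("koa");
//   const helmet = require("koa-helmet");
//   const app = new Koa();
//   app.use(helmet.contentSecurityPolicy({ directives: buildCspDirectives() }));

// Render the directive object to a Content-Security-Policy header value in the
// "directive-name source source; directive-name ..." form the CSP spec defines.
// This is the example's own serializer, used for inspection and tests, not
// Helmet's internal one.
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => {
      const kebab = name.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
      return `${kebab} ${sources.join(" ")}`;
    })
    .join("; ");
}

// Parse a header value back into { "default-src": [...], ... } so a policy
// captured from a live response can be audited like the config object.
function parseCsp(header) {
  const out = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    out[name.toLowerCase()] = sources;
  }
  return out;
}

// Audit a parsed policy. Fetch directives fall back to default-src when
// absent, which is how browsers resolve them. Returns a list of findings;
// an empty list means nothing was flagged.
function auditCsp(parsed) {
  const findings = [];
  const get = (d) => parsed[d] || parsed["default-src"] || [];
  if (!parsed["object-src"] || !parsed["object-src"].includes("'none'")) {
    findings.push("object-src should be 'none' to block plugin embeds");
  }
  if (get("script-src").includes("'unsafe-inline'")) {
    findings.push("script-src allows 'unsafe-inline' (inline scripts, XSS-friendly)");
  }
  if (get("script-src").includes("*")) {
    findings.push("script-src allows any host");
  }
  if (get("style-src").includes("'unsafe-inline'")) {
    findings.push("style-src allows 'unsafe-inline' (CSS injection remains possible)");
  }
  if (get("img-src").includes("*")) {
    findings.push("img-src allows any host ('*' still excludes data: and blob: URLs)");
  }
  return findings;
}
```

Running auditCsp over the checklist's own policy returns two findings, style-src 'unsafe-inline' and img-src *. Both are exactly what the checklist asks for, so a solution with them passes the eval, but they are real trade-offs: inline styles leave CSS injection open, and a wildcard image source allows any network host (not data: or blob: URLs, which must be listed explicitly if needed). An absent object-src falls back to default-src, here 'self', which would still permit same-origin plugin content; that is why the checklist wants an explicit 'none'. Note also that recent Helmet versions merge their default directives (base-uri, form-action, frame-ancestors and others) into the policy unless useDefaults is set to false, so the header the app actually emits carries more directives than the six configured above.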