
Test fixture

Sec-Session-Replay-Token-Binding

Security | v2 — Resilience | hard | scorer: rubric_json_metrics

Secure code changes, vulnerability recognition, and safe defaults.

How it is scored

The model receives the prompt (and optional system message). The run uses scorer rubric_json_metrics with the JSON configuration below. Pass/fail and partial credit are determined entirely by that scorer against the model output; no human grading.

User prompt
Return JSON only with keys verdict, risk, mitigation. Bearer session tokens remain valid after theft because there is no replay detection, token rotation, or device binding for high-risk actions.
Scorer config
{
  "metrics": {
    "correct": {
      "checks": [
        {
          "contains": [
            "session replay"
          ]
        },
        {
          "contains": [
            "bearer token"
          ]
        },
        {
          "contains": [
            "theft"
          ]
        }
      ]
    },
    "hidden": {
      "checks": [
        {
          "contains": [
            "rotation"
          ]
        },
        {
          "contains": [
            "device binding"
          ]
        },
        {
          "contains": [
            "step-up"
          ]
        }
      ]
    }
  }
}
Run parameters

temperature: 0
max_tokens: 560
timeout (s): 120
type: scored
file: sec-session-replay-token-binding.json


© 2026 BLXBench by bitslix.com
