Domain 05 / 12
Cryptography & Transport security audit
Use strong, modern cryptography and lock down transport, cookies and security headers.
- 54 checks
- Passwords · CORS · CSP · Cookies · Headers · TLS · DNS
What securmyapp checks
Inside the Cryptography & Transport domain
This is the Cryptography & Transport domain of securmyapp — the free, open-source, 100% defensive security auditor for Claude Code that runs 598 checks across 12 domains. The Cryptography & Transport domain ensures secrets are protected in transit and at rest with modern primitives. securmyapp flags broken algorithms (MD5/SHA-1/DES/RC4), verifies password hashing with bcrypt/scrypt/Argon2, enforces AEAD encryption modes and CSPRNG randomness, and audits TLS configuration, HSTS, CORS, CSP, cookie flags and DNS hardening.
Coverage areas
54 atomic checks span these sub-domains.
Cryptography
Approved algorithms, AEAD modes, secure random, key management.
Passwords
bcrypt / scrypt / Argon2 hashing with salt and adequate cost.
TLS
TLS 1.2+ only, strong ciphers, certificate validation, PFS.
Headers
HSTS, CSP, X-Content-Type-Options and the security header set.
CORS & cookies
Strict CORS policy and Secure/HttpOnly/SameSite cookies.
Cache, CDN & DNS
Cache-control hygiene and DNS/CDN hardening.
Example checks
A sample of the real checks run in this domain — each mapped to a standard and a fix.
| Check | Severity | Detects | Reference |
|---|---|---|---|
| Password hashing (bcrypt/argon2) | Critical | Weak or missing password hashing — mass compromise on leak. | CWE-916 · A02:2021 · ASVS V6 |
| Approved cryptographic algorithms | High | Broken crypto: MD5, SHA-1, DES or RC4. | CWE-327 · A02:2021 |
| Secure encryption modes (AEAD) | High | ECB mode or reused IVs that leak plaintext structure. | CWE-327 · ASVS V11 |
| Secure random generation | High | Predictable tokens from a weak PRNG (e.g. Math.random). | CWE-338 · ASVS V11 |
| TLS configuration (versions) | High | Obsolete SSLv3 / TLS 1.0 / 1.1 enabling downgrade & MITM. | ASVS V12 · CIS · WSTG-CRYP-01 |
| Forced HTTP→HTTPS redirection | High | Cleartext traffic without redirection and HSTS. | CWE-319 · ASVS V12 |
Vulnerabilities we catch
- Passwords stored with weak or no hashing
- Broken algorithms (MD5/SHA-1/DES/RC4) and home-grown crypto
- ECB mode, reused IVs and non-constant-time secret comparison
- Predictable tokens from insecure random generation
- Obsolete TLS versions, weak ciphers and invalid certificates
- Missing HSTS, permissive CORS and unprotected cookies
How remediation works and standards
Detect → explain → fix → verify
How remediation works here
Every finding in this domain is explained in plain language with its reference, fixed with a concrete change to the exact file and line, committed as a reversible Git commit, then re-checked in a real browser against a healthy baseline — so a security fix never breaks your app.
Standards behind this domain
Mapped to recognized references
- OWASP WSTG
- OWASP ASVS 5.0
- OWASP API Top 10
- OWASP MASVS 2.1
- CIS Benchmarks
- MITRE ATT&CK
- CWE
FAQ
Cryptography & Transport — questions & answers
How does it check password storage?
It verifies passwords are hashed with bcrypt, scrypt or Argon2, using a salt and an appropriate cost factor — and flags plaintext storage or fast, unsuitable hashes like MD5/SHA-1.
Does it audit TLS and security headers?
Yes. It checks TLS 1.2+ enforcement, strong cipher suites, certificate validity and Perfect Forward Secrecy, plus HSTS, CSP, CORS policy and cookie flags on the running app.
What about weak randomness?
It flags non-cryptographic PRNGs (such as Math.random) used for tokens or secrets, and requires a CSPRNG so tokens cannot be predicted.
Related domains
Get started
Audit your app in the next five minutes
Install the plugin in Claude Code, then type /securmyapp in your project. The full audit starts on its own.
/plugin marketplace add mafady/securmyapp
/plugin install securmyapp@mafady-security
/reload-plugins
View on GitHub Browse the domains
Requires Node.js 18+, Claude Code, and a paid Claude subscription. Semgrep & Playwright recommended.