Domain 05 / 12

Cryptography & Transport security audit

Use strong, modern cryptography and lock down transport, cookies and security headers.

  • 54 checks
  • Passwords · CORS · CSP · Cookies · Headers · TLS · DNS

Run the audit See example checks

What securmyapp checks

Inside the Cryptography & Transport domain

This is the Cryptography & Transport domain of securmyapp — the free, open-source, 100% defensive security auditor for Claude Code that runs 598 checks across 12 domains. The Cryptography & Transport domain ensures secrets are protected in transit and at rest with modern primitives. securmyapp flags broken algorithms (MD5/SHA-1/DES/RC4), verifies password hashing with bcrypt/scrypt/Argon2, enforces AEAD encryption modes and CSPRNG randomness, and audits TLS configuration, HSTS, CORS, CSP, cookie flags and DNS hardening.

Coverage areas

54 atomic checks span these sub-domains.

  • Cryptography

    Approved algorithms, AEAD modes, secure random, key management.

  • Passwords

    bcrypt / scrypt / Argon2 hashing with salt and adequate cost.

  • TLS

    TLS 1.2+ only, strong ciphers, certificate validation, PFS.

  • Headers

    HSTS, CSP, X-Content-Type-Options and the security header set.

  • CORS & cookies

    Strict CORS policy and Secure/HttpOnly/SameSite cookies.

  • Cache, CDN & DNS

    Cache-control hygiene and DNS/CDN hardening.

Example checks

A sample of the real checks run in this domain — each mapped to a standard and a fix.

Example Cryptography & Transport security checks with severity, what they detect, and their standard reference.
CheckSeverityDetectsReference
Password hashing (bcrypt/argon2)CriticalWeak or missing password hashing — mass compromise on leak.CWE-916 · A02:2021 · ASVS V6
Approved cryptographic algorithmsHighBroken crypto: MD5, SHA-1, DES or RC4.CWE-327 · A02:2021
Secure encryption modes (AEAD)HighECB mode or reused IVs that leak plaintext structure.CWE-327 · ASVS V11
Secure random generationHighPredictable tokens from a weak PRNG (e.g. Math.random).CWE-338 · ASVS V11
TLS configuration (versions)HighObsolete SSLv3 / TLS 1.0 / 1.1 enabling downgrade & MITM.ASVS V12 · CIS · WSTG-CRYP-01
Forced HTTP→HTTPS redirectionHighCleartext traffic without redirection and HSTS.CWE-319 · ASVS V12

Vulnerabilities we catch

  • Passwords stored with weak or no hashing
  • Broken algorithms (MD5/SHA-1/DES/RC4) and home-grown crypto
  • ECB mode, reused IVs and non-constant-time secret comparison
  • Predictable tokens from insecure random generation
  • Obsolete TLS versions, weak ciphers and invalid certificates
  • Missing HSTS, permissive CORS and unprotected cookies

How remediation works and standards

Detect → explain → fix → verify

How remediation works here

Every finding in this domain is explained in plain language with its reference, fixed with a concrete change to the exact file and line, committed as a reversible Git commit, then re-checked in a real browser against a healthy baseline — so a security fix never breaks your app.

Standards behind this domain

Mapped to recognized references

  • OWASP WSTG
  • OWASP ASVS 5.0
  • OWASP API Top 10
  • OWASP MASVS 2.1
  • CIS Benchmarks
  • MITRE ATT&CK
  • CWE

FAQ

Cryptography & Transport — questions & answers

How does it check password storage?

It verifies passwords are hashed with bcrypt, scrypt or Argon2, using a salt and an appropriate cost factor — and flags plaintext storage or fast, unsuitable hashes like MD5/SHA-1.

Does it audit TLS and security headers?

Yes. It checks TLS 1.2+ enforcement, strong cipher suites, certificate validity and Perfect Forward Secrecy, plus HSTS, CSP, CORS policy and cookie flags on the running app.

What about weak randomness?

It flags non-cryptographic PRNGs (such as Math.random) used for tokens or secrets, and requires a CSPRNG so tokens cannot be predicted.

Get started

Audit your app in the next five minutes

Install the plugin in Claude Code, then type /securmyapp in your project. The full audit starts on its own.

Claude Code — one-time setup
/plugin marketplace add mafady/securmyapp
/plugin install securmyapp@mafady-security
/reload-plugins

View on GitHub Browse the domains

Requires Node.js 18+, Claude Code, and a paid Claude subscription. Semgrep & Playwright recommended.