A02: Cryptographic Failures
As a full stack developer, I try my best to make my web apps scalable and secure. The security of a web app not only reflects its ability to withstand attacks; working on it also shows how different domains of knowledge and skill intersect at many stages of the development journey.
Enforcing HTTPS
In OWASP A02 (Cryptographic Failures), I explored how to perform vulnerability remediation and apply fixes. The enforcement of HTTPS, proper TLS usage, encryption of data, and secure hashing methods are all part of this A02 practice.
I started exploring and found out about the express-sslify module, which helps enforce HTTPS so that requests sent by clients are only accepted over HTTPS, responding with a 301 redirect if not.
I used the module in my server file:
const express = require('express');
const enforce = require('express-sslify');
const app = express();

// Trust the X-Forwarded-* headers set by the single proxy hop in front of the app.
app.set('trust proxy', 1);
This tells Express to trust the X-Forwarded-* headers added by the first proxy hop in front of it. We need this because deployment platforms (CaaS) like Render, which I used, put a reverse proxy such as Nginx or Cloudflare in front of the app. The proxy terminates TLS: the client talks HTTPS to the proxy, while the Node.js process behind it only listens on plain HTTP and receives the forwarded request. The only record of the scheme the client originally used is therefore the X-Forwarded-Proto header the proxy adds.
if (process.env.NODE_ENV === 'production') {
app.use(enforce.HTTPS({ trustProtoHeader: true }));
}
With this code, HTTPS is enforced in production. With trustProtoHeader set, the middleware reads X-Forwarded-Proto to learn which scheme the client used; if the original request was not HTTPS, it issues a 301 redirect to the same URL on https://. The check is skipped outside production so that local development over plain HTTP keeps working.
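To make that decision concrete, here is an added example written for this page (it is not express-sslify's code or the project's own) that reproduces the same check in plain Node.js, without Express, so it can be run against constructed request objects. The request shape, the `decide` helper and the sample host name are assumptions for illustration; the 403 for non-GET methods follows the same approach express-sslify takes, since redirecting a POST would turn it into a GET after its body already crossed the wire in the clear.

```javascript
// Added example (not express-sslify's or the project's code): the redirect
// decision a TLS-enforcing middleware makes behind a reverse proxy, as a
// pure function so it can be exercised with constructed request objects.
// Assumed request shape: { method, url, secure, headers: { host, 'x-forwarded-proto' } }.

function clientScheme(req, trustProtoHeader) {
  // Behind Render/Cloudflare the Node process only ever sees plain HTTP, so
  // the proxy's X-Forwarded-Proto header is the only record of the scheme the
  // browser used. Only honour it when a proxy we control is guaranteed to be
  // the one setting it (see the spoofing case at the bottom).
  if (trustProtoHeader && req.headers['x-forwarded-proto']) {
    // Chained proxies may append values ("https, http"); the first entry is
    // the hop closest to the client.
    return req.headers['x-forwarded-proto'].split(',')[0].trim().toLowerCase();
  }
  // No trusted header: fall back to whether this socket itself is TLS.
  return req.secure ? 'https' : 'http';
}

function decide(req, { trustProtoHeader = false } = {}) {
  if (clientScheme(req, trustProtoHeader) === 'https') {
    return { action: 'next' };
  }
  const method = (req.method || 'GET').toUpperCase();
  if (method === 'GET' || method === 'HEAD') {
    // Permanent redirect to the same path on https://, which is what the
    // curl -I check on this page shows coming back from the deployment.
    return {
      action: 'redirect',
      status: 301,
      location: 'https://' + req.headers.host + req.url,
    };
  }
  // A POST/PUT body has already been sent in the clear, and a 301 would turn
  // the request into a GET; refuse instead of pretending a redirect fixes it.
  return { action: 'forbid', status: 403 };
}

// Express-style middleware wrapper around the decision above.
function enforceHttps(options) {
  return function (req, res, next) {
    const d = decide(req, options);
    if (d.action === 'next') return next();
    if (d.action === 'redirect') return res.redirect(d.status, d.location);
    return res.status(d.status).send('Please use HTTPS when submitting data to this server.');
  };
}

// Constructed requests (no network involved): what the proxy forwards for a
// plain-HTTP visit, for an HTTPS visit, and the same header sent by a client
// that reached the Node port directly, bypassing the proxy.
const viaProxyHttp = {
  method: 'GET', url: '/profile/getProfiles', secure: false,
  headers: { host: 'alphaconnecthub.onrender.com', 'x-forwarded-proto': 'http' },
};
const viaProxyHttps = { ...viaProxyHttp, headers: { ...viaProxyHttp.headers, 'x-forwarded-proto': 'https' } };
const spoofed = { ...viaProxyHttps };

console.log(decide(viaProxyHttp, { trustProtoHeader: true }).action);   // redirect
console.log(decide(viaProxyHttps, { trustProtoHeader: true }).action);  // next
console.log(decide(spoofed, { trustProtoHeader: true }).action);        // next: header believed
console.log(decide(spoofed, { trustProtoHeader: false }).action);       // redirect: header ignored
```

The last two lines are the caveat that comes with trustProtoHeader: true. Any client that can reach the Node process directly can send its own X-Forwarded-Proto: https on a plain-HTTP connection and skip the redirect, so the application port must only be reachable through the proxy that overwrites that header.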
Checking With curl -I
curl -I http://alphaconnecthub.onrender.com/profile/getProfiles
Response:
HTTP/1.1 301 Moved Permanently
Date: Thu, 04 Sep 2025 21:47:14 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Location: https://alphaconnecthub.onrender.com/profile/getProfiles
cf-cache-status: DYNAMIC
Server: cloudflare
Using Argon2 Over BcryptJS for Better Hashing
For password hashing, I used Argon2 instead of BcryptJS:
const argon2 = require('argon2');

// Argon2id with 64 MiB of memory (memoryCost is in KiB), 3 passes and one lane.
// The library generates a random salt and stores it, together with these
// parameters, inside the returned hash string.
const hashedPassword = await argon2.hash(password, {
  type: argon2.argon2id,
  memoryCost: 2 ** 16,
  timeCost: 3,
  parallelism: 1,
});
Why Argon2?
- OWASP recommends Argon2 as one of the strongest password-hashing algorithms.
- It is memory-hard (resistant to GPU/ASIC brute-force attacks).
- It provides stronger defense against modern cracking attempts compared to Bcrypt.
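One thing the parameters above buy you is that they travel with the hash, so a login handler can notice when a stored password was hashed under weaker settings and rehash it. The following is an added example written for this page (not the argon2 package's code or the project's own): it parses the hash string format the argon2 package stores, compares it with the policy from the hash call above, and shows the rehash-on-login flow with the argon2 module injected so the logic runs without a database. The hash strings are constructed; their salt and digest fields are not real output, and `needsRehash` here deliberately flags only hashes weaker than the policy, which is an assumption (the package's own needsRehash() reports any parameter difference).

```javascript
// Added example (written for this page, not the argon2 package's or the
// project's code): the cost parameters are stored inside the hash string the
// library returns, so a login handler can read them back and rehash passwords
// stored under weaker settings than the current policy.

// Policy matching the hash call above (memoryCost is in KiB: 65536 = 64 MiB).
const POLICY = { type: 'argon2id', memoryCost: 2 ** 16, timeCost: 3, parallelism: 1 };

// Parse the PHC-style string "$argon2id$v=19$m=65536,t=3,p=1$<salt>$<digest>".
function parseArgon2(encoded) {
  const parts = encoded.split('$');
  if (parts.length !== 6 || parts[0] !== '') return null;
  const [, type, version, params, salt, digest] = parts;
  if (!/^argon2(id|i|d)$/.test(type) || !/^v=\d+$/.test(version)) return null;
  const costs = {};
  for (const item of params.split(',')) {
    const [key, value] = item.split('=');
    if (!/^\d+$/.test(value || '')) return null;
    costs[key] = Number(value);
  }
  if (!('m' in costs && 't' in costs && 'p' in costs)) return null;
  return {
    type,
    version: Number(version.slice(2)),
    memoryCost: costs.m,
    timeCost: costs.t,
    parallelism: costs.p,
    salt,
    digest,
  };
}

// True when the stored value is not Argon2 at all (e.g. a bcrypt "$2b$" hash
// left over from before the migration), is a different variant, or used less
// memory or fewer passes than the policy demands. Assumption: "weaker than
// policy" rather than "any difference".
function needsRehash(encoded, policy = POLICY) {
  const stored = parseArgon2(encoded);
  if (stored === null) return true;
  return stored.type !== policy.type
    || stored.memoryCost < policy.memoryCost
    || stored.timeCost < policy.timeCost;
}

// Rehash-on-login: verify against whatever is stored, then upgrade the record
// while the plaintext password is legitimately in hand. The argon2 module and
// the persistence callback are injected so the flow can run without a database.
async function verifyAndUpgrade(argon2, storedHash, password, saveHash) {
  const ok = await argon2.verify(storedHash, password);
  if (!ok) return false;
  if (needsRehash(storedHash)) {
    await saveHash(await argon2.hash(password, { ...POLICY, type: argon2.argon2id }));
  }
  return true;
}

// Constructed sample strings (salt/digest fields are placeholder base64, not real hashes).
const CURRENT_HASH = '$argon2id$v=19$m=65536,t=3,p=1$c2FsdHNhbHRzYWx0c2FsdA$ZGlnZXN0ZGlnZXN0ZGlnZXN0ZGlnZXN0ZGlnZXN0ZGlnZXN0';
const LEGACY_HASH = '$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0c2FsdA$ZGlnZXN0ZGlnZXN0ZGlnZXN0ZGlnZXN0ZGlnZXN0ZGlnZXN0';
const BCRYPT_HASH = '$2b$10$constructedbcryptstringnotrealoutput';

console.log(needsRehash(CURRENT_HASH)); // false
console.log(needsRehash(LEGACY_HASH));  // true: argon2i with 4 MiB
console.log(needsRehash(BCRYPT_HASH));  // true: not Argon2 at all
```

Raising `POLICY.memoryCost` later is enough to make every older hash report `true` on the next successful login, which is how a cost increase rolls out without forcing password resets.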
Why Not Scrypt?
During my exploration of hashing methods, I also came across scrypt. It is a memory-hard algorithm and is even used in some cryptocurrencies like Litecoin and Dogecoin because of its ability to make large-scale hardware attacks expensive. Scrypt is definitely stronger than older methods like Bcrypt in many cases.
But when I compared it with Argon2, I found that Argon2 is the more modern and recommended option. Argon2 was the winner of the Password Hashing Competition and is recommended by OWASP and NIST. It gives better protection against side-channel attacks and has more flexible settings like memory usage, time cost, and parallelism.
So while scrypt is still secure, I decided to use Argon2 in my project because it is the latest best practice for password hashing and aligns with security standards.
Hiding Auth Token Names (Cookies) in Environment Variables
I put the cookie/token names in the .env file and read them when issuing and storing auth tokens, so they are not hardcoded in the source. Keep in mind that a cookie name is still visible to the browser (and to anyone inspecting a logged-in session) in the Set-Cookie header, so this is configuration hygiene rather than a secret; the protection for the token itself has to come from the cookie attributes.
Enabling HTTP-Only Flag in Cookies
Finally, I enabled the HttpOnly flag when setting cookies. This blocks access through document.cookie, so a script injected via XSS cannot read the session token and send it elsewhere. It does not stop such a script from making requests that the browser will still attach the cookie to, so HttpOnly belongs together with the Secure flag (the cookie is only ever sent over HTTPS, which is the A02 concern) and a SameSite value.
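To tie the last two sections together, here is an added example written for this page (not the project's code) that builds the Set-Cookie header for the auth token with the cookie name taken from the environment, and an audit helper that reports which protective attributes a Set-Cookie value captured with curl -I is missing. AUTH_COOKIE_NAME, its fallback and the token values are assumed or constructed for illustration.

```javascript
// Added example (not the project's code): building and auditing the
// Set-Cookie header for the auth token. AUTH_COOKIE_NAME and its fallback
// are assumed names; token values are constructed.

const COOKIE_NAME = process.env.AUTH_COOKIE_NAME || 'session';

// RFC 6265 cookie-octet: printable ASCII without control characters, space,
// double quote, comma, semicolon or backslash. Base64 and JWT tokens fit;
// anything else could smuggle extra attributes into the header.
const COOKIE_OCTETS = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

function buildSessionCookie(name, token, { maxAgeSeconds = 3600, sameSite = 'Lax' } = {}) {
  if (!COOKIE_OCTETS.test(token)) {
    throw new Error('token contains characters not allowed in a cookie value');
  }
  return [
    `${name}=${token}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',              // document.cookie cannot read it, so XSS cannot exfiltrate it
    'Secure',                // never sent over plain http://, so the token is not in the clear
    `SameSite=${sameSite}`,  // not attached to most cross-site requests
  ].join('; ');
}

// Audit one Set-Cookie value (e.g. copied from `curl -I` output) and return
// the protective attributes it lacks; an empty array means it passes.
function auditSetCookie(headerValue) {
  const attrs = headerValue.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.some((a) => a.startsWith('samesite='))) missing.push('SameSite');
  return missing;
}

// In Express the same header is produced by
//   res.cookie(COOKIE_NAME, token, { httpOnly: true, secure: true, sameSite: 'lax', maxAge: 3600 * 1000 });
// (Express's maxAge is in milliseconds.)

// Constructed token, not a real credential.
const demo = buildSessionCookie(COOKIE_NAME, 'eyJhbGciOiJIUzI1NiJ9.e30.constructed', { maxAgeSeconds: 1800 });
console.log(demo);
console.log(auditSetCookie(demo));                         // []
console.log(auditSetCookie('session=abc123; Path=/'));     // [ 'HttpOnly', 'Secure', 'SameSite' ]
```

If the name read from the environment is given the `__Host-` prefix, browsers additionally refuse the cookie unless it carries Secure and Path=/ and has no Domain attribute, which pins the cookie to the exact origin that set it.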