A3:2017-Sensitive Data Exposure
Definition
- Is any data transmitted in clear text? This concerns protocols such as HTTP, SMTP, and FTP. External internet traffic is especially dangerous. Verify all internal traffic e.g. between load balancers, web servers, or back-end systems.
- Are any old or weak cryptographic algorithms used either by default or in older code?
- Are default crypto keys in use, weak crypto keys generated or re-used, or is proper key management or rotation missing?
- Is encryption not enforced, e.g. are any user agent (browser) security directives or headers missing?
- Does the user agent (e.g. app, mail client) not verify if the received server certificate is valid?
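The last three questions (weak algorithms, encryption not enforced, server certificate not verified) show up concretely in how a client configures its TLS context. The block below is an added example, not part of the original page: it audits a Python `ssl.SSLContext` for exactly those conditions and shows the unsafe configuration next to the hardened one. The function names are chosen for this example; the thresholds (certificate required, hostname checked, TLS 1.2 minimum) are the reviewer's assumptions about what "enforced" should mean.

```python
import ssl

# Added example (not from the original page). Audits a client-side TLS context for
# the A3:2017 conditions: certificate not verified, hostname not checked, old protocols.


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context passes the audit."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    # TLSVersion is an IntEnum, so MINIMUM_SUPPORTED (-2) compares below TLSv1_2.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows protocol versions older than TLS 1.2")
    return findings


def insecure_context() -> ssl.SSLContext:
    """The pattern that produces the A3 finding: verification switched off entirely.

    This is what 'verify=False' style shortcuts amount to; a forged or expired
    certificate is accepted without complaint.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE can be set
    ctx.verify_mode = ssl.CERT_NONE     # accept any certificate, even self-signed
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verified chain, hostname check and a TLS 1.2 floor (assumed policy for this example)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(label, audit_client_context(ctx) or "OK")
```

The audit function is the useful part: drop it into a test suite so any context a service builds for outbound HTTPS, SMTP or LDAP connections is checked before it ships.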
Example
.kdbx : KeePass password database files (key storage)
Always inspect every response; search for strings such as password, key, credentials, etc.
Strict-Transport-Security : must be activated; check with securityheaders.com
Test SSL/TLS ciphers : nmap --script=ssl-enum-ciphers -p 443 <host>
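The two response checks above (look for sensitive strings in every response; confirm Strict-Transport-Security is enabled) can be automated against captured traffic. The following is an added example and not part of the original notes: it parses a raw HTTP response, flags a missing or weak HSTS header, and lists sensitive-looking terms in the body. The sample responses are constructed for this example (no real site or credential), and the minimum max-age of one year is an assumed policy value.

```python
import re

# Added example (not from the original page). Sample responses are constructed;
# the values in them are placeholders, not real credentials.
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "\r\n"
    "<html><body>Welcome back.</body></html>"
)
BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"user": "svc-backup", "password": "hunter2", "api_key": "AKIA-EXAMPLE-PLACEHOLDER"}'
)

# Terms worth a manual look when they appear in a response body.
SENSITIVE = re.compile(
    r"\b(password|passwd|secret|api[_-]?key|credentials?|private[_ ]key|token)\b",
    re.IGNORECASE,
)


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers, body


def check_hsts(headers: dict, min_max_age: int = 31536000) -> list:
    """Return findings for a missing or weak Strict-Transport-Security header."""
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return ["Strict-Transport-Security header missing"]
    directives = {}
    for part in hsts.split(";"):
        name, _, value = part.strip().partition("=")
        directives[name.lower()] = value
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:  # absent or non-numeric max-age is treated as zero
        max_age = 0
    findings = []
    if max_age < min_max_age:
        findings.append(f"HSTS max-age={max_age} below {min_max_age} seconds")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    return findings


def find_sensitive_terms(body: str) -> list:
    """Distinct sensitive-looking terms found in the body, lower-cased and sorted."""
    return sorted({m.group(1).lower() for m in SENSITIVE.finditer(body)})


def review(raw: str) -> dict:
    """Run both checks on one raw response."""
    _, headers, body = parse_response(raw)
    return {"hsts": check_hsts(headers), "sensitive_terms": find_sensitive_terms(body)}


if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, review(raw))
```

A hit on a term is a prompt to read the response, not proof of a leak; the HSTS check, by contrast, is a pass/fail control and belongs in CI for every HTTPS endpoint.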