This post is a reasonable start, but has some errors and omissions - and is now out of date since the OWASP Top 10 update.

A few suggested improvements:

Update to use OWASP Top 10 2017: https://www.owasp.org/index.php/Top_10-2017_Top_10

Incorporate OWASP Top 10 Proactive Controls: https://www.owasp.org/index.php/OWASP_Proactive_Controls

XSS section refers only to stored XSS. Describe reflected XSS as well. Describe DOM-based XSS and mitigations.

Provide some examples of Security Misconfiguration.

Provide advice on *how* to keep software patched for security flaws.

The post says "Use HTTPS if you can". HTTPS is not optional for web security.
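On the XSS point raised in the comment above, here is an added example (editor's code, not the commenter's and not from the post being reviewed) that puts reflected XSS and DOM-based XSS side by side, each with its mitigation. The attacker string `PAYLOAD`, the function names, and the tiny element stub standing in for a browser DOM are all constructed for this illustration so that the file runs under Node without a browser; the one property the stub models (innerHTML parses markup, textContent does not) is standard DOM behaviour.

```javascript
// Added example (not from the comment or the post it reviews): reflected vs
// DOM-based XSS, each beside its mitigation. The DOM element below is a stub
// so this runs under Node; it only models that innerHTML parses markup while
// textContent stores the string verbatim.

// Constructed attacker input: closes an attribute, then injects a tag with an
// event handler. Assumed for the illustration, not taken from any real report.
const PAYLOAD = '"><img src=x onerror=alert(1)>';

// Contextual output encoding for HTML text nodes and double-quoted attribute
// values. This is the server-side mitigation for reflected and stored XSS.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Reflected XSS: the server echoes a request parameter (?q=...) straight into
// the response body. The payload travels in a link the attacker sends to the
// victim and comes back in the page, where the browser executes it.
function searchPageUnsafe(q) {
  return `<p>Results for: ${q}</p><input name="q" value="${q}">`;
}

// Same page with output encoding applied at every point the data is inserted.
function searchPageSafe(q) {
  const e = escapeHtml(q);
  return `<p>Results for: ${e}</p><input name="q" value="${e}">`;
}

// Minimal stand-in for a DOM element (stub, not a real DOM): setting innerHTML
// hands the string to the HTML parser, setting textContent does not.
function makeElement() {
  return {
    parsedMarkup: null, // what innerHTML would have parsed
    text: null,         // what textContent would have stored
    set innerHTML(html) { this.parsedMarkup = html; },
    set textContent(s) { this.text = s; },
  };
}

// DOM-based XSS: client-side code reads location.hash and writes it into the
// page through innerHTML. The fragment is never sent to the server, so
// server-side encoding, a WAF, or server logs cannot catch it; the fix has to
// be made in the client code.
function renderHashUnsafe(hash, el) {
  const name = decodeURIComponent(hash.slice(1)); // drop the leading '#'
  el.innerHTML = `Hello, ${name}`;                // untrusted data into an HTML sink
  return el;
}

// Mitigation: use a text sink (textContent) instead of an HTML sink. The same
// string is shown to the user, but it is never parsed as markup.
function renderHashSafe(hash, el) {
  const name = decodeURIComponent(hash.slice(1));
  el.textContent = `Hello, ${name}`;
  return el;
}

// Crude check used to compare the two server responses: did an <img ...> tag
// survive into the output, or was it neutralised into &lt;img ...&gt;?
function hasInjectedImg(html) {
  return /<img\b/i.test(html);
}
```

The split matters for where the fix lives: reflected (and stored) XSS is fixed by contextual output encoding on the server, while DOM-based XSS is fixed by choosing a safe sink in the browser code, and a server-side filter gives no protection against the latter.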