diff --git a/.wordlist-en.txt b/.wordlist-en.txt index 6db16963..cc6db5e0 100644 --- a/.wordlist-en.txt +++ b/.wordlist-en.txt @@ -524,11 +524,13 @@ wstg wtf www xsaero - Roxana Amauri Bizerra Ebihara Yuuki +svn +git BOPLA BOLA +WebDAV diff --git a/docs/en/04-design/02-web-app-checklist/01-define-security-requirements.md b/docs/en/04-design/02-web-app-checklist/01-define-security-requirements.md index 9a354bf8..1ed1f4ef 100644 --- a/docs/en/04-design/02-web-app-checklist/01-define-security-requirements.md +++ b/docs/en/04-design/02-web-app-checklist/01-define-security-requirements.md 
@@ -14,6 +14,21 @@ and use the lists below as suggestions for a checklist that has been tailored fo 5. The security configuration store for the application should be available in human readable form to support auditing 6. Isolate development environments from production and provide access only to authorized development and test groups 7. Implement a software change control system to manage and record changes to the code both in development and production +8. Turn off directory listings +9. Prevent accidentally accessible and sensitive pages from appearing in search engines using a robots.txt file, + the X-Robots-Tag response header or a robots html meta tag +10. Disable unnecessary HTTP methods, such as WebDAV extensions. If an extended HTTP method that supports file handling is + required, utilize a well-vetted authentication mechanism +11. Remove unnecessary information from HTTP response headers related to the OS, web-server version and application + frameworks unless implemented to confuse an attacker +12. Ensure the .git, .svn folders or any source control metadata aren't deployed together alongside the application in away + that makes these directly accessible externally or indirectly through the application +13. Do not store passwords, secrets, connection strings, key material, secret management integrations or other sensitive + information in clear text or in any non-cryptographically secure manner on the client, in source code, or build artifacts +14. Remove or restrict access to internal application and system documentation (such as for internal APIs) as this can reveal + backend system or other useful information to attackers +15. Restrict access to files or other resources, including those outside the application's direct control using an allow list + or the equivalent thereof. #### 2. Cryptographic practices
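Review bot: the `- Roxana` removal in the `.wordlist-en.txt` hunk looks unrelated to the checklist change that the new `svn`, `git` and `WebDAV` entries support; confirm the name is no longer used anywhere in the docs (or was a duplicate entry) before dropping it, since the spell-check will start flagging it, and keep the wordlist change limited to the words this commit introduces.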
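Review bot: item 12 has a typo, `in away` should read `in a way`, and item 15 ends with a period while items 8 to 14 and the existing items 5 to 7 do not; drop the trailing period for consistency. Item 9 also needs a caveat: `robots.txt`, the `X-Robots-Tag` header and the robots meta tag only ask well-behaved crawlers not to index a page, they are not an access control, and `robots.txt` is itself publicly readable, so listing sensitive paths there discloses them; the item should state that such pages must still be protected by authentication or removed, with robots directives used only to keep already-reachable pages out of search results. Item 11's `unless implemented to confuse an attacker` is ambiguous and reads as an exception that swallows the requirement; suggest either dropping the clause or rewording it to something like `values may be deliberately set to misleading ones, but must never reveal the real OS, server or framework versions`. Minor: `robots html meta tag` should read `robots HTML meta tag`.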