Which OWASP version does this cover?

It covers the OWASP Top 10 2021 edition, with all ten categories from A01 Broken Access Control through A10 Server-Side Request Forgery. Each category has two or three representative control checks drawn from common review findings.

Where is my progress stored?

Your pass, fail, and N-A choices are saved in your browser localStorage on the same device and browser. Nothing is sent to a server, so the audit stays private, but it will not sync across devices.

How is the pass rate calculated?

The percentage is computed over items you marked pass or fail, ignoring untouched and N-A items. That way the score reflects only the controls you actually assessed, rather than penalising items that do not apply to your system.

Is passing every item enough to be secure?

No. This is a structured self-audit to catch obvious gaps before a formal review, not a substitute for penetration testing or a code audit. Treat a clean checklist as readiness to be tested, not proof of security.

Can I reset the checklist?

Yes. The reset button clears every choice and removes the saved state from localStorage, giving you a fresh checklist for the next system or release you want to assess.

OWASP Top 10 Self-Audit Checklist

The OWASP Top 10 is the industry baseline for web application security risks. This checklist turns the 2021 edition into a structured, resumable self-audit so you can walk a system through each category before booking a formal penetration test, and hand engineering specific fixes for anything that fails.

How it works

The checklist groups controls under all ten 2021 categories, from A01 Broken Access Control to A10 Server-Side Request Forgery. For each item you mark Pass, Fail, or N/A:

Marking an item Fail reveals a short remediation note describing the concrete fix, for example using parameterized queries for injection or rotating session IDs on login.
The running tally shows how many items pass, fail, are N/A, or are still unset, plus a pass rate computed only over the items you scored.
Every change is written to your browser localStorage, so you can close the tab and resume the same audit later on the same device.

Tips and notes

Use N/A honestly for controls that genuinely do not apply (for example SSRF controls in a system that never fetches user-supplied URLs). The pass rate ignores N/A items so it is not skewed.
A clean checklist signals readiness to be tested, not a guarantee of security. Pair it with dependency scanning, SAST in CI, and a real penetration test for anything customer-facing.
The reset button clears all stored progress so you can reuse the checklist for another service or release.
Nothing is uploaded. The entire audit lives in your browser.