diff --git a/README.md b/README.md
index 54920e1..1f4db2f 100644
--- a/README.md
+++ b/README.md
@@ -38,8 +38,9 @@ Checklist of the most important security countermeasures when designing, testing
 - [ ] Validate `content-type` of posted data as you accept (e.g., `application/x-www-form-urlencoded`, `multipart/form-data`, `application/json`, etc.).
 - [ ] Validate user input to avoid common vulnerabilities (e.g., `XSS`, `SQL-Injection`, `Remote Code Execution`, etc.).
 - [ ] Don't use any sensitive data (`credentials`, `Passwords`, `security tokens`, or `API keys`) in the URL, but use standard Authorization header.
+- [ ] Use an API Gateway service to enable caching, Rate Limit policies (e.g. `Quota`, `Spike Arrest`, or `Concurrent Rate Limit`) and deploy APIs resources dynamically.
+- [ ] Use API signature to prevent some guy testing manually or automatically
 - [ ] Use only server-side encryption.
-- [ ] Use an API Gateway service to enable caching, Rate Limit policies (e.g., `Quota`, `Spike Arrest`, or `Concurrent Rate Limit`) and deploy APIs resources dynamically.
 
 ## Processing
 - [ ] Check if all the endpoints are protected behind authentication to avoid broken authentication process.
@@ -50,6 +51,7 @@ Checklist of the most important security countermeasures when designing, testing
 - [ ] Use a CDN for file uploads.
 - [ ] If you are dealing with huge amount of data, use Workers and Queues to process as much as possible in background and return response fast to avoid HTTP Blocking.
 - [ ] Do not forget to turn the DEBUG mode OFF.
+- [ ] Make sure id send via params/query string (uid, cid... for example) is owned by user requested API to prevent IODR
 - [ ] Use non-executable stacks when available.
 
 ## Output