This is a checklist focused on pen-testing (dynamic assessment) of web applications, although most of the items can also be assessed by code auditing.
The checklist is based on the OWASP Testing Guide v4. Some items that are not practically helpful for assessing security (i.e. finding security vulnerabilities) are excluded, because they refer to processes (e.g. using a proxy), provide only high-level concepts (e.g. persistent attacks), or involve subjective judgements (e.g. weak passwords or security questions).