diff --git a/README.md b/README.md index d0cdc0f..e1cca16 100644 --- a/README.md +++ b/README.md @@ -713,6 +713,7 @@ These are some basic security best practices: _Why:_ > For instance, accepting the `application/x-www-form-urlencoded` mime type allows the attacker to create a form and trigger a simple POST request. The server should never assume the Content-Type. A lack of Content-Type header or an unexpected Content-Type header should result in the server rejecting the content with a `4XX` response. +* Check the API Security Checklist Project. [read more...](https://github.com/shieldfy/API-Security-Checklist) ### 9.3 API documentation
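Review bot: the added bullet `* Check the API Security Checklist Project. [read more...](...)` breaks the pattern of the surrounding entries in section 9, which each pair the recommendation with a `_Why:_` rationale (the preceding item explains why the server must not assume the Content-Type). Suggest rewording it as an actionable recommendation and adding the rationale, e.g. `* Review your API against the API Security Checklist before release. [read more...](https://github.com/shieldfy/API-Security-Checklist)` followed by `_Why:_ > A checklist catches common omissions (authentication, input validation, response headers) that individual best-practice items above do not cover one by one.` Since the link points to an external repository, the entry should also state what the reader is expected to do with it rather than just "check" it.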