Is this still up to date?

[Aditya94A]

It's been almost a year since the last update, I was wondering whether any of the information is outdated or perhaps some best practices have evolved since last year?

[samsch]

This isn't actually different from 2016, but usually the recommended password hashing algorithms are (in this order) scrypt, bcrypt, and then PBKDF2.

I would personally have the bit about xss specifically recommend only using escape-by-default templating engines, as well as mentioning that validated user data should be stored as is, and then escaped by the mechanism which displays it (templating engine).

The list should probably recommend using HTTPS for all pages, not just those with sensitive data. This was true in 2016, but is more important now with more features being https-only, and browsers openly displaying warnings for http sites.