+=head2 CHECKLIST
+
+As a minimum you need to do all of the things on this checklist, where
+applicable. The items marked SECURITY are the ones that you might
+forget: without them your application may appear to work, but will be
+insecure.
+
+=over
+
+=item *
+
+Call C<new_verifier> (once at application startup)
+
+=item *
+
+Call C<new_request> (once per request)
+
+=item *
+
+B<SECURITY>: Call C<check_ok> or C<check_divert> on every request, and
+honour the return value.
+
+=item *
+
+If you're using C<check_ok>, implement either the
+C<username_password_error> or C<login_ok> hook.
+
+=item *
+
+Call C<get_username> when you need to know who's logged in.
+
+=item *
+
+B<SECURITY>: Call C<check_mutate> or C<mutate_ok>, if you specified
+C<promise_check_mutate>.
+
+=item *
+
+B<SECURITY>: Call C<check_nonpage> for every request which is not a page load
+(if your application has any of those).
+
+=item *
+
+When generating URLs and forms (including AJAX requests), include the
+hidden form parameter using C<secret_hidden_val> or
+C<secret_hidden_html> when appropriate (see below).
+
+=item *
+
+B<SECURITY>: If you do not override the source provision facility (see
+L</SOURCE CODE DOWNLOAD>), check that the assumptions it makes aren't
+going to leak security-critical data.
+
+=back
+
+These points will now be covered in more detail.
+
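Review bot: the B<SECURITY> items for C<check_mutate>/C<mutate_ok> and C<check_nonpage> do not say what the caller must do with the result, while the C<check_ok>/C<check_divert> item explicitly adds "and honour the return value". Since the introductory paragraph says these are the items whose omission leaves the application apparently working but insecure, a caller who invokes C<check_nonpage> or C<mutate_ok> and ignores what it returns has exactly the failure mode being warned about. Suggest making the three SECURITY call items parallel, e.g. "Call C<check_nonpage> for every request which is not a page load, and honour the return value" (or, if those functions abort the request themselves rather than returning a status, saying so in the item, so the reader knows which style each call uses). Similarly, the C<check_mutate>/C<mutate_ok> item names two alternatives without saying when to use which; a short parenthetical, as the C<check_ok> item does for its hooks, would remove the ambiguity.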