Fix some broken documentation links (#12794)

docs/development/pull-requests.md

@@ -12,10 +12,10 @@
   * [Step 6: Rebase](#step-6-rebase)
   * [Step 7: Test](#step-7-test)
   * [Step 8: Push](#step-8-push)
-  * [Step 9: Opening the Pull Request](#step-8-opening-the-pull-request)
-  * [Step 10: Discuss and Update](#step-9-discuss-and-update)
+  * [Step 9: Opening the Pull Request](#step-9-opening-the-pull-request)
+  * [Step 10: Discuss and Update](#step-10-discuss-and-update)
     * [Approval and Request Changes Workflow](#approval-and-request-changes-workflow)
-  * [Step 11: Landing](#step-10-landing)
+  * [Step 11: Landing](#step-11-landing)
   * [Continuous Integration Testing](#continuous-integration-testing)
 
 ## Setting up your local environment

docs/tutorial/security.md

@@ -69,18 +69,18 @@ either `process.env` or the `window` object.
 This is not bulletproof, but at the least, you should follow these steps to
 improve the security of your application.
 
-1. [Only load secure content](#only-load-secure-content)
-2. [Disable the Node.js integration in all renderers that display remote content](#disable-node.js-integration-for-remote-content)
-3. [Enable context isolation in all renderers that display remote content](#enable-context-isolation-for-remote-content)
-4. [Use `ses.setPermissionRequestHandler()` in all sessions that load remote content](#handle-session-permission-requests-from-remote-content)
-5. [Do not disable `webSecurity`](#do-not-disable-websecurity)
-6. [Define a `Content-Security-Policy`](#define-a-content-security-policy) and use restrictive rules (i.e. `script-src 'self'`)
-7. [Override and disable `eval`](#override-and-disable-eval), which allows strings to be executed as code.
-8. [Do not set `allowRunningInsecureContent` to `true`](#do-not-set-allowRunningInsecureContent-to-true)
-9. [Do not enable experimental features](#do-not-enable-experimental-features)
-10. [Do not use `blinkFeatures`](#do-not-use-blinkfeatures)
-11. [WebViews: Do not use `allowpopups`](#do-not-use-allowpopups)
-12. [WebViews: Verify the options and params of all `<webview>` tags](#verify-webview-options-before-creation)
+1. [Only load secure content](#1-only-load-secure-content)
+2. [Disable the Node.js integration in all renderers that display remote content](#-2-disable-nodejs-integration-for-remote-content)
+3. [Enable context isolation in all renderers that display remote content](#-3-enable-context-isolation-for-remote-content)
+4. [Use `ses.setPermissionRequestHandler()` in all sessions that load remote content](#-4-handle-session-permission-requests-from-remote-content)
+5. [Do not disable `webSecurity`](#-5-do-not-disable-websecurity)
+6. [Define a `Content-Security-Policy`](#-6-define-a-content-security-policy) and use restrictive rules (i.e. `script-src 'self'`)
+7. [Override and disable `eval`](#-7-override-and-disable-eval), which allows strings to be executed as code.
+8. [Do not set `allowRunningInsecureContent` to `true`](#-8-do-not-set-allowrunninginsecurecontent-to-true)
+9. [Do not enable experimental features](#-9-do-not-enable-experimental-features)
+10. [Do not use `blinkFeatures`](#-10-do-not-use-blinkfeatures)
+11. [WebViews: Do not use `allowpopups`](#-11-do-not-use-allowpopups)
+12. [WebViews: Verify the options and params of all `<webview>` tags](#-12-verify-webview-options-before-creation)
 
 
 ## 1) Only Load Secure Content
@@ -401,7 +401,7 @@ subsequent resources via `HTTP` is also known as "mixed content".
 
 Simply put, loading content over `HTTPS` assures the authenticity and integrity
 of the loaded resources while encrypting the traffic itself. See the section on
-[only displaying secure content](#only-display-secure-content) for more details.
+[only displaying secure content](#1-only-load-secure-content) for more details.
 
 ### How?