Maybe you already know this stuff but maybe some of it is new or as a collection it's something you find useful enough to share with someone you think needs it. Anyway, a few basic recommendations:
Don't give out personal information to people you don't know (online, over the phone, or in person). This can include phone number, address, full names and personal social media accounts. Don't underestimate what someone can do with seemingly harmless information, especially with all of the people finder type websites available in the US.
Enable two-factor authentication where possible. This is almost a given nowadays but you can add to this by making sure you use an authenticator app which rotating pin rather than one that gets SMS/texted to you, and where possible modern authentication that provides an approve/deny prompt is even more secure.
Use strong passwords. Not patterns. Not simple passwords with letters switched out for numbers or characters. Passphrases are more secure and easier to remember. Personal biases make them easier to guess so avoid movies, books, and song titles, and use diceware if possible, which generates random words to make your phrase. Use spaces where possible as it adds entropy.
Use a password manager where possible. All of them have their issues, have been hacked or exploited in some way, but they are still in every way superior to recycling passwords, simple passwords, or recording them in a spreadsheet.
Use a secure search engine for anything you don't want tracked, such as DuckDuckGo.
Use a privacy-oriented browser, such as Firefox or Brave.
Use encrypted messaging where possible. SMS to SMS is not encrypted. iMessage is. WhatsApp is but as they are now owned by Facebook, who knows. Signal is the golden standard of secure messaging. Telegram, Line, Wickr, Wire, ChatSecure and Confide are a few more options.
If using public / unsecured wireless, such as at a cafe or library, use a VPN where possible to encrypt your communications inside of the public and open wireless.
Although HTTPS is always better than HTTP, don't put absolute faith in HTTPS either. Bad actors can also get domain verification and certificates, all the more so with third-party sellers of certification authorities like Comodo and things like OpenSSL.
Haveibeenpwned is a useful website that will let you know if your email has been a part of any known security breaches. You can also sign up for alerts.