diff --git a/controllers/TicketController.php b/controllers/TicketController.php index 60eabc7..aef723f 100644 --- a/controllers/TicketController.php +++ b/controllers/TicketController.php @@ -75,6 +75,18 @@ class TicketController { // Check if form was submitted if ($_SERVER['REQUEST_METHOD'] === 'POST') { + // Validate CSRF token + require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php'; + $csrfToken = $_POST['csrf_token'] ?? ''; + if (!CsrfMiddleware::validateToken($csrfToken)) { + $error = "Invalid or expired security token. Please try again."; + $templates = $this->templateModel->getAllTemplates(); + $allUsers = $this->userModel->getAllUsers(); + $conn = $this->conn; + include dirname(__DIR__) . '/views/CreateTicketView.php'; + return; + } + // Handle visibility groups (comes as array from checkboxes) $visibilityGroups = null; if (isset($_POST['visibility_groups']) && is_array($_POST['visibility_groups'])) { diff --git a/index.php b/index.php index a6bebb5..305f978 100644 --- a/index.php +++ b/index.php @@ -242,7 +242,9 @@ switch (true) { $params = []; $types = ''; - if (!empty($_GET['action_type'])) { + $allowedActionTypes = ['create','update','delete','comment','assign','status_change','login','security', + 'ticket_create','ticket_update','ticket_delete','attachment_delete','attachment_upload']; + if (!empty($_GET['action_type']) && in_array($_GET['action_type'], $allowedActionTypes, true)) { $whereConditions[] = "al.action_type = ?"; $params[] = $_GET['action_type']; $types .= 's'; 
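Review bot: The token is read with `$_POST['csrf_token'] ?? ''` and handed straight to `CsrfMiddleware::validateToken`, so an array-valued `csrf_token[]` parameter arrives as an array rather than a string; depending on how `validateToken` declares its parameter that is an uncaught TypeError (a 500) instead of a clean rejection. Guard the type before validating: `if (!is_string($csrfToken) || !CsrfMiddleware::validateToken($csrfToken)) {`. The failure branch also re-renders the form with the default 200 status; a rejected token is a request the server refused, so `http_response_code(403);` before the `include` makes the outcome visible in access logs and monitoring. The re-render block appears to repeat the data loading of the normal GET path, so a small private helper that both branches call would keep them from drifting, though that path is not visible here. The enclosing method starts and ends outside the hunk.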
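Review bot: The `$allowedActionTypes` array in the index.php hunk at @@ -242 is presumably a copy of the set of values the audit-log writer produces, and keeping it inline in the router means a new action type added to the writer is silently filtered out here until someone remembers to update this array. Define the list once as a named constant next to the code that writes `action_type` (for example a constructed `AuditLog::ACTION_TYPES`) and reference it from this filter and from the filter form if one exists. Minor style: the literal omits spaces after commas and splits into two lines of different width; one value per line with a trailing comma reads more easily and diffs cleanly. The `in_array(..., true)` strict check is correct and should stay.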
@@ -252,15 +254,15 @@ switch (true) {
 $whereConditions[] = "al.user_id = ?";
 $params[] = (int)$_GET['user_id'];
 $types .= 'i';
- $filters['user_id'] = $_GET['user_id'];
+ $filters['user_id'] = (int)$_GET['user_id'];
 }
- if (!empty($_GET['date_from'])) {
+ if (!empty($_GET['date_from']) && preg_match('/^\d{4}-\d{2}-\d{2}$/', $_GET['date_from'])) {
 $whereConditions[] = "DATE(al.created_at) >= ?";
 $params[] = $_GET['date_from'];
 $types .= 's';
 $filters['date_from'] = $_GET['date_from'];
 }
- if (!empty($_GET['date_to'])) {
+ if (!empty($_GET['date_to']) && preg_match('/^\d{4}-\d{2}-\d{2}$/', $_GET['date_to'])) {
 $whereConditions[] = "DATE(al.created_at) <= ?";
 $params[] = $_GET['date_to'];
 $types .= 's';
diff --git a/views/CreateTicketView.php b/views/CreateTicketView.php
index fe9e45b..1db774a 100644
--- a/views/CreateTicketView.php
+++ b/views/CreateTicketView.php
@@ -35,6 +35,9 @@ include __DIR__ . '/layout_header.php'; class="create-ticket-form" novalidate> + +
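Review bot: The date pattern `/^\d{4}-\d{2}-\d{2}$/` in the @@ -252 hunk of index.php still lets a value with a trailing newline through, because PCRE's `$` matches before a final `\n`; use `\z` (or the `D` modifier) so the value bound to `DATE(al.created_at) >= ?` is exactly ten characters: `preg_match('/^\d{4}-\d{2}-\d{2}\z/', $_GET['date_from'])`, and the same for `date_to`. An array-valued `date_from` passes `!empty()` and reaches `preg_match`, which throws a TypeError on PHP 8; an `is_string()` check in front of the regex turns that into a skipped filter instead of a 500. The pattern also accepts impossible dates such as month 13; `checkdate()` on the three parts, or `DateTimeImmutable::createFromFormat('Y-m-d', ...)` with a round-trip compare, would reject those before the query rather than relying on the database's handling of invalid dates.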
Check these before creating a new ticket.
'; - list.innerHTML = html; + var hint = document.createElement('p'); + hint.className = 'lt-text-xs lt-text-muted lt-mt-sm'; + hint.textContent = 'Check these before creating a new ticket.'; + list.innerHTML = ''; + list.appendChild(ul); + list.appendChild(hint); warn.classList.remove('is-hidden'); } else { warn.classList.add('is-hidden'); } }) - .catch(function () { /* silent */ }); + .catch(function () { /* silent — duplicate check is non-critical */ }); } // ── Visibility groups toggle ──────────────────────────────