diff --git a/app/Controllers/AuthController.php b/app/Controllers/AuthController.php
index 13f2006..e17b1a7 100644
--- a/app/Controllers/AuthController.php
+++ b/app/Controllers/AuthController.php
@@ -173,6 +173,9 @@ class AuthController extends Controller
             return;
         }
 
+        // Regenerate session ID to prevent session fixation
+        session_regenerate_id(true);
+
         // Login successful - create session
         $_SESSION['user_id'] = $user['id'];
         $_SESSION['username'] = $user['username'];
diff --git a/app/Controllers/DomainController.php b/app/Controllers/DomainController.php
index e6fe7b9..f35baac 100644
--- a/app/Controllers/DomainController.php
+++ b/app/Controllers/DomainController.php
@@ -579,8 +579,11 @@ class DomainController extends Controller
             $availableTags = $tagModel->getAllWithUsage();
         }
 
-        // Get referrer for cancel button
+        // Get referrer for cancel button (validated to prevent open redirect / XSS)
         $referrer = $_GET['from'] ?? '/domains/' . $domain['id'];
+        if (!preg_match('#^/[a-zA-Z0-9]#', $referrer)) {
+            $referrer = '/domains/' . $domain['id'];
+        }
         
         $this->view('domains/edit', [
             'domain' => $domain,
@@ -1619,9 +1622,19 @@ class DomainController extends Controller
             return;
         }
 
+        $userId = \Core\Auth::id();
+        $settingModel = new \App\Models\Setting();
+        $isolationMode = $settingModel->getValue('user_isolation_mode', 'shared');
+
         $deleted = 0;
         foreach ($domainIds as $id) {
-            if ($this->domainModel->delete($id)) {
+            if ($isolationMode === 'isolated') {
+                $domain = $this->domainModel->findWithIsolation($id, $userId);
+            } else {
+                $domain = $this->domainModel->find($id);
+            }
+
+            if ($domain && $this->domainModel->delete($id)) {
                 $deleted++;
             }
         }
@@ -1658,24 +1671,28 @@ class DomainController extends Controller
             return;
         }
 
+        $settingModel = new \App\Models\Setting();
+        $isolationMode = $settingModel->getValue('user_isolation_mode', 'shared');
+
         // Validate notification group in isolation mode
-        if ($groupId) {
-            $settingModel = new \App\Models\Setting();
-            $isolationMode = $settingModel->getValue('user_isolation_mode', 'shared');
-            
-            if ($isolationMode === 'isolated') {
-                $group = $this->groupModel->find($groupId);
-                if (!$group || $group['user_id'] != $userId) {
-                    $_SESSION['error'] = 'You can only assign domains to your own notification groups';
-                    $this->redirect('/domains');
-                    return;
-                }
+        if ($groupId && $isolationMode === 'isolated') {
+            $group = $this->groupModel->find($groupId);
+            if (!$group || $group['user_id'] != $userId) {
+                $_SESSION['error'] = 'You can only assign domains to your own notification groups';
+                $this->redirect('/domains');
+                return;
             }
         }
 
         $updated = 0;
         foreach ($domainIds as $id) {
-            if ($this->domainModel->update($id, ['notification_group_id' => $groupId])) {
+            if ($isolationMode === 'isolated') {
+                $domain = $this->domainModel->findWithIsolation($id, $userId);
+            } else {
+                $domain = $this->domainModel->find($id);
+            }
+
+            if ($domain && $this->domainModel->update($id, ['notification_group_id' => $groupId])) {
                 $updated++;
             }
         }
diff --git a/app/Controllers/InstallerController.php b/app/Controllers/InstallerController.php
index 0f2246e..29f8ed8 100644
--- a/app/Controllers/InstallerController.php
+++ b/app/Controllers/InstallerController.php
@@ -315,6 +315,9 @@ class InstallerController extends Controller
             return;
         }
 
+        // CSRF Protection
+        $this->verifyCsrf('/install');
+
         // Block re-installation if already installed
         if ($this->isInstalled()) {
             $_SESSION['error'] = 'System is already installed. Use the update function instead.';
@@ -364,11 +367,11 @@ class InstallerController extends Controller
                 $file = __DIR__ . '/../../database/migrations/000_initial_schema_v1.1.0.sql';
                 $sql = file_get_contents($file);
                 
-                // Replace admin credentials
+                // Replace admin credentials (use PDO::quote to prevent SQL injection)
                 $passwordHash = password_hash($adminPassword, PASSWORD_BCRYPT);
-                $sql = str_replace('{{ADMIN_PASSWORD_HASH}}', $passwordHash, $sql);
-                $sql = str_replace('{{ADMIN_USERNAME}}', $adminUsername, $sql);
-                $sql = str_replace('{{ADMIN_EMAIL}}', $adminEmail, $sql);
+                $sql = str_replace("'{{ADMIN_PASSWORD_HASH}}'", $pdo->quote($passwordHash), $sql);
+                $sql = str_replace("'{{ADMIN_USERNAME}}'", $pdo->quote($adminUsername), $sql);
+                $sql = str_replace("'{{ADMIN_EMAIL}}'", $pdo->quote($adminEmail), $sql);
                 
                 // Execute the entire consolidated schema at once
                 // This is safe because MySQL can handle multiple statements with CREATE TABLE IF NOT EXISTS
@@ -584,6 +587,9 @@ class InstallerController extends Controller
             $this->redirect('/install/update');
             return;
         }
+
+        // CSRF Protection
+        $this->verifyCsrf('/install/update');
         
         try {
             $pdo = \Core\Database::getConnection();
diff --git a/app/Controllers/NotificationGroupController.php b/app/Controllers/NotificationGroupController.php
index 033f7a7..18150e3 100644
--- a/app/Controllers/NotificationGroupController.php
+++ b/app/Controllers/NotificationGroupController.php
@@ -687,6 +687,13 @@ class NotificationGroupController extends Controller
             return;
         }
 
+        $channel = $this->channelModel->find($id);
+        if (!$channel || (int)$channel['notification_group_id'] !== (int)$groupId) {
+            $_SESSION['error'] = 'Channel not found';
+            $this->redirect("/groups/$groupId/edit");
+            return;
+        }
+
         try {
             $this->channelModel->delete($id);
             $_SESSION['success'] = 'Channel deleted successfully';
@@ -714,6 +721,13 @@ class NotificationGroupController extends Controller
             return;
         }
 
+        $channel = $this->channelModel->find($id);
+        if (!$channel || (int)$channel['notification_group_id'] !== (int)$groupId) {
+            $_SESSION['error'] = 'Channel not found';
+            $this->redirect("/groups/$groupId/edit");
+            return;
+        }
+
         try {
             $this->channelModel->toggleActive($id);
             $_SESSION['success'] = 'Channel status updated';
diff --git a/app/Controllers/TwoFactorController.php b/app/Controllers/TwoFactorController.php
index 60b7bac..5c8d5b3 100644
--- a/app/Controllers/TwoFactorController.php
+++ b/app/Controllers/TwoFactorController.php
@@ -275,6 +275,9 @@ class TwoFactorController extends Controller
         $this->twoFactorService->recordAttempt($userId, $ipAddress, $verified);
 
         if ($verified) {
+            // Regenerate session ID to prevent session fixation
+            session_regenerate_id(true);
+
             // Clear 2FA requirement and complete login
             $pendingRemember = !empty($_SESSION['pending_remember']);
             unset($_SESSION['2fa_required']);
@@ -343,6 +346,8 @@ class TwoFactorController extends Controller
             return;
         }
 
+        $this->verifyCsrf('/2fa/verify');
+
         try {
             // Check if user is in 2FA verification state
             if (!isset($_SESSION['2fa_required']) || !$_SESSION['2fa_required']) {
diff --git a/app/Models/ErrorLog.php b/app/Models/ErrorLog.php
index 0ec25a0..4aa48d8 100644
--- a/app/Models/ErrorLog.php
+++ b/app/Models/ErrorLog.php
@@ -247,7 +247,9 @@ class ErrorLog extends Model
         }
 
         $whereClause = !empty($where) ? 'WHERE ' . implode(' AND ', $where) : '';
-        $sortColumn = $filters['sort'];
+
+        $allowedSort = ['error_id', 'error_type', 'error_message', 'is_resolved', 'occurred_at', 'last_occurred_at', 'occurrences'];
+        $sortColumn = in_array($filters['sort'], $allowedSort, true) ? $filters['sort'] : 'last_occurred_at';
         $sortOrder = strtoupper($filters['order']) === 'DESC' ? 'DESC' : 'ASC';
 
         $query = "
diff --git a/app/Views/domains/bulk-add.twig b/app/Views/domains/bulk-add.twig
index afc5def..3777aaa 100644
--- a/app/Views/domains/bulk-add.twig
+++ b/app/Views/domains/bulk-add.twig
@@ -74,7 +74,7 @@
                         <p class="text-xs text-gray-600 dark:text-slate-400 mb-1.5">Available Tags:</p>
                         <div class="flex flex-wrap gap-1.5">
                             {% for tag in availableTags %}
-                                <button type="button" onclick="addTag('{{ tag.name }}')" 
+                                <button type="button" onclick="addTag('{{ tag.name|e('js') }}')" 
                                         class="inline-flex items-center px-2 py-1 rounded-md text-xs font-medium border {{ tag.color }} hover:opacity-80 transition-colors">
                                     <i class="fas fa-plus mr-1" style="font-size: 8px;"></i>
                                     {{ tag.name }}
diff --git a/app/Views/domains/create.twig b/app/Views/domains/create.twig
index cc2f80f..6e542cf 100644
--- a/app/Views/domains/create.twig
+++ b/app/Views/domains/create.twig
@@ -73,7 +73,7 @@
                         <p class="text-xs text-gray-600 dark:text-slate-400 mb-1.5">💡 Available Tags:</p>
                         <div class="flex flex-wrap gap-1.5">
                             {% for tag in availableTags %}
-                                <button type="button" onclick="addTag('{{ tag.name }}')" 
+                                <button type="button" onclick="addTag('{{ tag.name|e('js') }}')" 
                                         class="inline-flex items-center px-2 py-1 rounded-md text-xs font-medium border {{ tag.color }} hover:opacity-80 transition-colors">
                                     <i class="fas fa-plus mr-1" style="font-size: 8px;"></i>
                                     {{ tag.name }}
diff --git a/app/Views/domains/edit.twig b/app/Views/domains/edit.twig
index 8af2f38..4b5c8f5 100644
--- a/app/Views/domains/edit.twig
+++ b/app/Views/domains/edit.twig
@@ -76,7 +76,7 @@
                         <p class="text-xs text-gray-600 dark:text-slate-400 mb-1.5">💡 Available Tags:</p>
                         <div class="flex flex-wrap gap-1.5">
                             {% for tag in availableTags %}
-                                <button type="button" onclick="addTag('{{ tag.name }}')" 
+                                <button type="button" onclick="addTag('{{ tag.name|e('js') }}')" 
                                         class="inline-flex items-center px-2 py-1 rounded-md text-xs font-medium border {{ tag.color }} hover:opacity-80 transition-colors">
                                     <i class="fas fa-plus mr-1" style="font-size: 8px;"></i>
                                     {{ tag.name }}
diff --git a/app/Views/domains/tabs/overview.twig b/app/Views/domains/tabs/overview.twig
index ade69bd..9ee4fc5 100644
--- a/app/Views/domains/tabs/overview.twig
+++ b/app/Views/domains/tabs/overview.twig
@@ -21,7 +21,7 @@
                     {% if domain.registrar_url is not empty %}
                     <div class="flex justify-between">
                         <span class="text-gray-500 dark:text-slate-400">Registrar URL:</span>
-                        <a href="{{ domain.registrar_url }}" target="_blank" class="text-blue-600 dark:text-blue-400 hover:text-blue-800 dark:hover:text-blue-300 flex items-center">
+                        <a href="{{ domain.registrar_url|safe_url }}" target="_blank" rel="noopener noreferrer" class="text-blue-600 dark:text-blue-400 hover:text-blue-800 dark:hover:text-blue-300 flex items-center">
                             <i class="fas fa-external-link-alt mr-1" style="font-size: 9px;"></i>
                             Visit
                         </a>
diff --git a/app/Views/domains/tabs/whois.twig b/app/Views/domains/tabs/whois.twig
index 939ffca..91a0cb7 100644
--- a/app/Views/domains/tabs/whois.twig
+++ b/app/Views/domains/tabs/whois.twig
@@ -43,7 +43,7 @@
                 <div>
                     <label class="text-gray-500 dark:text-slate-400 font-medium block mb-0.5">Registrar URL</label>
                     {% if domain.registrar_url is defined and domain.registrar_url %}
-                        <a href="{{ domain.registrar_url }}" target="_blank" class="text-blue-600 dark:text-blue-400 hover:text-blue-800 dark:hover:text-blue-300 flex items-center">
+                        <a href="{{ domain.registrar_url|safe_url }}" target="_blank" rel="noopener noreferrer" class="text-blue-600 dark:text-blue-400 hover:text-blue-800 dark:hover:text-blue-300 flex items-center">
                             <i class="fas fa-external-link-alt mr-1" style="font-size: 9px;"></i>
                             Visit Registrar
                         </a>
@@ -58,7 +58,7 @@
                 <div>
                     <label class="text-gray-500 dark:text-slate-400 font-medium block mb-0.5">Abuse Contact</label>
                     {% if domain.abuse_email %}
-                        <a href="mailto:{{ domain.abuse_email }}" class="text-blue-600 dark:text-blue-400 hover:text-blue-800 dark:hover:text-blue-300 block break-all">{{ domain.abuse_email }}</a>
+                        <a href="{{ domain.abuse_email|safe_mailto }}" class="text-blue-600 dark:text-blue-400 hover:text-blue-800 dark:hover:text-blue-300 block break-all">{{ domain.abuse_email }}</a>
                     {% else %}
                         <span class="text-gray-400 dark:text-slate-500">-</span>
                     {% endif %}
diff --git a/app/Views/domains/view.twig b/app/Views/domains/view.twig
index 7e5a440..04c6c82 100644
--- a/app/Views/domains/view.twig
+++ b/app/Views/domains/view.twig
@@ -98,7 +98,7 @@
                     {% if domain.registrar_url is not empty %}
                     <div>
                         <label class="text-gray-500 dark:text-slate-400 font-medium block mb-0.5">Registrar URL</label>
-                        <a href="{{ domain.registrar_url }}" target="_blank" class="text-blue-600 dark:text-blue-400 hover:text-blue-800 dark:hover:text-blue-300 flex items-center">
+                        <a href="{{ domain.registrar_url|safe_url }}" target="_blank" rel="noopener noreferrer" class="text-blue-600 dark:text-blue-400 hover:text-blue-800 dark:hover:text-blue-300 flex items-center">
                             <i class="fas fa-external-link-alt mr-1" style="font-size: 9px;"></i>
                             Visit
                         </a>
@@ -107,7 +107,7 @@
                     {% if domain.abuse_email is not empty %}
                     <div>
                         <label class="text-gray-500 dark:text-slate-400 font-medium block mb-0.5">Abuse Contact</label>
-                        <a href="mailto:{{ domain.abuse_email }}" class="text-blue-600 dark:text-blue-400 hover:text-blue-800 dark:hover:text-blue-300">
+                        <a href="{{ domain.abuse_email|safe_mailto }}" class="text-blue-600 dark:text-blue-400 hover:text-blue-800 dark:hover:text-blue-300">
                             {{ domain.abuse_email }}
                         </a>
                     </div>
diff --git a/app/Views/installer/update.twig b/app/Views/installer/update.twig
index 4994913..bcf634f 100644
--- a/app/Views/installer/update.twig
+++ b/app/Views/installer/update.twig
@@ -72,6 +72,7 @@
             {% endif %}
 
             <form method="POST" action="/install/update" class="space-y-3">
+                {{ csrf_field() }}
                 <button type="submit" class="w-full bg-primary hover:bg-primary-dark text-white py-2.5 rounded-lg font-medium transition-colors">
                     <i class="fas fa-download mr-2"></i>
                     Run Update Now
diff --git a/app/Views/installer/welcome.twig b/app/Views/installer/welcome.twig
index 6260b38..caa82c3 100644
--- a/app/Views/installer/welcome.twig
+++ b/app/Views/installer/welcome.twig
@@ -69,6 +69,7 @@
             {% endif %}
 
             <form method="POST" action="/install/run" class="space-y-5">
+                {{ csrf_field() }}
                 <div class="border-t border-gray-200 pt-6">
                     <h3 class="text-lg font-semibold text-gray-900 mb-4">Administrator Account</h3>
                     
diff --git a/app/Views/tld-registry/index.twig b/app/Views/tld-registry/index.twig
index f303e88..3589356 100644
--- a/app/Views/tld-registry/index.twig
+++ b/app/Views/tld-registry/index.twig
@@ -291,7 +291,7 @@
                                         <div class="text-sm font-semibold text-gray-900 dark:text-white">{{ tld.tld }}</div>
                                         {% if tld.registry_url %}
                                         <div class="text-sm text-gray-500 dark:text-slate-400">
-                                            <a href="{{ tld.registry_url }}" target="_blank" class="text-primary hover:text-primary-dark">
+                                            <a href="{{ tld.registry_url|safe_url }}" target="_blank" rel="noopener noreferrer" class="text-primary hover:text-primary-dark">
                                                 <i class="fas fa-external-link-alt mr-1"></i>
                                                 Registry
                                             </a>
@@ -375,7 +375,7 @@
                             <div>
                                 <h3 class="font-semibold text-gray-900 dark:text-white">{{ tld.tld }}</h3>
                                 {% if tld.registry_url %}
-                                <a href="{{ tld.registry_url }}" target="_blank" class="text-xs text-primary hover:text-primary-dark">
+                                <a href="{{ tld.registry_url|safe_url }}" target="_blank" rel="noopener noreferrer" class="text-xs text-primary hover:text-primary-dark">
                                     <i class="fas fa-external-link-alt mr-1"></i>
                                     Registry
                                 </a>
diff --git a/app/Views/tld-registry/view.twig b/app/Views/tld-registry/view.twig
index 53ea5ca..3f401d1 100644
--- a/app/Views/tld-registry/view.twig
+++ b/app/Views/tld-registry/view.twig
@@ -60,7 +60,7 @@
                     {% if tld.registry_url %}
                     <div>
                         <label class="text-gray-500 dark:text-slate-400 font-medium block mb-0.5">Registry URL</label>
-                        <a href="{{ tld.registry_url }}" target="_blank" class="text-blue-600 hover:text-blue-800 dark:text-blue-400 dark:hover:text-blue-300 flex items-center">
+                        <a href="{{ tld.registry_url|safe_url }}" target="_blank" rel="noopener noreferrer" class="text-blue-600 hover:text-blue-800 dark:text-blue-400 dark:hover:text-blue-300 flex items-center">
                             <i class="fas fa-external-link-alt mr-1" style="font-size: 9px;"></i>
                             Visit Registry
                         </a>
@@ -229,7 +229,7 @@
                 </a>
                 {% endif %}
                 {% if tld.registry_url %}
-                <a href="{{ tld.registry_url }}" target="_blank" class="flex items-center p-3 border border-gray-200 dark:border-slate-700 hover:border-blue-500 hover:bg-blue-50 dark:hover:bg-blue-500/10 rounded-lg transition-all duration-200 group">
+                <a href="{{ tld.registry_url|safe_url }}" target="_blank" rel="noopener noreferrer" class="flex items-center p-3 border border-gray-200 dark:border-slate-700 hover:border-blue-500 hover:bg-blue-50 dark:hover:bg-blue-500/10 rounded-lg transition-all duration-200 group">
                     <div class="w-9 h-9 bg-blue-50 dark:bg-blue-500/10 group-hover:bg-blue-500 rounded-lg flex items-center justify-center group-hover:text-white text-blue-600 dark:text-blue-400 transition-colors duration-200">
                         <i class="fas fa-external-link-alt text-sm"></i>
                     </div>
diff --git a/core/SessionConfig.php b/core/SessionConfig.php
index 1b04cbe..7dc6158 100644
--- a/core/SessionConfig.php
+++ b/core/SessionConfig.php
@@ -69,6 +69,15 @@ class SessionConfig
      */
     public static function start(): void
     {
+        session_set_cookie_params([
+            'lifetime' => 0,
+            'path' => '/',
+            'domain' => '',
+            'secure' => !empty($_SERVER['HTTPS']),
+            'httponly' => true,
+            'samesite' => 'Lax',
+        ]);
+
         session_start();
         
         // Validate session exists in database (for database-backed sessions)
diff --git a/core/TwigService.php b/core/TwigService.php
index 22ddec9..7566184 100644
--- a/core/TwigService.php
+++ b/core/TwigService.php
@@ -239,6 +239,26 @@ class TwigService
             return \App\Helpers\ViewHelper::formatBytes($bytes, $precision);
         }));
 
+        $this->twig->addFilter(new TwigFilter('safe_url', function (?string $url): string {
+            if ($url === null || $url === '') {
+                return '#';
+            }
+            if (preg_match('#^https?://#i', $url)) {
+                return $url;
+            }
+            return '#';
+        }));
+
+        $this->twig->addFilter(new TwigFilter('safe_mailto', function (?string $email): string {
+            if ($email === null || $email === '') {
+                return '#';
+            }
+            if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
+                return 'mailto:' . $email;
+            }
+            return '#';
+        }));
+
         $this->twig->addFilter(new TwigFilter('from_json', function ($value) {
             if ($value === null || $value === '') {
                 return [];
diff --git a/routes/web.php b/routes/web.php
index 9f191e4..0b6dc97 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -47,12 +47,12 @@ $router->get('/2fa/verify', [TwoFactorController::class, 'showVerify']);
 $router->post('/2fa/verify', [TwoFactorController::class, 'verify']);
 $router->post('/2fa/send-email-code', [TwoFactorController::class, 'sendEmailCode']);
 
-// Debug route (public - remove in production!)
-$router->get('/debug/whois', [DebugController::class, 'whois']);
-
 // Protected routes - require authentication
 Auth::require();
 
+// Debug route (admin-only)
+$router->get('/debug/whois', [DebugController::class, 'whois']);
+
 // Dashboard
 $router->get('/', [DashboardController::class, 'index']);
 $router->get('/dashboard', [DashboardController::class, 'index']);