diff --git a/System/Core/Console/Commands/Update.php b/System/Core/Console/Commands/Update.php
index 8ad2b2c..8a28c9d 100644
--- a/System/Core/Console/Commands/Update.php
+++ b/System/Core/Console/Commands/Update.php
@@ -84,11 +84,11 @@ protected function getClient(): Client
 $headers['Authorization'] = 'Bearer ' . env('GITHUB_API_TOKEN');
 }
- $this->client = http([
- 'verify' => false,
- 'base_uri' => 'https://api.github.com/',
- 'headers' => $headers,
- ]);
+ $this->client = http([
+ 'verify' => env('HTTP_VERIFY_SSL', true),
+ 'base_uri' => 'https://api.github.com/',
+ 'headers' => $headers,
+ ]);
 }
 return $this->client;
@@ -196,9 +196,9 @@ protected function getCommits(?string $startDate = null, ?string $endDate = null
 {
 try {
 $query = [];
- $uri = '/repos/' . self::OWNER . '/' . self::REPO . '/commits';
- if ($startDate) $query['since'] = $startDate;
- if ($endDate) $query['until'] = $startDate;
+ $uri = '/repos/' . self::OWNER . '/' . self::REPO . '/commits';
+ if ($startDate) $query['since'] = $startDate;
+ if ($endDate) $query['until'] = $endDate;
 $response = $this->getClient()->get($uri, ['query' => $query])->getBody();
 return array_reverse(array_map(function ($commit) use ($autoFetchFiles) {
@@ -276,4 +276,4 @@ protected function table(array $rows): void
 echo str_repeat('-', $times) . PHP_EOL . PHP_EOL;
 }
-}
\ No newline at end of file
+}
diff --git a/System/Core/Process.php b/System/Core/Process.php
index 73d6354..fb6e259 100644
--- a/System/Core/Process.php
+++ b/System/Core/Process.php
@@ -21,7 +21,13 @@ class Process
 */
 public static function run(...$args): string|bool
 {
- return exec(join(' ', $args));
+ $command = [];
+ foreach ($args as $index => $arg) {
+ $arg = (string)$arg;
+ $command[] = $index === 0 ? $arg : escapeshellarg($arg);
+ }
+
+ return exec(join(' ', $command));
 }
-}
\ No newline at end of file
+}
diff --git a/System/Core/Runtime.php b/System/Core/Runtime.php
index 76b4ce2..01df551 100644
--- a/System/Core/Runtime.php
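Review bot: `'verify' => env('HTTP_VERIFY_SSL', true)` hands whatever env() returns straight to the client, and if env() yields the raw environment string (`"false"`, `"0"`) rather than a bool, a string in `verify` is read by Guzzle — which the `Client` return type and the `base_uri`/`verify` option names suggest is behind http() — as a CA-bundle path, so the call fails on a missing file instead of toggling verification. Normalise before use, e.g. `'verify' => filter_var(env('HTTP_VERIFY_SSL', true), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) ?? true,`. Whether env() already casts booleans is not visible here; if it does, a short comment beside the option saying so would save the next reader the check. Keeping `true` as the default is the right fix for the removed `false`, which disabled certificate verification for every GitHub API request; getClient() starts outside the hunk.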
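Review bot: The rewritten `if ($startDate) $query['since'] = $startDate;` and the `until` line under it keep the brace-less single-line form that PSR-12 disallows and that makes a copy-paste slip like the one this hunk fixes easy to miss; write them as `if ($startDate !== null) { $query['since'] = $startDate; }` and the same for `until`. The explicit null check also stops a string the truthiness test considers falsy from being silently dropped from the query. getCommits()'s body continues outside the hunk.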
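Review bot: `$command[] = $index === 0 ? $arg : escapeshellarg($arg);` deliberately leaves the first argument unquoted, but nothing in the method says so, so a caller that assembles the program name or a whole command string from request data gets no protection from this change; state the contract in the docblock: `The first argument is the program name or path and reaches the shell verbatim, so it must be a fixed, trusted value; every further argument is quoted with escapeshellarg().` Two edge cases in the new loop deserve a guard: with no arguments `exec('')` raises a ValueError on PHP 8, and `(string)$arg` on an array yields "Array" plus a warning rather than an error, so `if ($args === []) { throw new \InvalidArgumentException('Process::run() requires a command'); }` before the loop, and rejecting non-scalar arguments inside it, would make failures explicit. The `$index === 0` test also assumes a list; if any call site passes named arguments into the variadic the keys are strings and the program name gets quoted too — hedged, since call sites are not visible. run()'s docblock starts outside the hunk.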
+++ b/System/Core/Runtime.php
@@ -21,13 +21,13 @@ public static function init(array $config): void
 $isTelegram = true;
 /** verify routes */
- if (!empty(($routes = $config['routes']))) {
- if (!empty($routes['telegram'])) {
- if (!in_array(request()->uri(), $routes)) {
- $isTelegram = false;
- }
- }
- }
+ if (!empty(($routes = $config['routes']))) {
+ if (!empty($routes['telegram'])) {
+ if (!in_array(request()->uri(), $routes['telegram'])) {
+ $isTelegram = false;
+ }
+ }
+ }
 /** verify signature */
 if (!empty(($signature = $config['signature']))) {
@@ -82,4 +82,4 @@ public static function getInstance(): Runtime
 return new static;
 }
-}
\ No newline at end of file
+}
diff --git a/System/Http/Request.php b/System/Http/Request.php
index a3698fa..6c45565 100644
--- a/System/Http/Request.php
+++ b/System/Http/Request.php
@@ -76,11 +76,17 @@ public function ip(bool $trustProxy = false): string
 {
 if ($trustProxy) {
 if (!empty($_SERVER['HTTP_CF_CONNECTING_IP'])) {
- return trim($_SERVER['HTTP_CF_CONNECTING_IP']);
+ $ip = trim($_SERVER['HTTP_CF_CONNECTING_IP']);
+ if (filter_var($ip, FILTER_VALIDATE_IP)) {
+ return $ip;
+ }
 }
 if (!empty($_SERVER['HTTP_X_REAL_IP'])) {
- return trim($_SERVER['HTTP_X_REAL_IP']);
+ $ip = trim($_SERVER['HTTP_X_REAL_IP']);
+ if (filter_var($ip, FILTER_VALIDATE_IP)) {
+ return $ip;
+ }
 }
 if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
@@ -95,7 +101,12 @@ public function ip(bool $trustProxy = false): string
 }
 }
- return $_SERVER['REMOTE_ADDR'];
+ $remoteAddress = $_SERVER['REMOTE_ADDR'] ?? '';
+ if (filter_var($remoteAddress, FILTER_VALIDATE_IP)) {
+ return $remoteAddress;
+ }
+
+ return '0.0.0.0';
 }
 /**
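Review bot: `in_array(request()->uri(), $routes['telegram'])` on the new side still compares loosely, so a stray `true` in the configured route list would match every URI and the telegram check would pass for everything; pass the strict flag, `if (!in_array(request()->uri(), $routes['telegram'], true)) {`. The `!empty($routes['telegram'])` guard above it also lets a non-array value through, which makes in_array() throw a TypeError at request time, so `is_array($routes['telegram'])` would reject a misconfigured scalar up front. The `$isTelegram = true` default means a request counts as Telegram traffic whenever no route list is configured; that is existing behaviour the commit does not change, but it belongs in the `/** verify routes */` comment. init() starts outside the hunk.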
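Review bot: Validating the header values with `filter_var($ip, FILTER_VALIDATE_IP)` checks their format but not their origin: whenever `$trustProxy` is true, `HTTP_CF_CONNECTING_IP` and `HTTP_X_REAL_IP` are still taken from whatever the client sent, so a deployment that is not actually behind a proxy that overwrites those headers accepts a client-chosen address. The usual defence is to consult the headers only when `$_SERVER['REMOTE_ADDR']` is one of a configured set of proxy addresses; if the edge is guaranteed to set them, a comment on `if ($trustProxy) {` stating that assumption would document it. The two new validation blocks are identical and the `HTTP_X_FORWARDED_FOR` branch that continues past the hunk is not visible, so a private helper such as `$this->validIp($_SERVER['HTTP_CF_CONNECTING_IP'] ?? '')` returning `?string` would keep all three paths consistent. ip() continues outside the hunk.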
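Review bot: `return '0.0.0.0';` turns a missing or malformed `REMOTE_ADDR` into a value that itself passes FILTER_VALIDATE_IP, so consumers such as fingerprint() or any rate limit keyed on ip() will silently group every such request under one real-looking address. `REMOTE_ADDR` is set by the SAPI for every network request, so its absence is an environment problem (CLI, broken front controller) rather than a client condition, and failing loudly is safer if callers can tolerate it: `throw new \RuntimeException('REMOTE_ADDR is missing or not a valid IP address');`. If the sentinel is kept on purpose, a comment above the return saying why and which callers are expected to recognise it would help. The header-handling branches of ip() start outside the hunk.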
@@ -220,26 +231,32 @@ public function json(?string $key = null, bool $raw = false): array|string|null
 public function fingerprint(bool $includeBody = false): string
 {
 $query = $this->query();
+ if (!is_array($query)) {
+ $query = [];
+ }
 ksort($query);
 $segments = [
 $this->ip(),
 $this->uri(),
 $this->method(),
- md5(http_build_query($query)),
+ hash('sha256', http_build_query($query)),
 ];
 if ($includeBody) {
 $body = $this->body();
+ if (!is_array($body)) {
+ $body = [];
+ }
 ksort($body);
- $segments[] = md5(http_build_query($body));
+ $segments[] = hash('sha256', http_build_query($body));
 $json = $this->_json;
 ksort($json);
- $segments[] = md5(json_encode($json));
+ $segments[] = hash('sha256', json_encode($json) ?: '');
 }
- return md5(join('|', $segments));
+ return hash('sha256', join('|', $segments));
 }
-}
\ No newline at end of file
+}
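Review bot: `$json = $this->_json; ksort($json);` is not guarded the way `$query` and `$body` now are; if `_json` is null for a request without a JSON body (its type is not visible here), ksort() throws a TypeError on PHP 8, so mirror the new guards with `$json = is_array($this->_json) ? $this->_json : [];`. ksort() is also shallow, so two bodies that differ only in the key order of a nested array still yield different fingerprints; a small recursive sort helper would fix that if it matters, and otherwise a docblock line saying the fingerprint is order-sensitive below the top level would set expectations. Switching from md5 to `hash('sha256', …)` doubles the length of every fingerprint, which is worth stating in the commit message for anyone storing it in a fixed-width column. fingerprint() lies entirely within the hunk, which closes the class.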