diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6c7e9f1..ba328cd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,15 @@
 # Changelog
+## Changes 5/26/2025
+
+- Updated `REGEX_FOLDER_NAME` in `config.php` to forbids < > : " | ? * characters in folder names.
+ - Ensures the whole name can’t end in a space or period.
+ - Blocks Windows device names.
+
+- Updated `FolderController.php` when `createFolder` issues invalid folder name to return `http_response_code(400);`
+
+---
+
 ## Changes 5/23/2025 v1.3.8
 - **Folder-strip context menu**
diff --git a/config/config.php b/config/config.php
index 64f754c..bd9754e 100644
--- a/config/config.php
+++ b/config/config.php
@@ -28,7 +28,7 @@ define('TRASH_DIR', UPLOAD_DIR . 'trash/');
 define('TIMEZONE', 'America/New_York');
 define('DATE_TIME_FORMAT','m/d/y h:iA');
 define('TOTAL_UPLOAD_SIZE','5G');
-define('REGEX_FOLDER_NAME', '/^[\p{L}\p{N}_\-\s\/\\\\]+$/u');
+define('REGEX_FOLDER_NAME','/^(?!^(?:CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$)(?!.*[. ]$)(?:[^<>:"\/\\\\|?*\x00-\x1F]{1,255})(?:[\/\\\\][^<>:"\/\\\\|?*\x00-\x1F]{1,255})*$/xu');
 define('PATTERN_FOLDER_NAME','[\p{L}\p{N}_\-\s\/\\\\]+');
 define('REGEX_FILE_NAME', '/^[^\x00-\x1F\/\\\\]{1,255}$/u');
 define('REGEX_USER', '/^[\p{L}\p{N}_\- ]+$/u');
diff --git a/src/controllers/FolderController.php b/src/controllers/FolderController.php
index b12bc66..9d3f823 100644
--- a/src/controllers/FolderController.php
+++ b/src/controllers/FolderController.php
@@ -96,12 +96,14 @@ class FolderController
 // Basic sanitation for folderName.
 if (!preg_match(REGEX_FOLDER_NAME, $folderName)) {
+ http_response_code(400);
 echo json_encode(['error' => 'Invalid folder name.']);
 exit;
 }
 // Optionally sanitize the parent.
 if ($parent && !preg_match(REGEX_FOLDER_NAME, $parent)) {
+ http_response_code(400);
 echo json_encode(['error' => 'Invalid parent folder name.']);
 exit;
 }
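Review bot: The new REGEX_FOLDER_NAME admits `.` and `..` as complete path segments, so a name such as `../x` or `a/../b` now passes the check that guards both folderName and parent in FolderController, whereas the old pattern rejected every `.`; unless the controller canonicalises the path before use (not visible in this diff), the change widens validation rather than tightening it. Adding a third lookahead `(?!(?:^|.*[\/\\\\])\.{1,2}(?:[\/\\\\]|$))` rejects dot-only segments while still allowing `.hidden` or `a.b`. The device-name lookahead is case-sensitive and only inspects the whole string, so `con` or `docs/NUL` are not blocked; replacing it with `(?!(?:^|.*[\/\\\\])(?:CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(?:[\/\\\\]|$))` plus the `i` modifier closes that, and the final `$` should become `\z` (or add the `D` modifier) because `$` also matches before a trailing newline that the character class itself excludes. `PATTERN_FOLDER_NAME` on the following line still carries the old character class, so whatever consumes it (presumably a client-side pattern attribute) now disagrees with the server rule.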
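Review bot: The added `http_response_code(400)` calls leave a status/body/`exit` sequence duplicated in two consecutive branches, which is how the status was missed before; a small private helper such as `private function reject(int $status, string $message): void { http_response_code($status); echo json_encode(['error' => $message]); exit; }` keeps the three steps together so the next branch cannot drop one. The guard on the second block, `if ($parent && ...)`, tests truthiness, so a parent named `0` skips the regex check entirely; `if ($parent !== null && $parent !== '' && !preg_match(REGEX_FOLDER_NAME, $parent))` is what is meant, though where `$parent` comes from is outside the hunk. Whether a JSON Content-Type header is sent before the echo is not visible here. The enclosing createFolder method starts and ends outside the hunk.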