diff --git a/deploy/hooks.json b/deploy/hooks.json
index d375f68..ac1784e 100644
--- a/deploy/hooks.json
+++ b/deploy/hooks.json
@@ -10,14 +10,48 @@
  }
  ],
  "trigger-rule": {
- "match": {
- "type": "value",
- "value": "Bearer bssapp-secret-2026",
- "parameter": {
- "source": "header",
- "name": "Authorization"
+ "or": [
+ {
+ "match": {
+ "type": "value",
+ "value": "Bearer bssapp-secret-2026",
+ "parameter": {
+ "source": "header",
+ "name": "Authorization"
+ }
+ }
+ },
+ {
+ "match": {
+ "type": "value",
+ "value": "bssapp-secret-2026",
+ "parameter": {
+ "source": "header",
+ "name": "Authorization"
+ }
+ }
+ },
+ {
+ "match": {
+ "type": "value",
+ "value": "X-BSSAPP-SECRET: bssapp-secret-2026",
+ "parameter": {
+ "source": "header",
+ "name": "Authorization"
+ }
+ }
+ },
+ {
+ "match": {
+ "type": "value",
+ "value": "bssapp-secret-2026",
+ "parameter": {
+ "source": "header",
+ "name": "X-BSSAPP-SECRET"
+ }
+ }
  }
- }
+ ]
  }
  }
  ]
diff --git a/svc/queries/statement_header.go b/svc/queries/statement_header.go
index 41d1d79..2ef2048 100644
--- a/svc/queries/statement_header.go
+++ b/svc/queries/statement_header.go
@@ -18,11 +18,18 @@ func GetStatements(params models.StatementParams) ([]models.StatementHeader, err
  // Parislemler []string → '1','2','3'
  parislemFilter := "''"
  if len(params.Parislemler) > 0 {
- quoted := make([]string, len(params.Parislemler))
- for i, v := range params.Parislemler {
- quoted[i] = fmt.Sprintf("'%s'", v)
+ quoted := make([]string, 0, len(params.Parislemler))
+ for _, v := range params.Parislemler {
+ v = strings.TrimSpace(v)
+ if v == "" {
+ continue
+ }
+ // Escape tek tırnak to avoid malformed SQL when list is injected into IN (...).
+ quoted = append(quoted, fmt.Sprintf("'%s'", strings.ReplaceAll(v, "'", "''")))
+ }
+ if len(quoted) > 0 {
+ parislemFilter = strings.Join(quoted, ",")
  }
- parislemFilter = strings.Join(quoted, ",")
  }
  query := fmt.Sprintf(`
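Review bot: In deploy/hooks.json the new `or` list keeps the shared secret `bssapp-secret-2026` as a literal in a committed file and now repeats it in four rules, so anyone who can read the repository or its history holds the credential that triggers this hook. The value should be rotated and supplied at deploy time instead of being stored here; if this file is consumed by adnanh/webhook (the `trigger-rule`/`match` layout suggests so, but confirm), template mode can read it from the environment, e.g. `"value": "{{ getenv "BSSAPP_HOOK_SECRET" | js }}"` (variable name constructed for illustration), and a `payload-hmac-sha256` rule would avoid sending the secret in a header at all. The third alternative accepts the literal string `X-BSSAPP-SECRET: bssapp-secret-2026` as the Authorization value, which looks like a workaround for a client that sets its header incorrectly; fixing the caller and keeping one accepted form would leave a rule that is easier to audit and to rotate.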
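Review bot: The `IN (...)` list in GetStatements is still assembled by string formatting: the added `strings.ReplaceAll(v, "'", "''")` makes each literal well-formed, but the query's safety then depends on every interpolation site staying inside a quoted literal, and `params.Parislemler` appears to be caller-supplied. Binding each value as a parameter removes that dependency; the sketch below generates one named placeholder per value and collects the values in `parislemArgs`. It assumes the driver accepts `sql.Named` arguments (go-mssqldb does) and needs `database/sql` imported. The argument list of `db.MssqlDB.Query` lies outside this hunk, so where `parislemArgs...` is appended has to be checked there.

```go
var parislemArgs []any
if len(params.Parislemler) > 0 {
	placeholders := make([]string, 0, len(params.Parislemler))
	for _, v := range params.Parislemler {
		v = strings.TrimSpace(v)
		if v == "" {
			continue
		}
		// One named parameter per value; the value never becomes part of the SQL text.
		name := fmt.Sprintf("parislem%d", len(placeholders))
		placeholders = append(placeholders, "@"+name)
		parislemArgs = append(parislemArgs, sql.Named(name, v))
	}
	if len(placeholders) > 0 {
		parislemFilter = strings.Join(placeholders, ",")
	}
}
// … unchanged: query assembly; pass parislemArgs... to db.MssqlDB.Query …
```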
@@ -155,7 +162,7 @@ SELECT o.Devir_Bakiyesi, - '%s' + CAST(NULL AS varchar(32)) AS Parislemler FROM Opening o @@ -169,7 +176,6 @@ ORDER BY `, parislemFilter, parislemFilter, - parislemFilter, ) rows, err := db.MssqlDB.Query(query,
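Review bot: The Opening row now yields `CAST(NULL AS varchar(32)) AS Parislemler`, so this column is NULL where it used to be a string. If the `rows.Scan` destination for it is a plain `string` (the scan code is outside this hunk), database/sql will fail the scan with a NULL-conversion error. Either scan into `sql.NullString` or `*string`, or keep the column non-null with `CAST('' AS varchar(32))`. The matching `parislemFilter` argument is dropped in the following hunk, so the placeholder count and the argument count of `fmt.Sprintf` stay in step.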