diff --git a/TODO.md b/TODO.md
index 2ae6365..455abb9 100644
--- a/TODO.md
+++ b/TODO.md
@@ -21,6 +21,18 @@
   - [x] `duration_pages`/`duration_minutes` saved in `updateThesis()` and read back in `getThesisRawFields()`
   - [x] `beforeunload-guard` applied to add and partage forms too
 
+- [x] Audit + fix direct PHP URL references blocked by nginx catch-all `deny all`
+  - [x] `/request-access.php` fetch in `tfe.php` → `/request-access`
+  - [x] `/media.php?path=` in `form.php` (×2) and `admin/recapitulatif.php` → `/media?path=`
+
+- [x] Fix 403 on `/language-autre-fragment.php` from `edit.php`
+  - [x] Root cause: standalone root-level PHP file blocked by nginx catch-all `deny all`
+  - [x] Moved logic to `partage/language-autre-fragment.php` (shared include)
+  - [x] Added route `/partage/language-autre-fragment` in `partage/index.php`
+  - [x] Added `admin/language-autre-fragment.php` (AdminAuth gated, includes shared logic)
+  - [x] `form.php` picks URL based on `$mode` (`partage` vs admin)
+  - [x] Deleted `public/language-autre-fragment.php`; nginx unchanged
+
 - [x] Merge banner images into cover images
   - [x] Migration 016: copy `storage/banners/*` → `storage/covers/`, insert `thesis_files` cover records, clear `banner_path`, remove banners dir
   - [x] Remove banner fieldset from edit form (`form.php`)
diff --git a/app/public/admin/language-autre-fragment.php b/app/public/admin/language-autre-fragment.php
new file mode 100644
index 0000000..609095c
--- /dev/null
+++ b/app/public/admin/language-autre-fragment.php
@@ -0,0 +1,17 @@
+<?php
+/**
+ * language-autre-fragment.php (admin)
+ *
+ * HTMX fragment: returns the "Autre(s) langue(s)" input row.
+ * Called from the shared form partial when a language checkbox changes.
+ *
+ * Expected POST:
+ *   languages[]      — selected language IDs (may be absent)
+ *   language_autre   — current free-text value (for repopulation)
+ */
+require_once __DIR__ . '/../../bootstrap.php';
+require_once __DIR__ . '/../../src/AdminAuth.php';
+
+AdminAuth::requireLogin();
+
+require_once APP_ROOT . '/public/partage/language-autre-fragment.php';
diff --git a/app/public/language-autre-fragment.php b/app/public/language-autre-fragment.php
deleted file mode 100644
index e85ad85..0000000
--- a/app/public/language-autre-fragment.php
+++ /dev/null
@@ -1,46 +0,0 @@
-<?php
-/**
- * language-autre-fragment.php
- *
- * HTMX fragment: returns the "Autre(s) langue(s)" input row when no standard
- * language checkbox is checked, or an empty hidden placeholder when at least
- * one is checked.
- *
- * Expected POST:
- *   languages[]  — selected language IDs (may be absent)
- *   language_autre — current free-text value (for repopulation)
- */
-require_once __DIR__ . '/../bootstrap.php';
-
-$selectedIds  = isset($_POST['languages']) && is_array($_POST['languages'])
-    ? $_POST['languages']
-    : [];
-$currentValue = htmlspecialchars(trim($_POST['language_autre'] ?? ''));
-$anyChecked   = !empty($selectedIds);
-?>
-<div id="language-autre-row">
-<?php if (!$anyChecked): ?>
-    <div>
-        <label for="language_autre">Autre(s) langue(s) : <span class="asterisk">*</span></label>
-        <div>
-            <input type="text"
-                   id="language_autre"
-                   name="language_autre"
-                   value="<?= $currentValue ?>"
-                   required>
-            <small>Si votre TFE contient une langue absente de la liste, précisez-la ici.</small>
-        </div>
-    </div>
-<?php else: ?>
-    <div>
-        <label for="language_autre">Autre(s) langue(s) :</label>
-        <div>
-            <input type="text"
-                   id="language_autre"
-                   name="language_autre"
-                   value="<?= $currentValue ?>">
-            <small>Si votre TFE contient une langue absente de la liste, précisez-la ici.</small>
-        </div>
-    </div>
-<?php endif; ?>
-</div>
diff --git a/app/public/partage/index.php b/app/public/partage/index.php
index a6b0b8c..280eae6 100644
--- a/app/public/partage/index.php
+++ b/app/public/partage/index.php
@@ -21,6 +21,13 @@ $parts = explode('/', $path);
 $slug  = $parts[0] ?? '';
 $action = $parts[1] ?? '';
 
+// Special route: /partage/language-autre-fragment (HTMX fragment, no auth needed)
+if ($slug === 'language-autre-fragment' && $_SERVER['REQUEST_METHOD'] === 'POST') {
+    App::boot();
+    require_once __DIR__ . '/language-autre-fragment.php';
+    exit;
+}
+
 // Special route: /partage/format-website-fragment (HTMX fragment, no auth needed)
 if ($slug === 'format-website-fragment' && $_SERVER['REQUEST_METHOD'] === 'POST') {
     App::boot();
diff --git a/app/public/partage/language-autre-fragment.php b/app/public/partage/language-autre-fragment.php
new file mode 100644
index 0000000..1f5fb3b
--- /dev/null
+++ b/app/public/partage/language-autre-fragment.php
@@ -0,0 +1,36 @@
+<?php
+/**
+ * language-autre-fragment.php
+ *
+ * Shared HTMX fragment include: returns the "Autre(s) langue(s)" input row
+ * when no standard language checkbox is checked, or the plain (non-required)
+ * variant when at least one is checked.
+ *
+ * Included by:
+ *   - /admin/language-autre-fragment.php  (AdminAuth gated)
+ *   - partage/index.php special route     (public, session already booted)
+ *
+ * Expected POST:
+ *   languages[]      — selected language IDs (may be absent)
+ *   language_autre   — current free-text value (for repopulation)
+ */
+
+$selectedIds  = isset($_POST['languages']) && is_array($_POST['languages'])
+    ? $_POST['languages']
+    : [];
+$currentValue = htmlspecialchars(trim($_POST['language_autre'] ?? ''));
+$anyChecked   = !empty($selectedIds);
+?>
+<div id="language-autre-row">
+    <div>
+        <label for="language_autre">Autre(s) langue(s) :<?= !$anyChecked ? ' <span class="asterisk">*</span>' : '' ?></label>
+        <div>
+            <input type="text"
+                   id="language_autre"
+                   name="language_autre"
+                   value="<?= $currentValue ?>"
+                   <?= !$anyChecked ? 'required' : '' ?>>
+            <small>Si votre TFE contient une langue absente de la liste, précisez-la ici.</small>
+        </div>
+    </div>
+</div>
diff --git a/app/templates/admin/recapitulatif.php b/app/templates/admin/recapitulatif.php
index 5a71090..69a828f 100644
--- a/app/templates/admin/recapitulatif.php
+++ b/app/templates/admin/recapitulatif.php
@@ -98,7 +98,7 @@
                 <?php
                     $mime     = $f['mime_type'] ?? '';
                     $isImage  = str_starts_with($mime, 'image/');
-                    $mediaUrl = '/media.php?path=' . urlencode($f['file_path']);
+                    $mediaUrl = '/media?path=' . urlencode($f['file_path']);
                     $fileName = htmlspecialchars($f['file_name'] ?? basename($f['file_path']));
                     $fileType = htmlspecialchars($f['file_type']);
                 ?>
diff --git a/app/templates/partials/form/form.php b/app/templates/partials/form/form.php
index 34b2a32..f9c3aa7 100644
--- a/app/templates/partials/form/form.php
+++ b/app/templates/partials/form/form.php
@@ -173,7 +173,7 @@ $checkedFormatsForSiteWeb = $checkedFormatsForSiteWeb ?? [];
             $options = $languages;
             $checked = $formData["languages"] ?? [];
             $required = true;
-            $hxPost   = "/language-autre-fragment.php";
+            $hxPost   = $mode === 'partage' ? "/partage/language-autre-fragment" : "/admin/language-autre-fragment.php";
             $hxTarget = "#language-autre-row";
             $hxSwap   = "outerHTML";
             include APP_ROOT . "/templates/partials/form/checkbox-list.php";
@@ -252,7 +252,7 @@ $checkedFormatsForSiteWeb = $checkedFormatsForSiteWeb ?? [];
                 <div class="admin-file-input">
                     <?php if (!empty($currentCover)): ?>
                     <div class="admin-banner-preview">
-                        <img src="/media.php?path=<?= urlencode(
+                        <img src="/media?path=<?= urlencode(
                             $currentCover["file_path"],
                         ) ?>"
                              alt="Couverture actuelle" style="max-height:180px;">
@@ -321,7 +321,7 @@ $checkedFormatsForSiteWeb = $checkedFormatsForSiteWeb ?? [];
                             str_starts_with($f["file_path"] ?? "", "https://");
                         $fLinkHref = $isExternalUrl
                             ? htmlspecialchars($f["file_path"])
-                            : "/media.php?path=" . urlencode($f["file_path"]);
+                            : "/media?path=" . urlencode($f["file_path"]);
                         ?>
                     <li class="admin-file-list-item" data-file-id="<?= (int) $f[
                         "id"
diff --git a/app/templates/public/tfe.php b/app/templates/public/tfe.php
index 2386c3c..669870d 100644
--- a/app/templates/public/tfe.php
+++ b/app/templates/public/tfe.php
@@ -393,7 +393,7 @@
                         const formData = new FormData(form);
                         formData.append('thesis_id', '<?= $thesisId ?>');
 
-                        fetch('/request-access.php', {
+                        fetch('/request-access', {
                             method: 'POST',
                             body: formData
                         })