i've config .htaccess to rewrite every single request to www.domain.com/xxyyzz and domain.com/xxyyzz (while whitelisting robots.txt and favicon.ico) into a script to emulate a virtual directory pattern, and img.domain.com/any_real_path to serve images. My main purpose is to make urls look more SE friendly while avoiding catching of requests to images into that script to reduce server load.

But i'm always thinking some requests should not be caught this way hence causing security problems. any ideas or improvements on this config while fulilling the duty of making a virtual directory pattern?