This is just an observation, but once they know the redirected target, they might be able to obtain other software if they have a reasonable guess as to the filename.

You might consider having the CGI script pipe out the headers and content to initiate the download. You could call it something similar to /cgi-bin/logger.cgi/product.filename , so the browser would try to save it with the proper name. You would also have to be aware of the Content-Type and Content-length headers for product.filename.

A little more work, perhaps, and off of your original question, but perhaps a little more likely not to be bypassed.