I commend you on pointing out your 'Security by Obscurity', and on wanting it fixed. The best thing I can recommend is going through Ovid's Web Programming Using Perl course. It handles most of your security concerns as far as programming goes. There are just too many things to point out here in a post on perlmonks.
Ovid even covers wog's excellent point (++) that HTTP_REFERER can be spoofed (along with about everything else).
Then you have the fun task of locking down (hardening) your box.
I would recommend looking at:
Bastille
Security Focus
grep