Over here, we have 6 lovely fresh baked rolls, and on the other side, half a dozen lovely fresh baked rolls. CGI scripts expose vulnerabilities to a cracker. The innards of a daemon expose vulnerabilities to a cracker. No real difference there.

My reasoning that HTTP::Daemon is the daemon is because it handles all the daemony kind of jobs, like dealing with connections, deciphering the HTTP protocol, building data structures... just like the Apache daemon does. No one would say that a CGI script is the same as the Apache daemon, even though a CGI script does certainly provide the apache daemon's actual, functional innards. The only thing the Apache daemon does that the HTTP::Daemon doesn't do is fork and drop privileges before execing the CGI script.

And with my subclass of HTTP::Daemon your can avoid Apache's denial of service POST attack by deciding how much of the post stream to read. You can probably do this with Apache, but the thought of the C interface layer leaves me sweating.

____________________
Jeremy
I didn't believe in evil until I dated it.