Just goes to show you that it's not very smart to tie a URL's form to its function. All the HTML on my website is dynamically generated, yet I don't have .cgi on the end of any file (and especially not .tcl {grin}).

From a security perspective, revealing that something is /cgi or .cgi or .pl or .tcl are all dangerous, as they give an attacker a hint of implementation language, which can permit more rapid selection of automated tools.

-- Randal L. Schwartz, Perl hacker