I agree with you pretty much on this, but consider this: Why give away hints? If you use the file extension .cgi, a would-be cracker (not a hacker) has no idea if you're using Perl, C, Ruby, COBOL, or whatever to do your CGI. You use .pl, and you've given away a pretty good hint you're running Perl.
Now, your code review has passed, everything is fine, and 3 months later someone discovers a latent problem in CGI.pm or Perl itself. Is someone more likely to try that new exploit against a site they see with .cgi scripts, or .pl scripts?
Security through obscurity is a bad policy to rely on to hide bad programming, but it's a good policy to help make it more difficult for someone to work against you.
After all, if you have a safe in your home, do you put up a sign saying 'safe is in basement'?
--Chris
e-mail jcwren