tangent has asked for the wisdom of the Perl Monks concerning the following question:

Hi good monks,

I am trying to prettify my URLs running a plain CGI on a shared host. Currently I have the usual set-up with URLs like:
www.example.com/cgi-bin/events.pl?date=20120209&id=100
I have found CGI::PathInfo on CPAN which allows me to produce URLs like this:
www.example.com/cgi-bin/events.pl/date-20120209/id-100
As it happens, I can run Perl scripts outside of my cgi-bin directory so now I can do this:
www.example.com/events.pl/date-20120209/id-100
Much nicer.
My question is: are there security or other implications associated with having my script outside the cgi-bin? The application simply retrieves information from flat-file databases and writes the HTML to display it. There are no passwords exposed or anything but I still hesitate.

Re: Running perl script outside cgi-bin
by Corion (Patriarch) on Feb 07, 2012 at 22:03 UTC

    This is all a webserver configuration issue. Nothing except the webserver configuration dictates that the file events.pl must reside in your document root, or that a file events.pl must exist at all for a URL /events.pl to be served. Talk to your webserver administrator about what possibilities you have to set up a "ScriptAlias" or some "alias".

    Without looking at what your script does, it's hard to say whether it is safer or less safe to move it out of cgi-bin/. Most likely, it won't make much difference, security-wise.

      Hi Corion - it did occur to me after I posted that this wasn't really a Perl question, so thanks for your answer. I went on over to Apache and it would seem I could do everything I want and more using ScriptAlias and other directives. The only thing is that I would have to put them in .htaccess files, which has performance issues (hopefully a concern some day). But that got me thinking: why not just create a symbolic link to my script? That works nicely. Must learn more Unix.

        The only security problem really is: if the web server ever is misconfigured (to not execute scripts), people hitting the web server are shown your code. Since events.pl is in cgi-bin (not public_html, i.e. outside the document root), a misconfigured server would likely refuse to serve it. This is very much an issue in PHP, too, but nobody pays attention to it.

        You can mitigate this by putting the important parts of your code in libraries outside the document root.

        (I did gain access to one web site's code once because the administrator apparently had reinstalled the OS, set the web server running with the default configuration, and restored the old content before fixing the configuration.)
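Putting Corion's ScriptAlias suggestion and the last reply's "keep the code outside the document root" advice side by side, here is an added Apache configuration example. It is not from any of the posters; the host name is the one used in the question, but the file-system paths (/home/tangent/public_html, /home/tangent/cgi-bin) and the assumption of Apache 2.4 syntax (Require all granted) are mine. Note that ScriptAlias is only valid in the server or virtual-host configuration, not in .htaccess, so on a shared host this is something to request from the administrator.

```apache
# Added example (not from the thread). Assumes Apache 2.4 and these
# made-up paths:
#   document root:  /home/tangent/public_html
#   CGI directory:  /home/tangent/cgi-bin   (outside the document root)

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /home/tangent/public_html

    # --- Weaker arrangement: events.pl copied into the document root ----
    # Execution depends on ExecCGI and the cgi-script handler both being
    # in force. If either is lost (default config restored after a
    # reinstall, .htaccess ignored by AllowOverride None), Apache falls
    # back to treating events.pl as a plain file and serves the Perl
    # source to the client. Shown commented out for comparison.
    #
    # <Directory /home/tangent/public_html>
    #     Options +ExecCGI
    #     AddHandler cgi-script .pl
    # </Directory>

    # --- Preferred: pretty URL, code stays outside the document root ----
    # A request for /events.pl/date-20120209/id-100 runs
    # /home/tangent/cgi-bin/events.pl with PATH_INFO=/date-20120209/id-100.
    # ScriptAlias applies the cgi-script handler itself, so no ExecCGI is
    # needed, and nothing under cgi-bin is reachable as a static file.
    ScriptAlias /events.pl /home/tangent/cgi-bin/events.pl

    <Directory /home/tangent/cgi-bin>
        AllowOverride None
        Options None
        Require all granted
        AcceptPathInfo On
    </Directory>
</VirtualHost>
```

With the second arrangement the only thing inside the document root is static content; if the alias is ever lost, a request for /events.pl returns a 404 rather than the script's source, which is the failure mode the last reply describes.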