If you have control of your webserver, there are tricks you can play there too. on apache I have one server set up to handle .html files as if they were php (so nobody knows I use php) and mod_rewrite to obfuscate filename extensions and CGI parameters (and the fact that its even a cgi-bin script). i.e. mapping /foo/bar/login to /cgi-bin/login.cgi?a=foo&b=bar L