PerlMonks  

hide perl script

by harangzsolt33 (Chaplain)
on Apr 02, 2018 at 01:23 UTC ( [id://1212125]=perlquestion )

harangzsolt33 has asked for the wisdom of the Perl Monks concerning the following question:

In the previous question, SearchigPerl says that his perl scripts just download instead of getting executed on the web server. This got me thinking...

If your scripts process online payments or perform some encryption or some secretive stuff, it would be a nightmare scenario if your server allowed people to see your perl source instead of executing it!

My question is how can a perl programmer avoid something like that? Is there a way to make sure that a page stays hidden in case it gets downloaded? For example, I tried to put a null character as the first byte in one of my scripts to make sure that the rest of the data will not download or stays hidden in case it doesn't get executed by the server. But it turns out I get a 500 Internal Server error when I try to execute my script. The server doesn't like when a perl script starts with a null character. Lol

Of course, I could try to obfuscate my perl script, but that's not a really foolproof idea. If someone really wanted to figure out what my script does, and they've got my source code in hand, it's just a matter of time before they figure out what it does.

Replies are listed 'Best First'.
Re: hide perl script
by dsheroh (Monsignor) on Apr 02, 2018 at 10:17 UTC
    Even if we presume that you have insufficient control over the web server configuration to ensure that CGI scripts will be executed instead of sending the source code...

    ...and even if we accept that you have to use CGI instead of a more modern web application architecture...

    ...and even if we ignore the fact that good encryption and payment processing systems remain secure even when the algorithms are fully public...

    ...this still isn't a problem if you're using good software development practices.

    Good development practice calls for putting potentially-reusable code into modules, not the main program source file. So you're running something as a CGI script and the web server sends the source instead of running it, but the source of myapp.cgi consists of:

    #!/usr/bin/perl
    use MyApp::Main;
    MyApp::Main->run();

    So the bad guys saw that? Whoopty-freaking-do. The only thing it tells them is that your knowledge of CGI application development isn't stuck in 1997.

    Good web application deployment practice also says that MyApp/Main.pm (i.e., the source of your MyApp::Main module) must not be placed under your web root (or any other web-shared directory), which ensures that there is no URL which maps to that file, thus making it impossible for a web user to access the source code of the module(s) used by your program. (Barring a serious exploit of the web server itself, of course.)

Re: hide perl script
by ikegami (Patriarch) on Apr 02, 2018 at 02:20 UTC

    Web servers don't magically start returning the source code instead of executing the script. Test changes to the config before making them in production, and test your changes in production after making them.

    You could add a level of indirectness by making your scripts setuid scripts and removing group-read and other-read permissions. This has the added advantage that your data files need not be readable by the web server account anymore.
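
An added deployment self-check, not part of the thread: it turns dsheroh's rule (no .pm files under the document root) and ikegami's advice (verify that a CGI URL is actually executed) into one Perl script. The source-detection heuristics, the command-line interface and the sample response bodies are my own assumptions, not anything the replies specify.

```perl
#!/usr/bin/perl
# Added example (not from the thread): checks dsheroh's rule that no *.pm files
# sit under the document root, and ikegami's advice to verify that a CGI URL
# answers with program output rather than Perl source. Core modules only.
use strict;
use warnings;
use File::Find;
use HTTP::Tiny;   # core since Perl 5.14

# Return every *.pm file beneath $docroot; a correct deployment returns none.
sub modules_under_webroot {
    my ($docroot) = @_;
    my @found;
    find(sub { push @found, $File::Find::name if -f $_ && /\.pm\z/ }, $docroot);
    return @found;
}

# Heuristics (assumed here) for "this body is Perl source, not script output".
sub looks_like_perl_source {
    my ($body) = @_;
    return 1 if $body =~ /\A#!.*\bperl\b/;                       # shebang line
    return 1 if $body =~ /^\s*use\s+(?:strict|warnings|lib)\b/m;  # pragmas
    return 1 if $body =~ /^\s*(?:my|our)\s+[\$\@%]\w+\s*=/m;      # declarations
    return 0;
}

# Fetch a CGI URL; returns (HTTP status, 1 if the body looks like leaked source).
sub check_cgi_url {
    my ($url) = @_;
    my $res = HTTP::Tiny->new(timeout => 10)->get($url);
    return ($res->{status}, looks_like_perl_source($res->{content} // ''));
}

# Usage: script.pl DOCROOT [URL ...]; no arguments = offline self-check on samples.
my ($docroot, @urls) = @ARGV;
if (defined $docroot) {
    my @pm = modules_under_webroot($docroot);
    print @pm ? "Move these out of the web root:\n" . join("\n", @pm) . "\n"
              : "OK: no .pm files under $docroot\n";
}
for my $url (@urls) {
    my ($status, $leaked) = check_cgi_url($url);
    printf "%s: HTTP %d, %s\n", $url, $status, $leaked ? 'LEAKS SOURCE' : 'executed';
}
unless (@ARGV) {   # constructed sample bodies, not real responses
    my %samples = ('leaked stub' => "#!/usr/bin/perl\nuse MyApp::Main;\nMyApp::Main->run();\n",
                   'real output' => "<html><body>Thanks for your order</body></html>\n");
    printf "%-12s => %s\n", $_, looks_like_perl_source($samples{$_}) ? 'source' : 'output'
        for sort keys %samples;
}
```

Run it against a staging host after every web server configuration change; a "LEAKS SOURCE" line means the handler mapping, not the script, needs fixing.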

Re: hide perl script
by Your Mother (Archbishop) on Apr 02, 2018 at 01:46 UTC
    if your scripts process online payments or perform some encryption or some secretive stuff, it would be a nightmare scenario if your server allowed people to see your perl source instead of executing it

    Only if your code is buggy or your security practices are bad. Granted it's certainly not desirable to give hackers a view of your code because they may notice weaknesses you did not or find shortcuts to making brute force attacks affordable but assuming correct code and proper practices, it makes no difference. If it did, all open source applications would be inherently insecure.

      Security vulnerabilities aren't the only concern; web apps contain plenty of trade secrets

        Of course, but that does not seem to be the concern here; payment info or encryption leaking.

Re: hide perl script
by jimpudar (Pilgrim) on Apr 02, 2018 at 07:02 UTC

    As ikegami has explained, if your server is returning your source code, that means your server is misconfigured.

    However, there are legitimate reasons for wanting to prevent your users from reading your proprietary Perl code.

    For this, I would recommend taking a look at Filter::Crypto module on CPAN.

    Do note that once someone obtains the source code, there is really nothing you can do to completely prevent them from decrypting it:

    In general, it is hopeless to try to prevent everyone from getting at the source code, especially when it is being run in an environment that you have no control over, and even more so when the software running it (Perl) is open source itself.

    This technique can never completely hide the original unencrypted source code from people sufficiently determined to get it. The most it can hope for is to hide it from casual prying eyes, and to outdo everyone who is using a precompiled perl (at least from "regular" sources) and everyone who is not knowledgeable enough to suitably modify the Perl source code before compiling their own.

    Best,

    Jim

Re: hide perl script
by karlgoethebier (Abbot) on Apr 02, 2018 at 08:41 UTC
    "...nightmare scenario...obfuscate my perl script..."

    Acme::Bleach and/or snail mail for the rescue.

    In other words: I guess something different went wrong.

    Best regards, Karl

    «The Crux of the Biscuit is the Apostrophe»

    perl -MCrypt::CBC -E 'say Crypt::CBC->new(-key=>'kgb',-cipher=>"Blowfish")->decrypt_hex($ENV{KARL});'

Node Type: perlquestion [id://1212125]
Approved by 1nickt
Front-paged by Corion