I am using the ACS sitemap feature to generate the sitemap for my site. This is rendered on the page with .xml extension. However, the security checklist recommends disabling .xml extension in the Apache Configuration.
"As a preventive measure disable the other default renderers (HTML, plain text, XML). Again by configuring the Apache Sling GET Servlet."