though I have taken care of CSRF and XSS prevention.
So what are you protecting the application from to think about disguising URL.. Id on not see any reason as you already stated...
damage the programming conventions
Identification of threat is the first and must activity that should be done, unnecessary implementations would result in maintenance issues/burden and performance issues but nothing else...