0

So normally I have links like:

http://domain.com/action?some=1&foo=2

and so on. It makes me really upset, as some clever users might just reinvent the link on their own and get access to some data, which is not desirable. I know I can set up security on the server side, but I'd like to make links look like:

http://domain.com/action

And 'some' and 'foo' are sent as a POST request

3 Answers

1

Actions in ASP.NET MVC don't distinguish between Post and Get as far as the parameters to the actions are concerned. However, you can start by marking your actions with the attribute [HttpPost]. This will limit the request options to post only.

Now to the second "issue", you need to change all your links so that you use post instead of get, you can do this by using ajax, check out $.post in jQuery for that.

This doesn't solve any security issues with your parameters though; it generally doesn't matter if you show it in the querystring or if it is sent by a post. If someone wants to inject something into your post-data, it's not rocket science.


4 Comments

True. But at least links look nicer. I've been curious because I've seen a similar solution on different sites where there is no query string, but data must be somehow passed to the server
Yup, but the downside is that you can't share the link with your friends.
That's not the problem, because I doubt anyone would share a link to things like post edit.
It's all about the reason. If it is an "edit" page, sure, use POST instead of GET, makes more sense. But if it is a search that you want to be able to share, using GET would make more sense.
1

You have to wrap it in a form for it to work; with the inputs being hidden. On the server side you have to restrict the action to only responding to a POST request. However, this doesn't really solve your problem as a sufficiently interested and knowledgeable user can just as easily craft a POST as a GET.


0

You can add a form to the view and apply the [HttpPost] attribute to the action which will take the model after the post.

Adding a form to the Razor view (you will also need a button or a link to submit):

@using (Html.BeginForm("SomeAction", "SomeController", FormMethod.Post, new { @id = "someFormId" }))
{
    @Html.HiddenFor(model => model.some)
    @Html.HiddenFor(model => model.foo)
}

And here is a Controller with an action to process your post:

public class SomeController : Controller
{
    [HttpPost]
    public ActionResult SomeAction(SomeModel model)
    {
        //process 'some' and 'foo' here
        return View(model);
    }
}

To enhance security you can easily encrypt/decrypt "some" and "foo" values.
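An added example (not part of the answers above and not code from the original page) of the server-side check the answers say is still needed: the action decides access from the authenticated identity, so a hand-crafted POST carrying a different 'some' value is refused. RecordStore, its sample data, and the int property types on SomeModel are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Web.Mvc;

// Hypothetical model: 'some' is assumed to identify the record being requested.
public class SomeModel
{
    public int some { get; set; }
    public int foo { get; set; }
}

// Hypothetical store: constructed sample data standing in for a database,
// mapping a record id to the user name that owns it.
public static class RecordStore
{
    private static readonly Dictionary<int, string> Owners = new Dictionary<int, string>
    {
        { 1, "alice" },
        { 2, "bob" }
    };

    public static string FindOwner(int id)
    {
        string owner;
        return Owners.TryGetValue(id, out owner) ? owner : null;
    }
}

[Authorize] // anonymous requests are rejected before the action runs
public class SomeController : Controller
{
    [HttpPost] // limits the verb only; it does not make the posted values trustworthy
    public ActionResult SomeAction(SomeModel model)
    {
        if (model == null || !ModelState.IsValid)
            return new HttpStatusCodeResult(HttpStatusCode.BadRequest);

        string owner = RecordStore.FindOwner(model.some);
        if (owner == null)
            return HttpNotFound();

        // Access is decided from the authenticated identity, not from what the client sent.
        if (!string.Equals(owner, User.Identity.Name, StringComparison.OrdinalIgnoreCase))
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);

        return View(model);
    }
}
```

With this check in place it does not matter whether 'some' arrives in a query string, a hidden field, or a crafted request body: the lookup and ownership comparison run on every call.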
