To turn things around a little: If you have sensitive data you don't want to make visible by appending it to the URL, you can put it in "hidden" form fields. They still go to the server, but as form fields instead of a URL
string. This has the effect of making them invisible in a browser's address field. Of course, they're not encrypted or anything, and would still be accessible to a determined snooper. But hiding data via POST has the advantage of preventing dumb questions from users, like "what's all that stuff at the end of the URL?"