Section: 6.1.1
Sub Level: General
The application should use HTTP POST whenever sensitive data is sent to the application. This includes things like SSNs, credit card numbers, passwords, session IDs, etc. Suppress support for URL rewriting of session cookies. Any data sent as part of URL parameters will be leaked in web server log files, and will be included in the browser's favorites (if bookmarked) and in the address bar history.
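To check an existing deployment against this requirement, the following added example (not part of the original standard) scans access-log lines for sensitive parameter names that reached the URL, either in the query string or as a rewritten session ID in the path. The parameter-name list, the Common Log Format layout and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed parameter names that indicate sensitive data; tune for the application.
SENSITIVE_PARAMS = {"ssn", "password", "passwd", "pwd", "cc", "ccnum", "cardnumber",
                    "sessionid", "jsessionid", "phpsessid", "sid", "token"}

# Request line inside a Common/Combined Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Session ID rewritten into the path, e.g. /cart;jsessionid=1A2B3C4D
PATH_PARAM_RE = re.compile(r";(?P<name>[A-Za-z_]+)=[^/?;]+")

# Constructed sample log lines (documentation IP range, made-up values).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] '
    '"GET /login?user=alice&password=hunter2 HTTP/1.1" 200 512',
    '192.0.2.11 - - [10/Oct/2023:13:56:01 +0000] '
    '"GET /cart;jsessionid=1A2B3C4D?item=4 HTTP/1.1" 200 2048',
    '192.0.2.12 - - [10/Oct/2023:13:56:40 +0000] "POST /login HTTP/1.1" 302 0',
]


def find_url_leaks(log_line):
    """Return the sorted sensitive parameter names exposed in the logged URL."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    parts = urlsplit(match.group("target"))
    # Names from the query string (?a=1&b=2); blank values still count as exposure.
    names = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    # Names from path parameters, where URL rewriting places the session ID.
    names |= {m.group("name").lower() for m in PATH_PARAM_RE.finditer(parts.path)}
    return sorted(names & SENSITIVE_PARAMS)


def scan(lines):
    """Map 1-based line numbers to the sensitive names found on that line."""
    findings = {}
    for lineno, line in enumerate(lines, start=1):
        leaks = find_url_leaks(line)
        if leaks:
            findings[lineno] = leaks
    return findings


if __name__ == "__main__":
    for lineno, leaks in scan(SAMPLE_LOG).items():
        print(f"line {lineno}: sensitive data in URL: {', '.join(leaks)}")
```

The POST request on the third sample line produces no finding because its body is not part of the logged request line, which is the behaviour the requirement relies on.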