Indeed. I actually just finished implementing the secret token method throughout my app less than a minute ago. I have fullscreen and mobile versions... and without going into too much detail on exactly why in my particular case, it's cleaner and easier to use simple links (i.e., GET) for something like removing items from lists... so the token method is the only feasible solution to prevent something like I mentioned in my other comment (fake images and whatnot). But with the fullscreen version, since it's all AJAX and to make things easy on myself, I converted everything (except file uploads) to send data via POST (all links are generated by a function so instead of href it's onclick+ajax)... along with the token too of course... which was all a win-win because I lifted the data limit that GET used to impose as well.
But anyway... today I learned that even though GET and POST are no different security-wise... always use a secret token when security is an issue... and it's best to use POST because it allows MUCH more data than GET.
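The secret token method described in the comment above, as an added example that is not the commenter's code: a per-session token is attached to a GET link and to a POST form, and the server checks it the same way for both. The names `SERVER_KEY`, `remove_item_link`, `handle_request` and the `/list/remove` path are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed key for the example; a real app loads this from its secret store.
SERVER_KEY = secrets.token_bytes(32)


def new_session_id() -> str:
    """Random session identifier (stands in for the app's session cookie)."""
    return secrets.token_urlsafe(16)


def csrf_token(session_id: str) -> str:
    """Derive the token from the session so another site cannot predict it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, supplied: Optional[str]) -> bool:
    """Reject a missing token; compare the rest in constant time."""
    if not supplied:
        return False
    expected = csrf_token(session_id).encode()
    return hmac.compare_digest(expected, supplied.encode())


def remove_item_link(session_id: str, item_id: int) -> str:
    """Build the 'simple link' (GET) with the token as a query parameter."""
    query = urlencode({"item": item_id, "token": csrf_token(session_id)})
    return "/list/remove?" + query


def handle_request(session_id: str, method: str, url: str,
                   form: Optional[dict] = None) -> int:
    """Return an HTTP status; GET and POST go through the same token check."""
    if method == "POST":
        supplied = (form or {}).get("token")
    else:
        supplied = parse_qs(urlsplit(url).query).get("token", [None])[0]
    return 200 if token_is_valid(session_id, supplied) else 403
```

A token carried in a GET URL also ends up in server logs, browser history and `Referer` headers, which a token sent in a POST body avoids.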