Skins can now set this in their skin.conf: state-change-require=POST which is recommended. When set, DA will only allow state-change operations though POST commands. As some 3rd party skins may not be doing this already, it's off by default. Only applies to session-based connections. CMD_API calls that authenticate with each call are not affected. Some custom skins may require a few changes to forms below to ensure setting the variable doesn't break current forms. Some of the changes below are set in the table tokens, not skin html, so not all entries need addressing (if your skin uses table tokens) =============== Internal code change areas, only enforced if skin has it enabled. Confirmed User deletion: changed to POST CMD_ALL_USER_SHOW: POST CMD_USER_SHOW: POST CMD_SHOW_SERVICES: changed table to use POST forms CMD_SERVICE: requires POST reseller/show_user.html: delete/suspend/unsuspend forms, POST CMD_API_GET_SESSION: requires POST =============== June 19: Update: Saving "Admin Settings" action=conf ended with a CMD_SERVICES GET redirect to restart directadmin. Changed to internally push the reload to the task.queue without the redirect.