in reply to Upload form

I don't really want to use GET since it shows the info in the URL. (security thing)

What leads you to believe that a client could not also show the contents of a POST request?

All you know about the client is that it speaks HTTP. It could do anything it wants with what you send to it, and it could send anything back.

Assuming you have a finite amount of time to write a secure application, spend your time doing things that will provide actual security, not superficial security.

Of course, if you're doing internal development and you know that no one will ever use anything other than the company-mandated web browser, even by accident, you can make other assumptions. Do be cautious, though.
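The point made in the reply above, as an added example that is not part of the original post: the same form field is recovered just as easily from a POST body as from a GET URL, and a hand-written request can carry fields the form never offered. The host name, path, field names and sample requests are constructed for illustration, and only urlencoded forms are handled.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests: one form field sent with GET, then with POST.
GET_REQUEST = (b"GET /upload.cgi?description=quarterly+report HTTP/1.1\r\n"
               b"Host: app.example\r\n\r\n")
POST_REQUEST = (b"POST /upload.cgi HTTP/1.1\r\n"
                b"Host: app.example\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: 28\r\n\r\n"
                b"description=quarterly+report")
# Constructed request written by hand rather than produced by the form.
HANDWRITTEN = (b"POST /upload.cgi HTTP/1.1\r\n"
               b"Host: app.example\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 21\r\n\r\n"
               b"description=x&extra=1")

def form_fields(raw: bytes) -> dict:
    """Return the form fields carried by a raw HTTP/1.1 request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Fields in the URL query string (the GET case).
    fields = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # Fields in a urlencoded body (the POST case): same encoding, same parser.
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if method == "POST" and ctype == "application/x-www-form-urlencoded":
        length = int(headers.get("content-length", len(body)))
        text = body[:length].decode("iso-8859-1")
        for key, values in parse_qs(text, keep_blank_values=True).items():
            fields.setdefault(key, []).extend(values)
    return fields

def unexpected_fields(fields: dict, expected: set) -> set:
    """Server-side check: names the client sent that the form never defined."""
    return set(fields) - expected

if __name__ == "__main__":
    for name in ("GET_REQUEST", "POST_REQUEST", "HANDWRITTEN"):
        parsed = form_fields(globals()[name])
        print(name, parsed, unexpected_fields(parsed, {"description"}))
```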