I was reading that it was a good idea to convert all GET type requests to a JSON resource to POST in order to prevent another site from stealing information through <script src="myEndpoint">, but I'm still trying to make sense of it. It seems that this would only protect against that scenario or possible enumeration of the endpoint.
I am planning for our JSON resources to require an auth token in the auth header in order for the action to execute and return JSON. Should this be good enough?
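
A sketch of the header-token check described in the question, run against a script-tag style request and the client's own GET and POST requests; this is an added example, not part of the original post. The token value, function names and request shapes are constructed for illustration, and it assumes a bearer token that the client's own code places in the Authorization header.

```javascript
// Added example: token, names and request shapes are constructed for illustration.
const VALID_TOKEN = "constructed-demo-token-0001";

// Compare two strings without stopping at the first mismatching character.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

// HTTP header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Decide the response for the JSON resource. Only the Authorization header is
// consulted: cookies and the HTTP method play no part in the decision.
function handleJsonRequest(req) {
  const auth = getHeader(req.headers || {}, "authorization");
  const match = typeof auth === "string" ? /^Bearer (\S+)$/i.exec(auth) : null;
  if (!match || !constantTimeEqual(match[1], VALID_TOKEN)) {
    // Empty body: nothing for an including page to read or execute.
    return { status: 401, headers: { "WWW-Authenticate": "Bearer" }, body: "" };
  }
  return {
    status: 200,
    headers: { "Content-Type": "application/json", "X-Content-Type-Options": "nosniff" },
    body: JSON.stringify({ account: "constructed-sample" }),
  };
}

// Constructed requests. A <script src> include can carry cookies but cannot
// attach a token that the client's own code adds to the Authorization header.
const samples = {
  scriptInclude: { method: "GET", headers: { Cookie: "session=constructed" } },
  clientGet: { method: "GET", headers: { Authorization: "Bearer " + VALID_TOKEN } },
  clientPost: { method: "POST", headers: { authorization: "bearer " + VALID_TOKEN } },
  wrongToken: { method: "POST", headers: { Authorization: "Bearer not-the-token" } },
};

for (const [name, req] of Object.entries(samples)) {
  console.log(name, req.method, handleJsonRequest(req).status);
}
```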