diff --git a/browserid/lib/wsapi.js b/browserid/lib/wsapi.js
index c2761d5ad916d553fed6f94382779c607d960e43..a58a1e60f69479696489d2e672b08f5d8b34e46b 100644
--- a/browserid/lib/wsapi.js
+++ b/browserid/lib/wsapi.js
@@ -63,12 +63,12 @@ function setup(app) {
    * this involves creating a secret url that must be delivered to the
    * user via their claimed email address.  Upon timeout expiry OR clickthrough
    * the staged user account transitions to a valid user account */
-  app.get('/wsapi/stage_user', checkParams([ "email", "pass", "pubkey", "site" ]), function(req, resp) {
+  app.post('/wsapi/stage_user', checkParams([ "email", "pass", "pubkey", "site" ]), function(req, resp) {
       
       // bcrypt the password
       // we should be cloning this object here.
-      var stageParams = req.query;
-      stageParams['hash'] = bcrypt.encrypt_sync(req.query.pass, bcrypt.gen_salt_sync(10));
+      var stageParams = req.body;
+      stageParams['hash'] = bcrypt.encrypt_sync(stageParams.pass, bcrypt.gen_salt_sync(10));
         
       try {
         // upon success, stage_user returns a secret (that'll get baked into a url
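Review bot: `stageParams` is still the request body object itself, so the cleartext `pass` field stays on it next to the new `hash` and travels wherever `stageParams` goes in the rest of the handler, which lies outside this hunk. Building a fresh object would resolve the existing "we should be cloning this object" comment and keep the password out of anything staged or logged: `var stageParams = { email: req.body.email, pubkey: req.body.pubkey, site: req.body.site };`, then assign `hash` from `req.body.pass` as before. Also confirm that `checkParams` (not shown) now validates `req.body` rather than `req.query`, otherwise the required-parameter check no longer matches where the values arrive.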
diff --git a/browserid/static/dialog/controllers/dialog_controller.js b/browserid/static/dialog/controllers/dialog_controller.js
index 8744d723808a298ffbd0c439626d79e658ef1e58..05d2734098538bd5eced4fe7b0406ec2f8fb932f 100644
--- a/browserid/static/dialog/controllers/dialog_controller.js
+++ b/browserid/static/dialog/controllers/dialog_controller.js
@@ -191,11 +191,14 @@ $.Controller("Dialog", {}, {
       var self = this;
 
       $.ajax({
-          url: '/wsapi/stage_user?email=' + encodeURIComponent(email)
-            + '&pass=' + encodeURIComponent(pass)
-            + '&pubkey=' + encodeURIComponent(keypair.pub)
-            + '&site=' + encodeURIComponent(this.remoteOrigin.replace(/^(http|https):\/\//, '')),
-            success: function() {
+          type: "post",
+          url: '/wsapi/stage_user',
+          data: {email: email,
+              pass: pass,
+              pubkey : keypair.pub,
+              site : this.remoteOrigin.replace(/^(http|https):\/\//, ''),
+              csrf : self.csrf},
+          success: function() {
             // account successfully staged, now wait for email confirmation
             self.doConfirmEmail(email, keypair);
           },
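Review bot: The `csrf : self.csrf` field added to `data` only protects this request if the server rejects a missing or wrong token, and the `/wsapi/stage_user` handler hunk in this commit shows no such check. If middleware elsewhere enforces it, a comment here naming where would help the next reader. Presumably `self.csrf` is fetched earlier in the dialog flow; if that fetch can still be pending at this point, the request goes out without a usable token, so a guard before `$.ajax` would be prudent. On style, `site` reads `this.remoteOrigin` while the line below uses `self`; prefer `site : self.remoteOrigin.replace(/^(http|https):\/\//, ''),` for consistency. The enclosing method starts and ends outside the hunk.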
diff --git a/browserid/tests/registration-status-wsapi-test.js b/browserid/tests/registration-status-wsapi-test.js
index 96a0bdb8ac7a5c52f293c83482743cce78181d9c..eec961955cc2df13206b90e8e6815e0d5a1e7515 100755
--- a/browserid/tests/registration-status-wsapi-test.js
+++ b/browserid/tests/registration-status-wsapi-test.js
@@ -31,7 +31,7 @@ suite.addBatch({
 // now start a registration
 suite.addBatch({
   "start registration": {
-    topic: wsapi.get('/wsapi/stage_user', {
+    topic: wsapi.post('/wsapi/stage_user', {
       email: 'first@fakeemail.com',
       pass: 'firstfakepass',
       pubkey: 'fakepubkey',
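Review bot: Both updated batches ("start registration" here and "re-registering an existing email" in the next hunk) exercise only the new POST route. Nothing would fail if a GET handler for `/wsapi/stage_user` were reintroduced and passwords went back into query strings. A small extra batch asserting that `wsapi.get('/wsapi/stage_user', …)` no longer stages a user would pin the change. The posted objects shown also carry no `csrf` field, unlike the dialog's request; whether the `wsapi.post` helper supplies one is not visible here, so confirm the tests cover the token path. The topic objects continue outside both hunks.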
@@ -112,7 +112,7 @@ suite.addBatch({
 
 suite.addBatch({
   "re-registering an existing email": {
-    topic: wsapi.get('/wsapi/stage_user', {
+    topic: wsapi.post('/wsapi/stage_user', {
       email: 'first@fakeemail.com',
       pass: 'secondfakepass',
       pubkey: 'secondfakepubkey',