Do not put the secret value in URLs for C<GET> requests.
+=head2 NON-PAGE RESOURCES
+
+Some, but not all, non-page resources (fetched with GET) need to have
+the secret hidden parameter in the query parameters in the form url.
+
+So if your application supports anything except HTML pages you need to
+take special measures. (Wholly invariant resources which don't depend
+on which user is logged in are an exception.)
+
+When you generate a url to such a resource you must call
+resource_get_needs_secret_hidden to find out whether to include the
+hidden form parameter xxx fixme
+
+You can only when logged in
+
+ call
+C<nonpage_ok> when you are processing one of these. You need to
+supply a parameter specifying exactly what kind of resource this is:
+
+
+
+before you
+generate any output
+
+ (other than
+
+
=head2 MUTATING OPERATIONS AND EXTERNAL LINKS INTO YOUR SITE
By default CGI::Auth::Flexible does not permit external links into