Trying to hide URL parameters from http GET by reposting using http POST

I've been using an HTTP GET where the parameters are passed in the URL, and then I create a custom web page (after grabbing information from the database, assuming the username and password are valid).
The issue I've had is that the URL shows those parameters, including the password, so they are visible in the address bar and browser history.

eg. http://localhost:8080/testget/myUser/myPassword

I finally got around to trying a POST from inside the generated web page, which wraps those parameters in JSON. I think I finally got the POST to work (sending it with XMLHttpRequest and writing the response into the page with window.document.write()), but the parameters still show in the URL.

The enclosed flow contains a sample, which is invoked with the same URL as above:

 http://localhost:8080/testget/myUser/myPassword

Then click the "hide password" button, which invokes the POST to /posttest. But the URL in the address bar doesn't change.

Any ideas on how to hide these values? Or is there another way to redirect to the generated HTML from Node-RED? Also, since the generated page includes CSS, SCRIPT and HTML, the getElementById(html) approach won't work.

thanks,

[{"id":"f0758282d23c7a8a","type":"tab","label":"POST vs GET","disabled":false,"info":"","env":[]},{"id":"9e382bde773a1058","type":"function","z":"f0758282d23c7a8a","name":"Change POST to msg.req.params.NAME","func":"\n\n\n\nvar username = msg.payload.username;\nvar password = msg.payload.password;\nvar guestpassword = msg.payload.guestpassword;\n\nmsg.req.params.NAME = username;\nmsg.req.params.PASSWORD = password;\nmsg.req.params.GUESTPASSWORD = guestpassword;\n\nconsole.log(\"args: \" + msg.req.params.NAME + \", \" + msg.req.params.PASSWORD);\nreturn msg;","outputs":1,"noerr":0,"initialize":"","finalize":"","libs":[],"x":240,"y":540,"wires":[["30ce8ae681d6a2ee"]]},{"id":"73ba552528969e57","type":"http in","z":"f0758282d23c7a8a","name":"","url":"posttest","method":"post","upload":false,"swaggerDoc":"","x":120,"y":440,"wires":[["9e382bde773a1058"]]},{"id":"1707616b797b53e8","type":"http response","z":"f0758282d23c7a8a","name":"","statusCode":"","headers":{},"x":850,"y":540,"wires":[]},{"id":"c1289b1715bd9d88","type":"change","z":"f0758282d23c7a8a","name":"set headers","rules":[{"t":"set","p":"headers","pt":"msg","to":"{}","tot":"json"}],"action":"","property":"","from":"","to":"","reg":false,"x":670,"y":520,"wires":[["1707616b797b53e8"]]},{"id":"30ce8ae681d6a2ee","type":"template","z":"f0758282d23c7a8a","name":"Create Web Page with parameters","field":"payload","fieldType":"msg","format":"handlebars","syntax":"mustache","template":"<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\"\n        \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n<html xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"en\" lang=\"en\">\n  <head>\n<title>Test POST vs GET</title>\n<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n<link rel=\"stylesheet\" href=\"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css\">\n<style>\n\n/* Style the buttons */\n\n.button {\n  background-color: #33FFFF;\n  color: black;\n  font-size: 
36px;\n  border: 2px solid #4CAF50;\n  border-radius:12px;\n\n}\n\n.button:hover {\n  background-color: lightblue;\n   font-size: 36px;\n  color: white;\n}\n</style>\n\n</head>\n\n<script>\nvar _semanticMarkerFlowURL = \"http://localhost:1880/\";\n\n// Change to TRUE on the final version.. AND uncomment out the _devicesJSON (since the JSON cannot use a \" \"\nvar _useFinal = true;\nvar _username;\nvar _password;\nif (_useFinal)\n{\n   _username = \"{{req.params.NAME}}\";\n   _password = \"{{req.params.PASSWORD}}\";\n}\nelse\n{\n\n    _username = \"scott\";\n    _password = \"pass102\";\n}\n\n\n//!test the POST, Only send username and password\nfunction repostToHidePassword()\n{\n\t var flowMetaJSON = { \"username\" : _username,\n\t\t\t\t\t\t  \"password\" : _password\n\t\t\t\t\t\t\t\t};\n\n\n    let xhr = new XMLHttpRequest();\n    xhr.open(\"POST\", \"http://localhost:1880/posttest\");\n\n    xhr.setRequestHeader(\"Accept\", \"application/json\");\n    xhr.setRequestHeader(\"Content-Type\", \"application/json\");\n\n    xhr.onreadystatechange = function () {\n      if (xhr.readyState === 4) {\n\t\t  // replace with the result html + css + script \n\t\tdocument.open();\n        document.write(xhr.responseText);\n        console.log(xhr.responseText);\n        document.close();\n        //tried this:\n                // window.location.assign(_semanticMarkerFlowURL + \"testpost\");\n\n      }};\n    xhr.send(JSON.stringify(flowMetaJSON));\n}\n\nwindow.onload = function()\n{\n    //update the html elements with parameters\n   document.getElementById('_userId').innerHTML = _username;\n   document.getElementById('_userIdPass').innerHTML = _password;\n}\n\n</script>\n\n<body>\n<h1 >POST Testing</h1>\n<br>\n<h2 id=\"_userId\">user</h2>\n<h2 id=\"_userIdPass\">pass</h2>\n<br>\n<input type=\"button\" class=\"button\" id=\"repost\" value=\"hide password\" onClick=\"repostToHidePassword()\" 
/>\n\n","output":"str","x":600,"y":580,"wires":[["c1289b1715bd9d88"]],"icon":"node-red/alert.svg"},{"id":"efaea5db050195b4","type":"http in","z":"f0758282d23c7a8a","name":"","url":"/testget/:NAME/:PASSWORD","method":"get","upload":false,"swaggerDoc":"","x":180,"y":600,"wires":[["30ce8ae681d6a2ee"]]},{"id":"5e38d6cc45cd46f7","type":"comment","z":"f0758282d23c7a8a","name":"posttest needs JSON values for NAME and PASSWORD","info":"","x":250,"y":400,"wires":[]},{"id":"2dad8e6c58315318","type":"comment","z":"f0758282d23c7a8a","name":"testget uses values for NAME and PASSWORD","info":"","x":240,"y":660,"wires":[]},{"id":"a1d2dec90bfa3d23","type":"comment","z":"f0758282d23c7a8a","name":"Convert JSON into  NAME and PASSWORD","info":"","x":290,"y":500,"wires":[]}]