Originally Posted by sith717
You stay on the same page all the time.
Yeah that could work however as others have mentioned hiding the actual URL behind a static URL is a bad
idea and will only stop the most novice of users. Not to mention it makes it a major pain in the butt for the users for your site. You make it impossible to ever bookmark any pages or return to a specific page directly. Using frames to keep one URL in the address bar is bad design.
If your client's security audit says having "real" URLs is bad security then the audit is wrong. What you put in the URL can
lead to poor security but that's why you write proper sever side code to sanitize and sanity check all inputs, as abduraooft already mentioned.
I have a feeling your client and/or you are misunderstanding what the actual problem is that the security audit found.