@dee for most attacks it's pretty much the perfect way of mitigating things, the only issue is that if you sell that on the mass market you have to figure out how to enumerate all the urls.

The other thing of course that it doesn't protect you from is things like WordPress that conveniently accept POST requests on any URL and then actions them.