Since version 6.10, Hiawatha has protection against Cross-Site Request Forgery. You can turn this feature on per virtual host:
PreventCSRF = yes
If it's turned on, Hiawatha will not send cookies to a CGI process when a POST request has been received with a hostname from the Referer HTTP header not matching the Host HTTP header line. This will automaticly logout users from that website. I choose to only protect against POST-CSRF requests, because 99.99% of all websites use POST requests to add, modify or delete information within the website, not GET requests. Almost all GET requests with a Referer not matching the Host are not dangerous. They are because of a simple and harmless link on one website to another.