The biggest change in this release is the way the PreventCSRF, PreventSQLi and PreventXSS options work. In the previous release, those options could only be turned on or off. The idea behind these features was to turn them on only when a web application was vulnerable to such an attack, or when there was a serious suspicion that it was. However, many people turned them on even when the web application was perfectly secure. This led to issues, especially with the PreventSQLi option, because requests that would have led to an SQL injection on a vulnerable application were blocked. Since the application itself was not vulnerable to SQL injection, blocking those requests was unjustified: they were false positives.
To make those options more useful, you can now run them in detect mode. Hiawatha will look for attacks and report them (via the logfiles and the Monitor), but will not block any request. You can use this to learn what kinds of attacks take place against your website, how many there are and, most importantly, how many of the detected requests are actual attacks and how many merely match the pattern of an attack. Once you know the false-positive rate for your application, you can decide whether an option should be switched to blocking mode at all.
The Let's Encrypt script and the support for it have also been improved. The script itself now supports revocation of a certificate. Hiawatha will now also ignore the RequireTLS setting for requests to /.well-known/acme-challenge/, because the Let's Encrypt CA server requests a verification file from that directory over plain HTTP (the ACME HTTP-01 challenge) during certificate issuance or renewal. A redirect to HTTPS would disrupt that process.
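As an added illustration of both points above (not a fragment from the release or from the Hiawatha project itself), here is a hiawatha.conf excerpt that runs the three attack-detection options in detect mode and forces HTTPS for the rest of the site. The hostname, file paths and the exact keyword values (`detect` as the option value, `RequireTLS = yes`) are assumptions taken from the description above and the Hiawatha manual; check them against the manual shipped with your version.

```text
# Added example hiawatha.conf excerpt; hostname, paths and exact keyword
# values are assumptions, verify them against your version's manual.
Binding {
    Port = 80
}

Binding {
    Port = 443
    TLScertFile = /etc/hiawatha/tls/example.pem
}

VirtualHost {
    Hostname = www.example.com
    WebsiteRoot = /var/www/example/public
    AccessLogfile = /var/log/hiawatha/example-access.log
    ErrorLogfile = /var/log/hiawatha/example-error.log

    # Detect mode: matching requests are reported in the logfiles and the
    # Monitor but are not blocked. Review the reports for a while and only
    # switch an option to blocking mode if the application really is
    # vulnerable to that class of attack.
    PreventCSRF = detect
    PreventSQLi = detect
    PreventXSS = detect

    # Redirect plain-HTTP requests to HTTPS. Requests for
    # /.well-known/acme-challenge/ are exempt from this redirect, so the
    # Let's Encrypt HTTP-01 validation over plain HTTP still succeeds.
    RequireTLS = yes
}
```

After enabling detect mode, compare the reported requests against what the application actually does with that input; a legitimate request that merely contains a quote character or an angle bracket is exactly the kind of false positive the old on/off behaviour would have blocked.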