Can't rely solely on HTTP_REFERER
HTTP_REFERER is a good defence, but cannot be the sole defence, because certain systems remove the referrer from requests (yes, I'm looking at you, Norton Internet Security).
GET should never do anything but fetch content for viewing. http://example.com/script?do=delete&what=all_my_stuff is going to be bad news.
POST should always be used for data-altering actions, but as forms can be forged and auto-submitted using JavaScript, this should not be relied upon as the sole defence either.
If you avoid auto-submission of forms by disabling JavaScript, you're still not safe from form forgery. Consider this:
<form action="http://bank.com/" method="post">
<!-- Hidden fields the victim never sees: together they forge a transfer request -->
<input type="hidden" name="do" value="transfer" />
<input type="hidden" name="account" value="12345678" />
<input type="hidden" name="value" value="5000.00" />
<!-- The visible part looks like a harmless rating widget -->
Rate this image:
<input type="radio" name="rating" value="3" />Great
<input type="radio" name="rating" value="2" />Mediocre
<input type="radio" name="rating" value="1" />Terrible
<!-- Clicking "Go" POSTs the hidden fields to the bank with the victim's own cookies attached -->
<input type="submit" value="Go" />
</form>
The only secure defence right now is the security token.
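A worked illustration of the token check this answer recommends, with the Referer and method checks kept only as defence in depth. This is an added example, not the answerer's code: the in-memory SESSIONS dict, the bank.example host, the evil.example attacker page and the request-dict shape are all assumptions standing in for a real framework's session and request objects.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed in-memory session store (session id -> CSRF token). In a real
# application this is the server-side session; the shape is an assumption.
SESSIONS = {}

# Hypothetical host of the protected site, used for the Referer/Origin check.
BANK_HOST = "bank.example"


def new_session():
    """Start a session and mint a fresh, unguessable token for it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def render_transfer_form(sid):
    """The legitimate form: the token travels as a hidden field that a page on
    another origin cannot read, so it cannot copy it into a forged form."""
    return (
        '<form action="/transfer" method="post">\n'
        f'<input type="hidden" name="csrf_token" value="{SESSIONS[sid]}" />\n'
        '<input type="text" name="account" />\n'
        '<input type="text" name="value" />\n'
        '<input type="submit" value="Transfer" />\n'
        '</form>'
    )


def origin_check(headers):
    """Defence in depth only. Returns True/False when Origin or Referer is
    present, None when both are missing (stripped by a proxy or privacy
    software), because absence proves nothing either way."""
    for name in ("origin", "referer"):
        value = headers.get(name)
        if value:
            return urlparse(value).hostname == BANK_HOST
    return None


def authorize_transfer(request):
    """Gate a state-changing request. `request` is a constructed dict with
    'method', 'cookies', 'headers' (lower-case names) and 'form', standing in
    for a framework's request object. Returns (allowed, reason)."""
    if request["method"] != "POST":
        return False, "state change must be a POST"
    sid = request["cookies"].get("session")
    if sid not in SESSIONS:
        return False, "no valid session"
    if origin_check(request["headers"]) is False:
        return False, "cross-origin Referer/Origin"
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison of the submitted token with the session's token.
    if not hmac.compare_digest(submitted.encode(), SESSIONS[sid].encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def demo():
    """Run the check against a legitimate submission and several forgeries."""
    sid = new_session()
    token = SESSIONS[sid]
    victim_cookies = {"session": sid}  # the browser attaches these either way
    transfer = {"account": "12345678", "value": "5000.00"}

    def req(method, headers, form):
        return {"method": method, "cookies": victim_cookies,
                "headers": headers, "form": form}

    return {
        "legit": authorize_transfer(req(
            "POST", {"referer": f"https://{BANK_HOST}/account"},
            {**transfer, "csrf_token": token})),
        # Legitimate user whose Referer was stripped: the token still passes.
        "legit_no_referer": authorize_transfer(req(
            "POST", {}, {**transfer, "csrf_token": token})),
        # The "rate this image" form above, submitted from an attacker's page.
        "forged": authorize_transfer(req(
            "POST", {"referer": "https://evil.example/rate"}, transfer)),
        # Same forgery with Referer stripped: that check is inconclusive,
        # the token check still fails.
        "forged_no_referer": authorize_transfer(req("POST", {}, transfer)),
        # Attacker guesses a token value.
        "forged_guess": authorize_transfer(req(
            "POST", {}, {**transfer, "csrf_token": "guess"})),
        # Mutation via GET is refused outright.
        "get": authorize_transfer(req("GET", {}, {**transfer, "csrf_token": token})),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:18} {'ALLOW' if ok else 'DENY ':5} {why}")
```

The point of the ordering: a missing Referer is not treated as a failure (that is the Norton case), but a present Referer from another host is rejected early, and whatever the headers say, the request only goes through when the per-session token matches.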