Hi,
In the HFS window, press Alt+F6 to open "event script", put the following inside:
[request]
{.if|{.!=|{.header|Host.}|mydomain.com:8080.}|{:{.disconnect.}:}.}
Replace the domain name with yours, and omit the port if it's 80.
Save it with Ctrl+S. Now HFS will disconnect any browser request not coming from the domain.
In order to allow localhost/127.0.0.1, use this:
[request]
{.if|{.and|
{.!=|{.header|Host.}|localhost:8080.}|
{.!=|{.header|Host.}|127.0.0.1:8080.}|
{.!=|{.header|Host.}|mydomain.com:8080.}
.}|{:{.disconnect.}:}.}
This is a whitelist pattern. You can put even more.
These can't prevent request header forgery, though. But this is very rare for normal people with a normal browser...
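
The same allowlist check modelled in Python, as an added example that is not part of the original post and is not HFS code. Case-insensitive matching, the explicit :80 default and rejecting a repeated Host header are this example's assumptions, not documented HFS behaviour; the sample requests are constructed.

```python
# Added illustration of the [request] allowlist above, modelled in Python.
# ALLOWED_HOSTS mirrors the post's three entries; requests below are constructed.
ALLOWED_HOSTS = {"mydomain.com:8080", "localhost:8080", "127.0.0.1:8080"}


def host_header(raw_request: bytes):
    """Return the Host header value, or None if it is absent or repeated."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = [line.split(":", 1)[1].strip()
              for line in head.split("\r\n")[1:]      # skip the request line
              if line.lower().startswith("host:")]
    return values[0] if len(values) == 1 else None


def normalize(host: str) -> str:
    """Lower-case the name and make the port explicit (browsers omit :80)."""
    host = host.strip().lower()
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit() and not name.endswith(":"):
        return f"{name}:{int(port)}"
    return f"{host}:80"


def should_disconnect(raw_request: bytes, allowed=ALLOWED_HOSTS) -> bool:
    """True when the request would be dropped by the allowlist."""
    host = host_header(raw_request)
    if host is None:
        return True
    return normalize(host) not in {normalize(a) for a in allowed}


# Constructed sample requests.
BY_NAME = b"GET / HTTP/1.1\r\nHost: mydomain.com:8080\r\n\r\n"
BY_IP = b"GET / HTTP/1.1\r\nHost: 203.0.113.7:8080\r\n\r\n"   # documentation IP
NO_HOST = b"GET / HTTP/1.0\r\n\r\n"
TWO_HOSTS = b"GET / HTTP/1.1\r\nHost: mydomain.com:8080\r\nHost: x\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("by name", BY_NAME), ("by IP", BY_IP),
                       ("no Host", NO_HOST), ("two Hosts", TWO_HOSTS)]:
        print(f"{label:10} -> {'disconnect' if should_disconnect(req) else 'serve'}")
    # The decision depends only on the bytes the client sent, never on who
    # sent them, which is why the rule filters stray traffic but does not
    # authenticate anyone.
```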