Thanks for taking it seriously. :^:
I already posted this some months ago:
:!: The only security issue with HFS is that, e.g. with Opera, the user:password can be guessed/bruteforced endlessly without an "access denied" screen.
Workaround: none, but choose a "strong" user:pass combination!
:!: Never make your (unedited) hfs.ini available. It contains the encoded user:pass combinations, possibly your dyndns login information and some other private info. (You don't share your Windows system files either, do you?)
:!: With the ~files.lst command, files from a protected directory can be listed, not downloaded. This could be a privacy issue.
Workaround: Place an empty directory in between (and don't publish its name).
:!: If you want to respect the privacy of your visitors (I hope you do), never give access to your logfiles either! (And don't put one of these infamous statcounters on your site, which often has the same or an even worse effect!)
Maybe a "sticky", Rejetto?
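
Since the post reports that password guessing is not cut off by the server, one way for an operator to notice it is to count failed logins per client in the access log. The following is an added example, not part of the original post and not HFS code; the log line format, the 401 status as the failure marker, the threshold and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) log format, not HFS's own: "YYYY-MM-DD HH:MM:SS <ip> <status> <path>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\d{3}) (\S+)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"

def find_guessing(lines, max_failures=5, window=timedelta(seconds=60)):
    """Return {ip: time the threshold was first reached} for clients that
    produced max_failures or more 401 responses inside a sliding window."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent 401 responses
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts = datetime.strptime(m.group(1), TS_FMT)
        ip, status = m.group(2), int(m.group(3))
        if status != 401:
            continue  # only failed authentication attempts are counted
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= max_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged

def sample_log():
    """Constructed sample lines using documentation-range IP addresses."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    def row(offset, ip, status):
        return f"{base + timedelta(seconds=offset):{TS_FMT}} {ip} {status} /private/"
    lines = [row(2 * i, "192.0.2.10", 401) for i in range(8)]        # rapid guessing
    lines += [row(0, "198.51.100.7", 401), row(5, "198.51.100.7", 401),
              row(9, "198.51.100.7", 200)]                           # two typos, then success
    lines += [row(150 * i, "203.0.113.5", 401) for i in range(5)]    # slow, below threshold
    lines.append("this line does not match the format")
    return lines

if __name__ == "__main__":
    for ip, when in find_guessing(sample_log()).items():
        print(f"{ip} reached the failure threshold at {when}")
```

A slow guesser, like the third client in the sample, stays under a per-minute threshold, which is why the post's advice to choose a strong user:pass combination still matters.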