Hi Please check the "HFS Download Support for IP Phone Firmware and Configuration Files" section of the following link which has the following security recommendations

Security Recommendations

Like any access interface, the HFS download service can open router files that should only be accessed by authorized persons. Security issues are made more severe by the fact that the HFS download service is HTTP based, enabling anyone with a simple web browser to access sensitive files, such as configuration or image files, by entering a random string of words.

However, the HFS security problem is restricted to the loose binding operation, where the administrator provides an HFS home path in which the phone firmware and other related files are stored.

In the case where a unique directory path (where only the phone firmware files are stored) is used as the HFS home path

only those files that are in flash:/cme/loads/ can be accessed.

But when it is the root directory path that is used as the HFS home path

there is a risk of making configuration files and system images, which are stored in the root directory shared with the phone firmware files, accessible to unauthorized persons.

The following are two recommendations on how to make firmware files inaccessible to unauthorized persons:

• Create a unique directory, which is not shared by any other application or used for any other purpose, fpr IP phone firmware files. Using a root directory as the HFS home path is not recommended.
• Use the ip http access-class command to specify the access list that should be used to restrict access to the HTTP server. Before the HTTP server accepts a connection, it checks the access list. If the check fails, the HTTP server does not accept the request for a connection. For more information on the ip http access-class command, see Cisco IOS Web Browser Commands.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/admin/configuration/guide/cmeadm/cmesystm.html#pgfId-1059165

Manish