I just uploaded a new release of ajaxCFC with some really nice additions.
ajaxCFC now supports built-in improve security, enforcing get or posts verbs, and also optionally checks for the http-referer to match your site. These two checks will prevent a third party to monitor http packets and try to call them manually by pasting the full ajax request to a browser.
I personally always Firefox and Live HTTP headers debug my ajax applications and I recommend using get methods and allow blank referers for development environments; but you need to be able to lock it down for production.
And talking about development, don't you hate when you think you're doing everything right, but there is no way to see what the server is getting out of your ajax request? I added some debugging abilities too that write into a debug file.
More details on the implementation of these updates are available in the documentation inside the download.