What is the best way to check that requests to a cfc is comming from a swf file an a specific server? Can it be spoofed?
A server can only check what it is *sent*, all of which is inside the CGI scope. Most (all?) of this data can be spoofed, hence the need for firewalls which can inspect packets far more closely.
Do a dump of the CGI scope, you'll see what you get. You can check the CGI.REMOTE_ADDR to get the IP of the remote server, but you can't know the name of the page that made the call, no.
You may also want to take a look at the HTTP_USER_AGENT in the CGI scope as well. The call from the SWF might appear different from what you might expect would be the typical user agent of a browser. Of course, there pretty much is no guarantee that those values aren't spoofed.
If you want to lock down your remote calls to ensure that you are only providing data to your internal application, your best bet is to implement a validation security routine that you can use to verify that a request is valid (assuming that you control the code behind the SWF and the CFC).
What is the best way to check that requests to a cfc is comming from a swf file an a specific server?
A simple solution, here and in most http communication, is to require the requester to send you a security token in the query string.
Can it be spoofed?
Yes, however with difficulty, depending on how hard it is to guess your token.