Connecting Amazon Alexa to web_lirc, best practice?

Question

I have successfully created demo project where i can control an infrared transmitter using the Amazon Echo Alexa.

Moving forward with my project I'm not sure what the best practices would be in relation to performance and mostly important security. I will explain the project below and elaborate on the issues:

1. Installed nodejs server on a Raspberry pi running on port 1234
2. Installed web_lirc to be able to have an nodejs api interface to LIRC

3. Created an AWS-lambda skill based on the HelloWorld nodejs template with my own simple "hack" working but not pretty :) See code snippet below:

   var http = require('http');
   var host = '12.34.56.78'; // (no http/https !)
   var port = 3000;
   var cmd  = '';
   
   function performMacroRequest(endpoint, data) 
   {
   cmd = '/macros/' + endpoint;
   //console.log('cmd: ' + cmd);
   
   var options = {
       host : host,
       port : port,
       path : cmd, // the rest of the url with parameters if needed
       method : 'POST'
   };
   
   http.request(options, function(res) 
   {
       console.log('performMacroRequest - STATUS: ' + res.statusCode);
       res.on('data', function (chunk) 
       {
           console.log(cmd + ': '+ chunk);
       });
   }).end();
   }
    //       
   var APP_ID = "protected by me"; // Amazon Alexa hardware ID  
   
   HelloWorld.prototype.intentHandlers = {
       // register custom intent handlers
       "HelloWorldIntent": function (intent, session, response) 
       {
           response.tellWithCard("Hello World!", "Hello World", "Hello World!");
       },
       "IRIntent": function (intent, session, response) 
       {
           performMacroRequest('TESTTV','');
       },
       "AMAZON.HelpIntent": function (intent, session, response) {
           response.ask("You can say hello or cake to me!", "You can say hello or cake to me!");
       }
   };
   

The issues as i see them, but are not sure how to address:

1. The best and most secure way to control my Raspberry web service from AWS. What would be the best option to control external hardware, is that using a webservice and what about protection?
2. Currently i need to have the port open in my router, so basically everyone with access to my IP could control my raspberry using JSON POST/GET commands. What could be a potential solution, is that to add an overlaying web interface with password protection?
3. Is it possible to have Alexa talking directly with my hardware on LAN without going trough AWS Lambda?

Overall i think I'm asking for the best practices(technically/security) on having Alexa to access local nodejs server.

Please let me know if anything has to be elaborated or explained in more details.

/Thomas