V3 and up of PiAware uses lighttpd as the webserver on port 80. This is a much more robust webserver than the one that was built into earlier versions of PiAware and which ran, and still runs, on port 8080. While there is some additional risk, opening port 80 to the internet is not as big a problem with lighttpd as it was with earlier versions. For example, simply submitting an invalid URL would crash the old built in webserver. Lighttpd returns 404, which is the correct response.
I use a web proxy from an apache webserver to my PiAware. Setting that up is beyond the scope of this post, but so far, touch wood, it has not been a problem.
You could forward some obscure port to your internal PiAware port 80. …security by obscurity…not great, but it might help a bit.