public facing is fine

Not exactly, if it is something unintentionally public facing, that can get you charged with access a computer without authorization under the the Computer Fraud and Abuse Act. This happened in this case: en.wikipedia.org/wiki/Goatse_Security#AT&T/iPad_e…

sending a HTTP request with a valid ICC-ID embedded inside it to the AT&T website, the website would reveal the email address associated with that ICC-ID.

On November 20, 2012, Auernheimer was found guilty of one count of identity fraud and one count of conspiracy to access a computer without authorization

More information: www.wired.com/…/hacking-choice-and-disclosure/