public facing is fine
Not exactly, if it is something unintentionally public facing, that can get you charged with access a computer without authorization under the the Computer Fraud and Abuse Act. This happened in this case: https://en.wikipedia.org/wiki/Goatse_Security#AT&T/iPad_email_address_leak
sending a HTTP request with a valid ICC-ID embedded inside it to the AT&T website, the website would reveal the email address associated with that ICC-ID.
On November 20, 2012, Auernheimer was found guilty of one count of identity fraud and one count of conspiracy to access a computer without authorization
More information: https://www.wired.com/2012/11/hacking-choice-and-disclosure/
Related classic: https://youtu.be/in6RZzdGki8