Current situation:

  • Multi-provider network (medical)
  • Multiple public websites that rely at least partially on an in-house CMS for updating content such as articles, location addresses, office phone numbers, etc.
  • SSL certificate for all sites
  • Machine-to-machine JWT authentication (R256), where the token is "minted" upon each restart of the application pool in IIS, or when the existing token's lifespan expires
  • No log-ins for these sites; they are just informational; all users are "anonymous" visitors
  • Development is a combination of ASP Classic and .NET, depending on the site.

My question is: is that enough, in this scenario, to protect the CMS's APIs? If not, what other measure(s) would you recommend?

0 Answers