I have come to the conclusion that, regardless of whether it is safe, it doesn't make sense to increase the attack surface when I can just use https and tokens, so that's what I am going to do.
Are you already exposing HTTPS? Because if not you would still be "increasing your attack surface".