Audit controller actions vs API available/needed

While preparing the Swagger spec I discovered we might be making quite a few controller action available to external APIs that don't need to be.

Audit and restrict. Careful, many of our web pages do request information through ajax calls even if those actions aren't really needed by any other external APIs.
