I could see the node being placed under /content in AEM in the reference article below
http://www.sgaemsolutions.com/2017/07/reset-password-using.html
Would it be best to maintain it below content ?
Hello,
I think its depend on your approach how you are planning to implement it. If, you are cross verifying via managing some validation that the person who is accessing this URL is same who requested for reset password then you are doing ok because you can easily stop those unwanted hit during validation (also, you can apply permission on this node hierarchy for access). But, if not then and want to protect your system from unwanted hits then captcha or moving this path configuration to Site context aware configuration (via wcm.io https://experienceleague.adobe.com/docs/experience-manager-core-components/using/developing/context-aware-configs.html?lang=en) will be better approach.
I hope, it helps you to make decision.
Thanks!!
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.