Using POST instead of GET for search operations
It has been noticed that both the retrieve and search PDS FHIR APIs expect the search parameters as a query string. This means that private data like name, date of birth, NHS number etc. should be sent in plain-text format through the URL. This URL may get logged in different components/systems involved in this flow and will be visible to anyone having log access. The proposal is to provide a POST version of the APIs so that the details can be sent via the request body that is protected via Transport Layer Security.
Comments: 2
-
12 Jan, '22
Tony Heap (Admin): Thanks for the suggestion Deepa. It is something we already have at the back of our minds - not just for the PDS FHIR API but for all our APIs. Not least because the FHIR standard mandates that it should be possible to search using HTTP POST (https://www.hl7.org/fhir/STU3/http.html#search). I've added it to our backlog of work to be prioritised. We have a lot of other work on which is also valuable so it might not happen immediately.
-
13 Jan, '22
Tony Heap: We've had some further discussions internally on this. Our view is:
1) all requests and responses are encrypted via TLS so the PID is protected on the wire
2) our logging tools have redaction built into them so that URL parameters are excluded from any logs that are not tightly locked down
3) therefore there is no strong benefit of having a POST option
4) we're not 100% convinced that POST is mandated for searches in FHIR - there seems to be some disagreement amongst the experts
Given how much other work we have to do, and given the taxpayer is paying for this, we're going to descope this item.
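As an added illustration of the two search styles discussed above (GET with parameters in the URL versus the FHIR POST `[base]/[type]/_search` form), and of the kind of log redaction the reply relies on when GET is used, here is a small Python example. It is not code from the suggestion author or from NHS Digital; the base URL, parameter values and the list of sensitive parameter names are constructed for the example.

```python
"""Added example (not part of the original suggestion or NHS Digital's code).

Shows the two ways a FHIR client can express the same Patient search:
  1. GET  [base]/Patient?family=...&birthdate=...   (parameters in the URL)
  2. POST [base]/Patient/_search with the parameters form-encoded in the body
and a simple redaction step for access-log lines that still contain GET URLs.
"""
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

BASE = "https://example.invalid/fhir"  # constructed placeholder base URL, not a real endpoint

# Search parameter names whose values identify a person (constructed list for the example).
SENSITIVE_PARAMS = {"family", "given", "birthdate", "identifier", "address-postalcode"}


def build_get_search(base, resource_type, params):
    """Return the GET URL a client would request. Every value lands in the query string,
    so it is visible to anything that logs request URLs."""
    return f"{base}/{resource_type}?{urlencode(params)}"


def build_post_search(base, resource_type, params):
    """Return (url, headers, body) for the FHIR POST search form.

    FHIR defines POST [base]/[type]/_search with an application/x-www-form-urlencoded
    body carrying the same parameters, so identifiers travel inside the TLS-protected
    body and the logged URL contains no person-identifying values.
    """
    url = f"{base}/{resource_type}/_search"
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/fhir+json",
    }
    return url, headers, urlencode(params)


def redact_url(url, sensitive=SENSITIVE_PARAMS):
    """Replace the values of sensitive query parameters with 'REDACTED'.

    Mirrors the redaction a logging pipeline needs when GET searches are in use.
    Non-sensitive parameters such as _count are left intact.
    """
    parts = urlsplit(url)
    kept = [(key, "REDACTED" if key in sensitive else value)
            for key, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


def redact_log_line(line, sensitive=SENSITIVE_PARAMS):
    """Redact every whitespace-delimited token in an access-log line that is an HTTP(S) URL."""
    return " ".join(
        redact_url(tok, sensitive) if tok.startswith(("http://", "https://")) else tok
        for tok in line.split(" ")
    )


if __name__ == "__main__":
    params = {"family": "Smith", "birthdate": "1970-01-01", "_count": "5"}  # constructed sample
    print("GET :", build_get_search(BASE, "Patient", params))
    url, headers, body = build_post_search(BASE, "Patient", params)
    print("POST:", url, headers, "body=" + body)
    log_line = "GET " + build_get_search(BASE, "Patient", params) + " 200"  # constructed log line
    print("log :", redact_log_line(log_line))
```

The redaction helper shows why the reply's point 2 has to be applied consistently: every component that logs the raw URL (gateway, proxy, application) needs the same treatment, whereas with the POST form the identifying values never appear in the URL in the first place.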