HighFile-scopePHP Plug & play

Return proper HTTP status codes

Return 2xx only on success; use 4xx for client errors and 5xx for server errors, with a minimal JSON error body.

Why this matters

Correct semantics enable clients and monitors to react properly.

Side-by-side examples engineers can pattern-match during review.

Avoid

http_response_code(200);
echo json_encode(['error'=>'failed']);

Prefer

http_response_code(400);
header('Content-Type: application/json');
echo json_encode(['error'=>'invalid_request']);

Bad

200 + error body

Good

400 + {"error":"..."}

From the same buckets as this rule.

Critical
Check consent and role-based authorization before returning ePHI
Handlers must verify the requester’s role and a valid consent/relationship (e.g., care team assignment) before disclosing ePHI; include Purpose-Of-Use in the decision and audit the outcome.
compliance-hipaasecurity-hardening+2
Critical
Children's data: verify age and parental consent
If data subject is a child/adolescent, require age verification and parental/legal guardian consent prior to processing; deny processing otherwise and do not store the payload.
compliance-lgpdapi-conventions+1
Critical
Disallow public ingress without explicit allowlist
For Ingress/Service of type LoadBalancer, require host/path allowlist and TLS; forbid 0.0.0.0/0 exposure without WAF or Auth.
infra-as-codesecurity-hardening+1