Error reporting

HTTP status codes often provide sufficient error information. But sometimes the client needs additional details.

If your APIs follow the FHIR standard, the server MUST return the OperationOutcome resource.

For non-FHIR APIs, the server SHOULD follow RFC7807 or, where applicable, the JSON API specification.

When returning error information, the server MUST NOT include unnecessary or sensitive data that attackers could exploit (the full detail belongs in the server-side log, not in the response). See also the OWASP 10 and Minimise Information Disclosure sections.

The server MUST use HTTP status codes in the 5xx range to indicate server errors. For client errors, the server SHOULD return a 4xx status code.
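The following is an added example (not code from this guideline or from ASP.NET Core) that shows the rules above in one place: a server fault becomes a 5xx whose exception text never reaches the client, a client mistake becomes a 4xx with a helpful message, and the same sanitised view is rendered either as an RFC 7807 `application/problem+json` body or as a FHIR `OperationOutcome`. The exception classes, the `LEAK_PATTERNS` heuristics, the `correlationId` extension member and the in-memory `SERVER_LOG` are assumptions made for the example; the FHIR issue codes used (`invalid`, `not-found`, `exception`) are from the FHIR IssueType value set.

```python
import logging
import re
import uuid

# --- Constructed exception types standing in for what a request handler raises ---
class ValidationError(Exception):
    """Bad client input: maps to 400. `field` is the offending element, e.g. a FHIRPath."""
    def __init__(self, message, field=None):
        super().__init__(message)
        self.field = field

class NotFoundError(Exception):
    """Requested resource does not exist: maps to 404."""

# Heuristic patterns for implementation detail that must never reach a client.
# Constructed for this example; not an exhaustive list.
LEAK_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r'File "[^"]+", line \d+'),                                   # stack frames
    re.compile(r"(?:[A-Za-z]:\\|/(?:usr|home|var|etc|srv|opt)/)\S*"),        # filesystem paths
    re.compile(r"\b(?:password|passwd|secret|token|api[_-]?key)\b", re.I),   # credential words
    re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b.+\b(?:FROM|INTO|SET)\b", re.I),  # SQL text
    re.compile(r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b"),  # private IPs
]

def looks_sensitive(text):
    """True if the text matches any pattern suggesting leaked internals."""
    return any(p.search(text) for p in LEAK_PATTERNS)

def classify(exc):
    """Map an exception to (HTTP status, public title, candidate detail)."""
    if isinstance(exc, ValidationError):
        return 400, "Invalid request", str(exc)
    if isinstance(exc, NotFoundError):
        return 404, "Not found", "The requested resource does not exist."
    # Everything else is a server fault: 5xx, and the exception text is never exposed.
    return 500, "Internal server error", "An unexpected error occurred."

SERVER_LOG = []  # stands in for the server-side log sink (assumption for this example)

def _public_view(exc, correlation_id):
    """Shared sanitisation: full detail goes to the server log, a safe detail to the client."""
    status, title, detail = classify(exc)
    logging.getLogger("api").error("%s %s: %r", correlation_id, status, exc)
    SERVER_LOG.append((correlation_id, status, repr(exc)))
    field = getattr(exc, "field", None)
    if looks_sensitive(detail):
        # A 4xx message that still carries internals is replaced rather than passed through.
        detail, field = "The request could not be processed.", None
    return status, title, detail, field

def problem_details(exc, instance, correlation_id=None):
    """RFC 7807 body for non-FHIR APIs (application/problem+json)."""
    correlation_id = correlation_id or str(uuid.uuid4())
    status, title, detail, field = _public_view(exc, correlation_id)
    body = {
        "type": "about:blank",            # no problem-type URI is defined for this example
        "title": title,
        "status": status,
        "detail": detail,
        "instance": instance,
        "correlationId": correlation_id,  # extension member: lets support find the log entry
    }
    if field:
        body["errors"] = {field: [detail]}
    return status, "application/problem+json", body

# FHIR IssueType codes for the statuses this example produces.
FHIR_ISSUE_CODE = {400: "invalid", 404: "not-found", 500: "exception"}

def operation_outcome(exc, correlation_id=None):
    """FHIR OperationOutcome body for FHIR APIs (application/fhir+json)."""
    correlation_id = correlation_id or str(uuid.uuid4())
    status, title, detail, field = _public_view(exc, correlation_id)
    issue = {
        "severity": "error",
        "code": FHIR_ISSUE_CODE.get(status, "exception"),
        "diagnostics": f"{detail} (reference {correlation_id})",
    }
    if field:
        issue["expression"] = [field]
    return status, "application/fhir+json", {"resourceType": "OperationOutcome", "issue": [issue]}

if __name__ == "__main__":
    # Constructed failures: a client mistake, and a server fault whose message carries internals.
    client_err = ValidationError("birthDate must be in the past", field="Patient.birthDate")
    server_err = RuntimeError("connection refused: postgres://svc:S3cretPw@10.0.0.5/ehr (/srv/app/db.py)")
    for exc in (client_err, server_err):
        print(problem_details(exc, "/patients/123"))
        print(operation_outcome(exc))
```

The design point is that redaction happens once, in `_public_view`, before either representation is built, so a FHIR and a non-FHIR endpoint cannot drift apart in what they disclose. The correlation identifier gives the client something to quote to support without exposing why the request failed.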

Practical tips

ASP.NET Core's ProblemDetails class formats error responses according to RFC7807.