HighFile-scopeC# Plug & play

Use appropriate HTTP status codes

Return 2xx on success, 4xx for client errors, and 5xx for server errors with minimal, non-sensitive bodies.

Why this matters

Correct semantics enable predictable client behavior and monitoring.

Side-by-side examples engineers can pattern-match during review.

Avoid

return Ok(new { error = "failed" });

Prefer

return StatusCode(StatusCodes.Status500InternalServerError, new { error = "internal_error" });

Bad

return Ok(new { error="x" })

Good

return BadRequest(new { error="invalid" })

From the same buckets as this rule.

Critical
Check consent and role-based authorization before returning ePHI
Handlers must verify the requester’s role and a valid consent/relationship (e.g., care team assignment) before disclosing ePHI; include Purpose-Of-Use in the decision and audit the outcome.
compliance-hipaasecurity-hardening+2
Critical
Children's data: verify age and parental consent
If data subject is a child/adolescent, require age verification and parental/legal guardian consent prior to processing; deny processing otherwise and do not store the payload.
compliance-lgpdapi-conventions+1
Critical
Disallow public ingress without explicit allowlist
For Ingress/Service of type LoadBalancer, require host/path allowlist and TLS; forbid 0.0.0.0/0 exposure without WAF or Auth.
infra-as-codesecurity-hardening+1