Return proper HTTP status codes for errors

Related rules

From the same buckets as this rule.

• Critical

  Check consent and role-based authorization before returning ePHI

  Handlers must verify the requester’s role and a valid consent/relationship (e.g., care team assignment) before disclosing ePHI; include Purpose-Of-Use in the decision and audit the outcome.

  compliance-hipaasecurity-hardening+2
• Critical

  Children's data: verify age and parental consent

  If data subject is a child/adolescent, require age verification and parental/legal guardian consent prior to processing; deny processing otherwise and do not store the payload.

  compliance-lgpdapi-conventions+1
• Critical

  Disallow public ingress without explicit allowlist

  For Ingress/Service of type LoadBalancer, require host/path allowlist and TLS; forbid 0.0.0.0/0 exposure without WAF or Auth.

  infra-as-codesecurity-hardening+1