Note: This version is in draft.
General API Guidance
Purpose
This site is intended for software developers building a conformant GP Connect API interface, with a focus on general API implementation guidance.
Notational conventions
The keywords ‘MUST’, ‘MUST NOT’, ‘REQUIRED’, ‘SHALL’, ‘SHALL NOT’, ‘SHOULD’, ‘SHOULD NOT’, ‘RECOMMENDED’, ‘MAY’, and ‘OPTIONAL’ on this site are to be interpreted as described in RFC 2119.
General standards
Information on the technical standards that SHALL be conformed to can be found in the sections below and throughout the GP Connect specification.
Important: Any additional principles highlighted in the GP Connect specification MUST take precedence over those defined in these technical standards.
Internet standards
Clients and servers SHALL conform to the following Internet Engineering Task Force (IETF) Requests for Comments (RFCs), which are the principal technical standards underpinning the design and development of the internet and thus FHIR's APIs.
- transport-level integration SHALL be via HTTP as defined in the following RFCs: RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234 and RFC 7235
- transport-level security SHALL be via TLS/HTTPS as defined in RFC 5246 and RFC 6176
- HTTP Strict Transport Security (HSTS) as defined in RFC 6797 SHALL be employed to protect against protocol downgrade attacks and cookie hijacking
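As an added example (not part of the GP Connect specification or its reference code), the following Python check covers the HSTS requirement above: it parses a Strict-Transport-Security field value according to the RFC 6797 section 6.1 grammar and reports conformance findings for a single response. The helper names `parse_hsts` and `hsts_findings` and the finding messages are this example's own assumptions.

```python
import re

# RFC 6797 section 6.1: ';'-separated directives, case-insensitive token names,
# no directive repeated, and max-age (non-negative integer seconds) REQUIRED.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; raise ValueError if non-conformant."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:  # the grammar allows empty directives, e.g. a trailing ';'
            continue
        name, _, val = part.partition("=")
        name, val = name.strip().lower(), val.strip()
        if not _TOKEN.match(name):
            raise ValueError(f"invalid directive name {name!r}")
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # a directive-value may be a quoted-string
        directives[name] = val
    if "max-age" not in directives:
        raise ValueError("max-age directive is REQUIRED")
    if not directives["max-age"].isdigit():
        raise ValueError("max-age must be a non-negative integer")
    directives["max-age"] = int(directives["max-age"])
    directives["includesubdomains"] = "includesubdomains" in directives
    return directives

def hsts_findings(scheme, headers):
    """Conformance findings for one response; `headers` maps name -> value."""
    hsts = next((v for k, v in headers.items()
                 if k.lower() == "strict-transport-security"), None)
    if scheme.lower() != "https":
        # RFC 6797 section 8.1: clients MUST ignore the header over non-secure
        # transport, so the policy can only be set on the HTTPS endpoint.
        return ["HSTS header sent over plain HTTP has no effect"] if hsts else []
    if hsts is None:
        return ["HTTPS response lacks Strict-Transport-Security"]
    try:
        policy = parse_hsts(hsts)
    except ValueError as err:
        return [f"malformed Strict-Transport-Security: {err}"]
    if policy["max-age"] == 0:
        return ["max-age=0 instructs clients to forget the HSTS policy"]
    return []
```

Run `hsts_findings` over each HTTPS response from the server under test; an empty list means the response meets the HSTS requirement as checked here.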
Important: NHS Digital is currently evaluating how cross-origin resource sharing (CORS) will be handled for web and mobile based applications.