FHIR servers expose RESTful APIs and rely on three security mechanisms for access control: Basic Auth, OAuth, and SSL/TLS. Basic Auth sends a username and password with each request; OAuth uses tokens and scopes for authorization. SSL/TLS encrypts the connection, and certificate validation can be configured in one of three ways: skip validation, use the default CA bundle, or upload a custom bundle.

When integrating with a FHIR server, consult its maintainers to determine which of these mechanisms it expects. Basic Auth and OAuth are mutually exclusive on an HTTP connection, because a request carries only one Authorization header. SSL/TLS, by contrast, can be combined with either Basic Auth or OAuth, or used on its own without any Authorization header at all.

Zato provides options to configure Basic Auth, OAuth, and SSL/TLS settings for FHIR connections. OAuth connections refresh their tokens periodically, while SSL/TLS connections need one of the certificate validation options above; a custom CA certificate bundle can be uploaded if the FHIR server's certificate is issued by a non-public CA. Further resources are available for a deeper understanding of FHIR security.
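As an added example (not Zato's own code), the Python helper below applies the rules described above: Basic Auth and OAuth as mutually exclusive ways of filling the single Authorization header, the three TLS certificate validation options mapped to a `verify` setting, and an OAuth token that is refreshed shortly before it expires. The class and function names are this example's own assumptions.

```python
import base64
import time
from typing import Callable, Dict, Optional, Tuple, Union

# Names here (OAuthTokenSource, tls_verify_setting, build_request_settings)
# are this example's own assumptions, not Zato's API.

class OAuthTokenSource:
    """Holds a bearer token and re-fetches it shortly before it expires; `fetch`
    returns (access_token, expires_at_epoch_seconds). This is periodic refresh."""
    def __init__(self, fetch: Callable[[], Tuple[str, float]], leeway_seconds: int = 60):
        self._fetch, self._leeway = fetch, leeway_seconds
        self._token: Optional[Tuple[str, float]] = None
        self.refresh_count = 0

    def get(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self._token is None or now >= self._token[1] - self._leeway:
            self._token = self._fetch()
            self.refresh_count += 1
        return self._token[0]

def tls_verify_setting(mode: str, ca_bundle_path: Optional[str] = None) -> Union[bool, str]:
    """Map the three certificate validation options to the `verify` value libraries such
    as requests accept: False skips validation, True is the default bundle, a path is custom."""
    if mode == "skip":
        return False
    if mode == "default":
        return True
    if mode == "custom":
        if not ca_bundle_path:
            raise ValueError("custom CA bundle mode requires a bundle path")
        return ca_bundle_path
    raise ValueError(f"unknown TLS validation mode: {mode!r}")

def build_request_settings(basic_auth: Optional[Tuple[str, str]] = None,
                           oauth: Optional[OAuthTokenSource] = None, tls_mode: str = "default",
                           ca_bundle_path: Optional[str] = None, now: Optional[float] = None) -> Dict[str, object]:
    """Headers plus TLS setting for one FHIR request. Basic Auth and OAuth are
    mutually exclusive (one Authorization header); neither is fine (TLS only)."""
    if basic_auth and oauth:
        raise ValueError("Basic Auth and OAuth are mutually exclusive")
    headers = {"Accept": "application/fhir+json"}
    if basic_auth:
        user, password = basic_auth
        creds = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    elif oauth:
        headers["Authorization"] = f"Bearer {oauth.get(now)}"
    return {"headers": headers, "verify": tls_verify_setting(tls_mode, ca_bundle_path)}
```

The returned dictionary maps directly onto the `headers=` and `verify=` arguments of an HTTP client call such as `requests.get`.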
