Security
Security model
The AJ Smart FHIR Platform implements defence-in-depth across every layer.
Authentication + token security
| Control | Implementation | Detail |
|---|---|---|
| PKCE S256 | `requireProofKey(true)` | 96-byte verifier, S256 challenge; no opt-out |
| Launch tokens | Atomic SQL `UPDATE ... WHERE used=false` | Single-use, 5-minute expiry, race-condition safe |
| JWT signing | RS256, 2048-bit RSA | JWKS endpoint, automatic key rotation support |
| id_token | Full Nimbus RS256 verification | `RemoteJWKSet`; verifies signature, iss, aud, exp, nonce |
| Token refresh | Rotation enforced | `reuseRefreshTokens(false)` |
| Session fixation | `changeSessionId()` | Spring Security default protection |
| CSRF | `CookieCsrfTokenRepository` | httpOnly=false for JS access where required |
Data protection
- Bearer tokens are masked in all log output: `SmartLaunchContext.toString()` redacts `access_token`
- No PHI in log files: patient IDs are logged only at DEBUG level
- Log injection prevented: error parameters are sanitised with `replaceAll("[\r\n\t]", "_")`
- PostgreSQL credentials have no hardcoded defaults: startup fails fast if they are not set
Network security
- All production endpoints require HTTPS: `iss` validation rejects HTTP for non-localhost origins
- ISS `userinfo@` bypass blocked: a `URI.getUserInfo() != null` check prevents authority-parsing attacks
- JWKS endpoint is public (read-only RSA public key): no authentication required
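The two `iss` checks above (HTTPS required except for local hosts, and rejection of a `userinfo@` component in the authority) as an added illustration; this is example code, not the platform's own validator, and the class name, method name and the set of hosts treated as local are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Hypothetical validator for the SMART launch `iss` parameter (example code, not the platform's).
public final class IssValidator {
    // Plain HTTP is tolerated only for local development hosts (assumed list).
    private static final Set<String> LOCAL_HOSTS = Set.of("localhost", "127.0.0.1", "[::1]");

    private IssValidator() {}

    /** Returns true only for an absolute https URI, or an http URI whose host is local. */
    public static boolean isAcceptableIss(String iss) {
        if (iss == null || iss.isBlank()) {
            return false;
        }
        final URI uri;
        try {
            uri = new URI(iss.trim());
        } catch (URISyntaxException e) {
            return false; // unparseable: reject rather than guess
        }
        if (!uri.isAbsolute() || uri.getHost() == null) {
            return false; // relative or host-less URIs cannot name an issuer
        }
        // userinfo@ bypass: "https://fhir.example.org@evil.example/r4" parses with host
        // evil.example, although a naive prefix match against the trusted issuer would pass.
        if (uri.getUserInfo() != null || uri.getRawAuthority().contains("@")) {
            return false;
        }
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        String host = uri.getHost().toLowerCase(Locale.ROOT);
        if ("https".equals(scheme)) {
            return true;
        }
        return "http".equals(scheme) && LOCAL_HOSTS.contains(host);
    }

    public static void main(String[] args) {
        String[] samples = {                            // constructed sample values
            "https://fhir.example.org/r4",              // accepted
            "http://localhost:8080/fhir",               // accepted: local development host
            "http://fhir.example.org/r4",               // rejected: HTTP on a non-local host
            "https://fhir.example.org@evil.example/r4"  // rejected: userinfo@ in the authority
        };
        for (String s : samples) {
            System.out.println(isAcceptableIss(s) + "  " + s);
        }
    }
}
```

This only checks scheme and authority shape; matching the issuer against the registered FHIR server list is a separate step.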
Persistent RSA key (production requirement)
Without a keystore, a new RSA key pair is generated on every server restart. All existing tokens become invalid.
Generate a persistent keystore for production:

```bash
keytool -genkeypair -alias smart-fhir-server \
  -keyalg RSA -keysize 2048 -storetype PKCS12 \
  -keystore smart-fhir-server.p12 -validity 3650
```

Then set the `KEYSTORE_PATH` and `KEYSTORE_PASSWORD` environment variables.
Vulnerability disclosure
Security vulnerabilities must be reported privately; do not open a public GitHub issue.
Email: security@ajsmart.com
PGP key: Available on request
Response times:
- Acknowledgement: within 24 hours
- Initial assessment: within 72 hours
- Enterprise/Government customers: security patches within 24 hours of confirmed vulnerability
Compliance
| Framework | Status | Detail |
|---|---|---|
| HIPAA | Supported | Audit trail, access controls, minimum necessary principle |
| GDPR | Supported | Consent lifecycle, right to withdraw, audit log |
| HTI-1 / TEFCA | Compliant | SMART App Launch v2.2 as mandated |
| IHE ATNA | In progress | FHIR AuditEvent logging (v1.1.0) |
| ISO 27001 | Roadmap | Security management framework alignment |
Penetration testing
Enterprise and Government support customers can request a copy of the most recent security assessment report. Contact support@ajsmart.com.