A header to indicate existence of Personal Identifiable Information (PII) in HTTP API #3
sdatspun2 started this conversation in Ideas for HTTP API Specifications
Replies: 1 comment
-
I think this could be helpful as long as the header is an assertion that the message is free of PII. We can't rely on the absence of the header to indicate anything. I also wonder whether it would be worth being able to add a qualifier if there is sensitive content. At Microsoft we distinguish between "End User Identifiable Information" and "Organization Identifiable Information".
-
What does the WG think about needing a distinct header to indicate the existence of Personal Identifiable Information (PII) in the request (and response) of an HTTP API? Such a header would be useful in order to route requests to tokenize (or detokenize) such payloads to special-purpose proxies from intermediaries like an API gateway. Without it, every request (or response) would need to be parsed and inspected for PII in order to tokenize/detokenize.
Thoughts?
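The routing decision discussed in this thread, sketched as an added example that is not part of either post or of any specification: a gateway skips tokenization only on an explicit "free of PII" assertion, routes on a qualifier, and falls back to payload inspection when the header is absent or malformed. The header name `PII-Content` and the tokens `none`, `end-user` and `organization` are hypothetical.

```python
from enum import Enum

# Hypothetical names: no such header or tokens are defined by the thread or by any spec.
HEADER = "pii-content"
NO_PII = "none"                              # explicit "message is free of PII" assertion
QUALIFIERS = {"end-user", "organization"}    # qualifiers for the kind of sensitive content


class Route(Enum):
    DIRECT = "direct"        # forward without tokenization
    TOKENIZE = "tokenize"    # send to the special-purpose tokenization proxy
    INSPECT = "inspect"      # parse and inspect the payload for PII


def decide_route(headers):
    """Return (Route, qualifiers) for a list of (name, value) header pairs.

    Duplicate header lines are preserved by the caller and merged here.
    """
    values = [v for n, v in headers if n.strip().lower() == HEADER]
    if not values:
        # Absence of the header indicates nothing, so the payload is inspected.
        return Route.INSPECT, frozenset()
    tokens = set()
    for value in values:
        for tok in value.split(","):
            tokens.add(tok.strip().lower())
    if tokens == {NO_PII}:
        return Route.DIRECT, frozenset()
    if tokens <= QUALIFIERS:
        return Route.TOKENIZE, frozenset(tokens)
    # Empty, unknown or contradictory values ("none" plus a qualifier) fail closed.
    return Route.INSPECT, frozenset()


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        [("Content-Type", "application/json")],
        [("PII-Content", "none")],
        [("PII-Content", "End-User, organization")],
        [("PII-Content", "none"), ("PII-Content", "end-user")],
    ]
    for hdrs in samples:
        route, quals = decide_route(hdrs)
        print(hdrs, "->", route.value, sorted(quals))
```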