Blog: HMRC Fraud Prevention Header Validation — A Compliance Gap We're Closing
Version: 1.0.86
Severity: High
Category: Core Functionality
What Are Fraud Prevention Headers?
Every API call made to HMRC under the Making Tax Digital (MTD) programme must include a set of fraud prevention headers. These headers carry technical information about the originating device and software — things like IP addresses, user agent strings, and timestamps — that HMRC uses to detect and prevent fraudulent submissions.
HMRC's requirements are detailed and precise. Headers that are missing, malformed, or carry unexpected values can cause submissions to be rejected outright. For landlords relying on this platform to meet their quarterly MTD obligations, a rejected submission is not a minor inconvenience — it is a compliance failure.
The Gap We've Found
During an internal audit of our HMRC-FRAUD-PREVENTION-COMPLIANCE.md document, we identified that one critical item had never been completed:
"HMRC header validator tested: Planned"
HMRC provides an official tool specifically for this purpose: the txm-fph-validator-api. This sandbox endpoint accepts a request with the fraud prevention headers you intend to send and tells you whether they are valid, complete, and correctly structured.
We have never run an automated test against this validator. That means we cannot currently confirm — with evidence — that our headers satisfy HMRC's requirements.
Why This Matters
The fraud prevention header specification is not static. HMRC updates it, and non-compliant headers can result in:
- Rejected quarterly submissions, putting landlords in breach of their MTD obligations.
- Delayed corrections, since header failures may not be obvious from standard API error responses alone.
- Audit exposure, as we cannot demonstrate to HMRC that we have actively validated compliance.
This is classified as a high severity issue because the failure mode is invisible until a submission is rejected.
What We're Doing About It
We are implementing the following remediation steps:
- Automated validator test — A test will be written that sends a representative MTD API request, including all fraud prevention headers currently emitted by the platform, to HMRC's txm-fph-validator-api sandbox endpoint.
- CI integration — This test will be added to the continuous integration pipeline so that every code change is checked against the validator automatically. Any future regression in header compliance will fail the build before it can reach production.
- Documentation update — Once validated, HMRC-FRAUD-PREVENTION-COMPLIANCE.md will be updated from Planned to Verified, with a record of the test and its result.
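To make the remediation concrete, here is an added example of what such a validator test can look like. It is not the platform's code and it is not HMRC's tool; it is illustrative code written for this post. It assumes the sandbox validator is reached at GET https://test-api.service.hmrc.gov.uk/test/fraud-prevention-headers/validate with an Accept header of application/vnd.hmrc.1.0+json and returns JSON with "code", "message", "errors" and "warnings" fields (each error or warning carrying "code", "message" and a "headers" list); those details must be confirmed against the current txm-fph-validator-api documentation. The header values, the vendor name "landlord-platform", the fetch function and the sample responses are constructed placeholders. The check runs a local pre-flight first (empty values, malformed IP, non-UTC timestamp), then asks the validator, and fails the build on any error, with warnings optionally treated as failures so a specification change surfaces before a quarterly submission is rejected.

```python
"""Added example, not the platform's own code: a CI-style check that sends the
fraud prevention headers to HMRC's sandbox header validator and fails on error.

Assumed (confirm against the current txm-fph-validator-api documentation):
- GET https://test-api.service.hmrc.gov.uk/test/fraud-prevention-headers/validate
  with Accept: application/vnd.hmrc.1.0+json; no Authorization header is sent here.
- The JSON response carries "code", "message", "errors" and "warnings", where each
  error/warning has "code", "message" and a "headers" list.
All header values and sample responses below are constructed placeholders.
"""
import ipaddress
import json
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import quote

SANDBOX_BASE = "https://test-api.service.hmrc.gov.uk"
VALIDATE_PATH = "/test/fraud-prevention-headers/validate"  # assumed path

FetchFn = Callable[[str, Dict[str, str]], str]


def build_headers(device_id: str, user_id: str, public_ip: str, now: datetime) -> Dict[str, str]:
    """Header set for a server-mediated web app. Constructed values: a real
    implementation derives them from the client session, never from constants."""
    utc = now.astimezone(timezone.utc)
    return {
        "Gov-Client-Connection-Method": "WEB_APP_VIA_SERVER",
        "Gov-Client-Device-ID": device_id,
        # key=value pairs, percent-encoded, so a space or '=' in an ID cannot break parsing
        "Gov-Client-User-IDs": "landlord-platform=" + quote(user_id, safe=""),
        "Gov-Client-Timezone": "UTC+00:00",
        "Gov-Client-Public-IP": public_ip,
        "Gov-Client-Public-IP-Timestamp": utc.isoformat(timespec="milliseconds").replace("+00:00", "Z"),
        "Gov-Vendor-Version": "landlord-platform=" + quote("1.0.86", safe=""),
        "Gov-Vendor-Product-Name": quote("Landlord MTD Platform", safe=""),
    }


def sample_headers() -> Dict[str, str]:
    """Constructed fixture with a fixed clock, used by the CI test and the demo."""
    return build_headers("device-0001", "user 42", "203.0.113.7",
                         datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc))


def local_preflight(headers: Dict[str, str]) -> List[str]:
    """Cheap checks before any network call: empty values, a bad IP, or a
    timestamp that is not ISO 8601 UTC with milliseconds."""
    problems = [f"{name} is empty" for name, value in headers.items() if not value.strip()]
    try:
        ipaddress.ip_address(headers.get("Gov-Client-Public-IP", ""))
    except ValueError:
        problems.append("Gov-Client-Public-IP is not a valid IP address")
    ts = headers.get("Gov-Client-Public-IP-Timestamp", "")
    try:
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")
    except ValueError:
        problems.append("Gov-Client-Public-IP-Timestamp is not ISO 8601 UTC with milliseconds")
    return problems


def _http_fetch(url: str, headers: Dict[str, str]) -> str:
    """Real transport; only used when no fake fetch is injected."""
    req = urllib.request.Request(url, headers={**headers, "Accept": "application/vnd.hmrc.1.0+json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8")


def evaluate_validator_response(body: str, fail_on_warnings: bool = False) -> Tuple[bool, List[str]]:
    """Turn the validator's JSON into (passed, findings). Any error fails the check;
    warnings fail only when the team opts in."""
    result = json.loads(body)
    findings = []
    for level, items in (("ERROR", result.get("errors", [])), ("WARNING", result.get("warnings", []))):
        for item in items:
            hdrs = ", ".join(item.get("headers", [])) or "-"
            findings.append(f"{level} {item.get('code')}: {item.get('message')} [{hdrs}]")
    passed = not result.get("errors") and not (fail_on_warnings and result.get("warnings"))
    return passed, findings


def run_ci_check(headers: Dict[str, str], fetch: Optional[FetchFn] = None,
                 fail_on_warnings: bool = False) -> Tuple[bool, List[str]]:
    """CI entry point: local pre-flight, then the sandbox validator. A non-empty
    findings list with passed=False is what should fail the build."""
    problems = local_preflight(headers)
    if problems:
        return False, ["PREFLIGHT " + p for p in problems]
    body = (fetch or _http_fetch)(SANDBOX_BASE + VALIDATE_PATH, headers)
    return evaluate_validator_response(body, fail_on_warnings)


# Constructed sample responses (shape assumed, not captured from HMRC) so the
# check can be exercised offline, as a recorded fixture would be in CI.
SAMPLE_VALID = json.dumps({"specVersion": "3.0", "code": "VALID_HEADERS",
                           "message": "All headers are valid", "errors": [], "warnings": []})
SAMPLE_INVALID = json.dumps({"specVersion": "3.0", "code": "INVALID_HEADERS",
                             "message": "At least 1 header is invalid",
                             "errors": [{"code": "INVALID_HEADER",
                                         "message": "Gov-Client-Timezone format is wrong",
                                         "headers": ["Gov-Client-Timezone"]}],
                             "warnings": []})

if __name__ == "__main__":
    import sys
    # Pass fetch=None to call the real sandbox instead of the constructed fixture.
    ok, found = run_ci_check(sample_headers(), fetch=lambda url, h: SAMPLE_INVALID)
    print("\n".join(found) or "no findings")
    sys.exit(0 if ok else 1)
```

The fetch function is injectable so the same test runs against a recorded fixture in every pipeline run and against the live sandbox on a schedule; an exit code of 1 on any error is what turns "invisible until rejected" into a failed build.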
What This Means for Landlords
You don't need to take any action right now. Your existing submissions are processed via the same code that has been in production, and there is no evidence of active rejection. However, we are treating this gap with the seriousness it deserves and will not mark it resolved until automated, repeatable proof of compliance exists.
We will update this page and the changelog once the validator test is live in CI.