Public digital services: the exposed edgeΒΆ

The outermost layer is the part actually facing the internet, so it carries most of the exposed surface: the CMS and website estate, the e-formulieren and formulierenservers (Seneca, SIMgroep, Exxellence, and the open-source Open Formulieren), the mijn-omgeving portals, and the payment hand-offs.

Take the form at formulieren.ankh-morpork.example, an Open Formulieren instance. A resident logs in through DigiD and the form prefills name, address and date of birth from the BRP. Underneath, the SDK drives the backend:

POST /api/v1/submissions/                     opens a submission; the DigiD bsn rides the session
GET  /api/v1/submissions/{uuid}/steps/{step}  a step, prefilled from the BRP
     /submission/{uuid}/{token}/resume        the resume link, gated by a signed token

The flaw worth finding here is not a missing header. It is whether that token is unguessable and bound to the resident who created the submission. If the identifier and token can be reached or replayed, a saved submission carrying prefilled BRP data becomes reachable across residents, which is broken access control with a personal-data payload. The same question sits on the prefill itself: whether the fields load for the authenticated identity, or for a bsn the request supplies. Logic, not configuration, and the impact is personal-data-shaped.