Public digital services: the exposed edgeΒΆ
The outermost layer is the part actually facing the internet, so it carries most of the exposed surface: the CMS and website estate, the e-formulieren and formulierenservers (Seneca, SIMgroep, Exxellence, and the open-source Open Formulieren), the mijn-omgeving portals, and the payment hand-offs.
Take the form at formulieren.ankh-morpork.example, an Open Formulieren instance. A resident logs in through
DigiD and the form prefills name, address and date of birth from the BRP. Underneath, the SDK drives the
backend:
POST /api/v1/submissions/ opens a submission; the DigiD bsn rides the session
GET /api/v1/submissions/{uuid}/steps/{step} a step, prefilled from the BRP
/submission/{uuid}/{token}/resume the resume link, gated by a signed token
The flaw worth finding here is not a missing header. It is whether that token is unguessable and bound to the resident who created the submission. If the identifier and token can be reached or replayed, a saved submission carrying prefilled BRP data becomes reachable across residents, which is broken access control with a personal-data payload. The same question sits on the prefill itself: whether the fields load for the authenticated identity, or for a bsn the request supplies. Logic, not configuration, and the impact is personal-data-shaped.