Skip to content

Article cases bsn #107

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
johannesbattjes merged 3 commits into from
Mar 26, 2026
Merged

Article cases bsn #107

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
c0d6d7f
bsn
johannesbattjes Mar 26, 2026
e382e10
a
johannesbattjes Mar 26, 2026
7230f0a
Merge branch 'main' into Article-cases-BSN
johannesbattjes Mar 26, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 45 additions & 0 deletions docs/cases/use-of-bsn.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
---
id: use-of-bsn
title: Retrieving cases for a particular BSN
---

Retrieving cases using a BSN (Dutch Social Security Number) can be done in two ways. While our case registration software supports both methods, many client applications are using the older, insecure method. This article explains the problem and the recommended solution.

### The Problem: Leaking BSNs via GET Requests

The current, widely-used method for fetching cases by BSN is a `GET` request where the BSN is passed as a URL parameter:

```h
ttps://zaken.preprod-rx-services.nl/api/v1/zaken?rol__betrokkeneIdentificatie__natuurlijkPersoon__inpBsn=123443210
```

**This is a security and privacy risk.**

The BSN is sensitive, personal data. Placing it in a URL has serious consequences:

- **Extensive Logging**: Web servers, proxies, load balancers, and other network infrastructure log URLs by default. This means the BSN is stored in numerous log files across different systems.
- **Increased Exposure**: These logs are often retained for long periods and accessed for monitoring, debugging, or analytics, exposing the BSN to a wider audience than necessary.
- **Privacy Violation**: Unnecessarily logging sensitive data violates fundamental privacy principles (like GDPR/AVG) and creates a data leak that is difficult to contain or audit.

### The Solution: Use POST `/_zoek`

A safer and more robust alternative is to use the `POST /_zoek` endpoint from the VNG Zaken API. This method allows you to send the search parameters in the request body instead of the URL.

Since request bodies are generally not logged by servers and proxies, the BSN remains secure and is not exposed in log files.

Here is an example of how to use the `/_zoek` endpoint. Many other attributes are also possible.

**Request:**

```json
POST /api/v1/zaken/_zoek
Host: zaken.preprod-rx-services.nl
Content-Type: application/json

{
"rol__betrokkeneIdentificatie__natuurlijkPersoon__inpBsn": "123443210",
"expand": "rollen"
}
```

We strongly urge developers of client applications to update their implementation to use the `POST /_zoek` method to ensure the privacy and security of citizen data.
11 changes: 11 additions & 0 deletions sidebars.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,17 @@ const sidebars: SidebarsConfig = {
label: "Document Upload Guide"
}
]
},
{
type: "category",
label: "Cases",
items: [
{
type: "doc",
id: "cases/use-of-bsn",
label: "Use of BSN"
}
]
}
]
};
Expand Down
Loading