No HTTP security header exceeds 42% adoption. Fewer than 1% of the CSP policies actually present on Italian sites are configured restrictively. security.txt, the file that lets researchers report a vulnerability responsibly, exists on just 2.4% of domains.

These are some of the first results from IWSS - Italian Web Security Study, the research F-Hack has been running since July 2026 to measure, with scientific method and citable data, the security configuration of the Italian web at scale.

What was measured

10,022 .it domains, the entire pool available from the Tranco top-1M list (list date: 2026-07-08), analyzed with a purely passive methodology: no exploitation, no brute force, no active scanning. Only the same HTTP, TLS and DNS requests any browser would send when loading a public homepage.

The sample is random, not a list of well-known sites: a direct check against a disposable set of 105 "famous" domains (91 reachable, the same sampled-vs-reachable pattern seen throughout the study) confirmed that well-known sites have a systematically stronger security configuration (HSTS at 52.7% vs. 31.5% for the random control sample, CSP at 31.9% vs. 17.6%). Using a random sample instead of a hand-picked list is therefore the methodologically correct choice for a figure meant to be representative, not optimistic.

Of 10,020 completed scans, 88.1% of domains (8,829, 95% CI [87.5%-88.7%]) respond to a standard HTTP request.

Security headers remain the exception

Across the 8,829 reachable sites, no HTTP security header exceeds 42% adoption:

Header Adoption 95% Confidence Interval
X-Frame-Options 41.8% [40.8%, 42.9%]
X-Content-Type-Options 37.6% [36.6%, 38.6%]
HSTS 32.8% [31.8%, 33.8%]
Referrer-Policy 29.0% [28.0%, 30.0%]
Content-Security-Policy 18.7% [17.9%, 19.5%]
Permissions-Policy 11.2% [10.6%, 11.9%]

In other words: the majority of Italian sites in the sample declare none of the baseline HTTP protections.

The CSPs that exist often don't really protect

Of the 1,646 CSP policies parsed at directive level, only 0.7% (11 out of 1,646, 95% CI [0.4%-1.2%]) meet an explicit, verifiable restrictiveness criterion: presence of default-src or script-src, no unsafe-inline, no unsafe-eval, no wildcard source.

45.4% of policies use unsafe-inline, a directive that undoes most of the protection CSP is meant to provide against cross-site scripting. 11.1% use a wildcard source.

This figure should not be read as "only 1% of sites have a secure CSP": it is attributed to a precise, falsifiable definition, not a general judgment about the security of the sites involved.

Cookies and sessions

Across 7,240 observed cookies:

  • SameSite is missing in 51.8% of cases
  • HttpOnly is missing in 51.8% of cases
  • Secure is missing in 47.5% of cases

No cookie-type classification exists yet (session/authentication vs. analytics/tracking): a session cookie missing Secure and a _ga tracking cookie missing Secure are not the same problem, so these figures describe attributes observed across cookies as a whole, not specifically an authentication risk.

The good news: TLS

Not everything is negative. Across 8,864 completed TLS handshakes, zero weak ciphers detected (RC4/DES/MD5/EXPORT), and 87.3% of sites already negotiate TLS 1.3 as the de facto standard, against 12.7% still on TLS 1.2.

Email spoofing: one domain in two remains exposed

Across an extended subset of 9,520 scans:

Mechanism Adoption
SPF 55.5% [54.5%, 56.5%]
DMARC 43.8% [42.9%, 44.8%]
DKIM 36.6% [35.6%, 37.6%]
security.txt (RFC 9116) 2.4% [2.1%, 2.7%]

SPF, DMARC and DKIM concern a domain's resistance to email spoofing, a posture distinct from the website's own security, but just as relevant to anyone assessing an organization's overall risk.

What runs behind .it sites

Cloudflare leads the detected technology ranking (3,053 sites), followed by WordPress (2,487), Nginx (1,777) and Apache (1,509). This data is collected as a context variable, useful for explaining differences in configuration across technologies, not as a security indicator in itself.

Methodology and transparency

Every request is a standard, unauthenticated HTTP GET, with an identifiable User-Agent and a contact address. No payloads, no fuzzing, no vulnerability probing: active-scan code was never integrated into this pipeline, a structural choice rather than a configuration flag. No HTTP response body is stored, only a SHA-256 hash and metadata.

Domains published in the dataset are pseudonymized, not anonymized in the strict sense: each domain is replaced by an unsalted SHA-256 hash. Because .it domain names are public information, this is not a severe exposure, but the hash is invertible via a dictionary attack against known .it domains, and this is stated explicitly in both the dataset and the paper.

Public dataset and code

The entire measurement pipeline (crawler, analyzers, statistical module) and a pseudonymized export of the dataset are published on GitHub, under MIT license for the code and CC-BY 4.0 for the dataset, so that anyone can independently reproduce every figure reported in this article.

Repository: github.com/giovannimanetti11/italian-web-security-study
Full interactive infographic (IT/EN): f-hack.com/analisi-sicurezza-web-italiano-2026
Paper (v1.0, PDF): 10.5281/zenodo.21322437

Next steps

These are preliminary results, not yet peer-reviewed. The next step is to extend the sample beyond the 10,022 domains currently available from Tranco, and to set up a longitudinal study to measure how the security configuration of the Italian web changes over time, using a versioned data schema designed for exactly this purpose from the start.

Anyone using this dataset or this methodology in their own work is invited to cite both the repository and the accompanying paper (DOI: 10.5281/zenodo.21322437). The dataset's own DOI will be available soon.