Passive security measurement of 10,020 .it domains: CSP, cookies, TLS and email authentication
This report summarizes a passive security measurement study of 10,020 .it domains focusing on HTTP security headers, Content Security Policy (CSP), cookies, TLS, and email authentication. The study found low adoption rates of key security headers and cookie attributes, widespread use of unsafe CSP directives, and partial deployment of email authentication standards. No active probing or exploitation was performed. The study highlights security configuration weaknesses but does not identify a specific vulnerability or exploit.
AI Analysis
Technical Summary
A passive security measurement was conducted on 10,020 .it domains using standard HTTP requests, TLS handshakes, and DNS lookups without active scanning or exploitation. Key findings include that only 41.8% of domains use X-Frame-Options, 32.8% use HSTS, 18.7% implement CSP with only 0.7% meeting restrictiveness criteria, and 45.4% include unsafe-inline in CSP. Cookie security attributes SameSite and HttpOnly are missing in approximately 52% of cookies, and Secure is missing in about 48%. TLS configurations are strong with no weak cipher suites and 87.3% supporting TLS 1.3. Email authentication adoption is moderate with SPF at 55.5%, DMARC at 43.8%, and DKIM at 36.6%. The study also notes that only 2.4% of domains publish a security.txt file. The data is representative of the .it ccTLD and is publicly available for further analysis.
Potential Impact
The study reveals that many .it domains have suboptimal security configurations, such as missing or weak HTTP security headers, insecure cookie attributes, and incomplete email authentication deployment. These weaknesses can increase the risk of web-based attacks like clickjacking, cross-site scripting, session hijacking, and email spoofing. However, the study itself does not report any active exploitation or vulnerabilities, only the presence or absence of security controls.
Mitigation Recommendations
This is a passive measurement study and not a vulnerability report; no direct patch or fix is applicable. Organizations managing .it domains should consider improving their security posture by adopting recommended HTTP security headers (e.g., X-Frame-Options, HSTS, CSP with restrictive policies), setting secure cookie attributes (SameSite, HttpOnly, Secure), upgrading to TLS 1.3, and fully implementing email authentication standards (SPF, DMARC, DKIM). The study's dataset and methodology are publicly available for reference. No immediate action is required based on this report alone.
Passive security measurement of 10,020 .it domains: CSP, cookies, TLS and email authentication
Description
This report summarizes a passive security measurement study of 10,020 .it domains focusing on HTTP security headers, Content Security Policy (CSP), cookies, TLS, and email authentication. The study found low adoption rates of key security headers and cookie attributes, widespread use of unsafe CSP directives, and partial deployment of email authentication standards. No active probing or exploitation was performed. The study highlights security configuration weaknesses but does not identify a specific vulnerability or exploit.
Reddit Discussion
I recently finished a passive security measurement study of .it domains and wanted to share some of the results here for feedback.
The dataset includes 10,020 successfully scanned .it domains, covering essentially the entire .it slice of the Tranco Top 1M list (snapshot: 2026-07-08).
The study is strictly passive. It only performs standard HTTP requests, TLS handshakes and DNS lookups. No exploitation, brute forcing, vulnerability scanning or any other active probing.
Some headline results:
HTTP security headers
- X-Frame-Options: 41.8%
- HSTS: 32.8%
- CSP: 18.7%
- Permissions-Policy: 11.2%
Content Security Policy
- 1,646 CSPs parsed at directive level
- only 0.7% met a documented restrictiveness criterion
- 45.4% still included unsafe-inline
Cookies (7,240 observed)
- ~52% missing SameSite
- ~52% missing HttpOnly
- ~48% missing Secure
TLS
- No weak cipher suites observed
- 87.3% of domains already support TLS 1.3
Email authentication
- SPF: 55.5%
- DMARC: 43.8%
- DKIM: 36.6%
The DKIM figure should be interpreted as a lower bound because the methodology uses a fixed selector list rather than active selector enumeration.
security.txt
-present on 2.4% of domains
To check for sampling bias, I also ran the same pipeline against a manually selected set of 105 well-known Italian sites. As expected, they showed a noticeably stronger security configuration than the random Tranco sample, which supports using the latter as a representative cross-section of Tranco-indexed .it domains.
The paper reports Wilson 95% confidence intervals throughout, and the analysis pipeline and a pseudonymized dataset are publicly available.
Working paper (not peer reviewed):
https://doi.org/10.5281/zenodo.21322437
Dataset:
https://doi.org/10.5281/zenodo.21323346
I'd appreciate feedback on two points in particular:
- is there a better passive approach for estimating DKIM deployment without active selector enumeration?
- for people who have released large-scale measurement datasets, how do you balance reproducibility with limiting the disclosure of contextual metadata (for example, sector classifications)?
If anyone knows of comparable passive measurement studies for other ccTLDs, I'd also be interested in reading them.
Links cited in this discussion
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
A passive security measurement was conducted on 10,020 .it domains using standard HTTP requests, TLS handshakes, and DNS lookups without active scanning or exploitation. Key findings include that only 41.8% of domains use X-Frame-Options, 32.8% use HSTS, 18.7% implement CSP with only 0.7% meeting restrictiveness criteria, and 45.4% include unsafe-inline in CSP. Cookie security attributes SameSite and HttpOnly are missing in approximately 52% of cookies, and Secure is missing in about 48%. TLS configurations are strong with no weak cipher suites and 87.3% supporting TLS 1.3. Email authentication adoption is moderate with SPF at 55.5%, DMARC at 43.8%, and DKIM at 36.6%. The study also notes that only 2.4% of domains publish a security.txt file. The data is representative of the .it ccTLD and is publicly available for further analysis.
Potential Impact
The study reveals that many .it domains have suboptimal security configurations, such as missing or weak HTTP security headers, insecure cookie attributes, and incomplete email authentication deployment. These weaknesses can increase the risk of web-based attacks like clickjacking, cross-site scripting, session hijacking, and email spoofing. However, the study itself does not report any active exploitation or vulnerabilities, only the presence or absence of security controls.
Mitigation Recommendations
This is a passive measurement study and not a vulnerability report; no direct patch or fix is applicable. Organizations managing .it domains should consider improving their security posture by adopting recommended HTTP security headers (e.g., X-Frame-Options, HSTS, CSP with restrictive policies), setting secure cookie attributes (SameSite, HttpOnly, Secure), upgrading to TLS 1.3, and fully implementing email authentication standards (SPF, DMARC, DKIM). The study's dataset and methodology are publicly available for reference. No immediate action is required based on this report alone.
Technical Details
- Source Type
- Subreddit
- cybersecurity
- Reddit Score
- 0
- Discussion Level
- minimal
- Content Source
- reddit_link_post
- Post Type
- link
- Domain
- null
- Newsworthiness Assessment
- {"score":27,"reasons":["external_link","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
- Has External Source
- true
- Trusted Domain
- false
Threat ID: 6a53ac8168715ace436b4d0f
Added to database: 07/12/2026, 15:02:25 UTC
Last enriched: 07/12/2026, 15:02:36 UTC
Last updated: 07/12/2026, 17:17:19 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.