I scanned 15 Italian citizenship agencies for basic security. 14 scored F.
I ran beacon against 15 Italian citizenship agencies. Law firms, document services, full-service shops. The first 15 results Google returned for "jure sanguinis service" and "Italian dual citizenship agency."
14 scored F. One scored D. None scored above D.
These are the companies people trust with their grandparents' birth certificates.
The email problem
87% (13 of 15) have no effective DMARC. That means anyone can send an email that appears to come from their domain. An invoice, a document request, a payment reminder. The client's mail provider has no published policy telling it to block the message.
7 had no DMARC record at all. 6 had it set to p=none, which is monitoring mode: the receiver logs the failure and delivers the email anyway. Only 2 out of 15 would actually reject a spoofed message.
The FBI's IC3 puts BEC losses at $55 billion between 2013 and 2023, and $2.7 billion in 2024 alone.
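What "no effective DMARC" means in practice comes down to parsing the `_dmarc` TXT record and reading its `p` and `pct` tags. The following is an added example (not beacon's own code) that does that classification over constructed sample records; the domain names and records are made up, and in a real scan they would come from a DNS TXT lookup of `_dmarc.<domain>`. It goes slightly beyond the post by treating `pct<100` as not fully effective and by handling a record with a missing `p` tag the way RFC 7489 tells receivers to.

```python
"""Added example: classifying DMARC TXT records the way a passive scanner would."""

# Constructed sample records keyed by made-up domains. These are not the
# records of any real agency; they exist so the example runs offline.
SAMPLE_RECORDS = {
    "no-record.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=100",
    "reject.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "partial.example": "v=DMARC1; p=reject; pct=10",
    "malformed.example": "p=reject",  # no v=DMARC1 tag, so receivers ignore it
}


def parse_dmarc(record):
    """Split a DMARC record into a tag dict. Returns None when the text is not
    a valid DMARC record (RFC 7489 requires v=DMARC1 as the first tag)."""
    if record is None:
        return None
    tags = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        name, value = part.split("=", 1)
        tags.append((name.strip().lower(), value.strip()))
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)


def classify(record):
    """Return one of: missing, invalid, monitoring, quarantine, reject."""
    if record is None:
        return "missing"
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid"
    policy = tags.get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return policy
    # p=none is monitoring. A missing or unrecognised p tag with a rua address
    # is also treated as p=none by receivers (RFC 7489 section 6.6.3); without
    # rua the record gives receivers nothing to apply at all.
    return "monitoring" if policy == "none" or "rua" in tags else "invalid"


def is_effective(record):
    """True only when a spoofed message would be quarantined or rejected for
    every message, i.e. p=quarantine or p=reject applied at pct=100."""
    tags = parse_dmarc(record) or {}
    if tags.get("p", "").lower() not in ("quarantine", "reject"):
        return False
    try:
        return int(tags.get("pct", "100")) == 100
    except ValueError:
        return False


def summarize(records):
    """Count classifications across a set of domains, as a scan report would."""
    counts = {}
    for record in records.values():
        label = classify(record)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:24} {classify(record):11} effective={is_effective(record)}")
    print(summarize(SAMPLE_RECORDS))
```

The split the post reports (no record, p=none, enforcing) is exactly what `summarize` produces over a batch of domains; `is_effective` is the stricter question of whether a spoofed message is actually stopped.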
No CSP on 87% of sites
13 out of 15 have no Content-Security-Policy. Without one, the browser places no restriction on which scripts may run on the page.
This is the weakness behind the British Airways breach. A Magecart script was injected into BA's payment page. 380,000 cards skimmed over 15 days. £20 million ICO fine. Root cause: no CSP.
Same weakness. Different industry. Same risk.
Tracking
12 of the 15 load Google Analytics. Before a visitor submits a single form, Google knows they're looking at Italian citizenship services, from which IP, with which browser.
One runs Hotjar. Session recording. Every mouse movement, every click, every keystroke in a form field. A Princeton study found session replay scripts on 482 sites capturing passwords and credit card numbers in recordings accessible to third-party employees.
The rest
0 out of 15 have a security.txt. If a researcher finds a vulnerability, there is no published way to report it. 5 disclose their exact server software version in response headers. 4 expose WordPress admin login pages to the public internet.
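The CSP, server-version and security.txt findings above are all passive header and well-known-path checks. Here is an added example (not beacon's own code) that runs those checks over constructed sample responses; the domains and header values are made up, and in a real scan they would be the response headers of the site's front page plus the HTTP status of `/.well-known/security.txt`. It goes beyond the post in one respect: rather than only asking whether a CSP exists, it also flags a CSP whose `script-src` would still let injected script run.

```python
"""Added example: passive header checks (CSP, Server version, security.txt)."""
import re

# Constructed sample responses, not data from any real agency.
SAMPLE_SITES = {
    "no-policy.example": {
        "headers": {"Server": "Apache/2.4.41 (Ubuntu)", "Content-Type": "text/html"},
        "security_txt_status": 404,
    },
    "weak-policy.example": {
        "headers": {
            "Server": "nginx",
            "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
        },
        "security_txt_status": 404,
    },
    "good-policy.example": {
        "headers": {
            "Server": "nginx",
            "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example; object-src 'none'",
        },
        "security_txt_status": 200,
    },
}

VERSION_RE = re.compile(r"\d+\.\d+")  # e.g. "2.4.41" inside a Server header
HASH_OR_NONCE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def header(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(policy):
    """Turn "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_findings(policy):
    """Weaknesses in a CSP that would still let injected script execute."""
    if policy is None:
        return ["no Content-Security-Policy header"]
    directives = parse_csp(policy)
    # script-src falls back to default-src when it is absent.
    script = directives.get("script-src", directives.get("default-src", []))
    findings = []
    if not script:
        findings.append("no script-src or default-src: scripts unrestricted")
    # 'unsafe-inline' is ignored by CSP2+ browsers when a nonce or hash is present.
    has_nonce_or_hash = any(t.startswith(HASH_OR_NONCE_PREFIXES) for t in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline'")
    if "*" in script or "https:" in script:
        findings.append("script-src allows scripts from any host")
    return findings


def site_findings(site):
    """All passive findings for one site, in a stable order."""
    headers = site["headers"]
    findings = csp_findings(header(headers, "Content-Security-Policy"))
    server = header(headers, "Server") or ""
    if VERSION_RE.search(server):
        findings.append(f"Server header discloses version: {server}")
    if site["security_txt_status"] != 200:
        findings.append("no /.well-known/security.txt")
    return findings


if __name__ == "__main__":
    for domain, site in SAMPLE_SITES.items():
        print(domain)
        for finding in site_findings(site) or ["no findings"]:
            print("  -", finding)
```

The nonce/hash check matters because a policy that pairs `'unsafe-inline'` with a nonce is a deliberate backwards-compatibility pattern, not a weakness, and a scanner that flags it will produce noise.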
| Grade | Count |
|---|---|
| F | 14 |
| D | 1 |
A website's security posture is a proxy for everything else. An agency that hasn't configured DMARC probably hasn't configured anything behind the login either.
The tool is open source. beacon checks TLS, headers, email authentication, exposed files, third-party tracking, forms, and cookies. Run it on any domain.
Passive analysis of public information. No exploitation. Agencies anonymised. Scans conducted 23 March 2026.