Japan Information Infrastructure Services Co., Ltd. (Headquarters: Amagasaki City, Hyogo Prefecture; Representative Director: Tomohide Sasaki / JIIS Security Lab) has conducted an external security assessment of 307 corporate websites in Hyogo Prefecture using its free web security diagnostic service 'SiteDock,' and published the results as the 'Hyogo Prefecture Web Security Reality Survey 2026.'

The survey found that more than half (55.1%) of the websites lack DMARC, an email spoofing prevention measure, and 92.5% are missing security headers such as CSP (Content Security Policy) that prevent cross-site scripting attacks. These figures were compiled using a non-invasive, passive method based solely on publicly available information, with no intention of criticizing specific companies, but rather to promote overall security improvement across the prefecture.

(Survey period: June 7–9, 2026 / Method: Passive aggregation, anonymous / n=307)

Background of the Survey

The baseline for email authentication has changed significantly over the past two years. In February 2024, Gmail and Yahoo! began requiring senders who transmit a certain volume of emails to configure SPF, DKIM, and DMARC. Microsoft followed in 2025. As a result, emails without authentication are increasingly being treated as spam—or worse, blocked entirely. Similarly, security headers have become standard, expected components for ensuring website safety.

So, what is the actual state of corporate websites in the region? To understand this not by intuition but by data, we conducted this survey.

Survey Results (Key Metrics)

As shown in the graph above, security headers were the most neglected area: over 96% lacked Permissions-Policy and Referrer-Policy, and 92.5% were missing CSP. Even items that can be securely added with a single line of code remain largely unconfigured—indicating not technical difficulty, but a lack of awareness about their existence.

For email authentication, SPF is widely adopted because it is often included in default configurations of rental servers. However, DMARC, which requires manual setup and ongoing management, was unconfigured in 55.1% of cases. The pattern of 'SPF configured but DMARC missing' was frequently observed.

Regarding communication protection, while HTTPS adoption is progressing, 85.7% lack HSTS, which enforces HTTPS usage at all times. This indicates that many sites have 'installed the certificate but left the final step unfinished.'

Executive Comment

Tomohide Sasaki, Representative Director, Japan Information Infrastructure Services Co., Ltd.

'We have operated municipal information security cloud services for 41 cities and towns across Hyogo Prefecture for over 10 years. In that experience, we repeatedly observed that critical vulnerabilities often stem not from severe flaws, but from missing configurations that are not included in default setups and are simply unknown. This survey confirms that pattern: issues that could be fixed quickly with awareness and action are widely overlooked across the region. This survey does not target any specific company; its purpose is to serve as a catalyst for improving the overall security posture of websites in the prefecture. The full report includes detailed guidance on how to implement each measure—starting with understanding your site’s externally visible state.'

Full Report (Free Distribution)

The complete report, including self-audit checklists, configuration references by environment (nginx/Apache/WordPress), and detailed explanations of methods and limitations, is available for free download.

Download the Full Report for Free

Methodology and Limitations of the Survey

This survey was conducted solely through a passive method, collecting publicly available information (DNS records, HTTP response headers, etc.) from external sources. No active testing (port scanning, vulnerability scanning, etc.) was performed on any website. Therefore, the results reflect only the externally visible state and do not determine the actual security level of each site. Items that cannot be reliably assessed from the outside (e.g., DKIM) were excluded. The results reflect the state as of the survey period (June 7–9, 2026). No personally identifiable or organization-specific data is included; only aggregated values are published. Additionally, the sample is limited to businesses registered with gBizINFO in Hyogo Prefecture, making the results regionally and demographically biased and not directly generalizable to the entire country or other industries.

Company Overview

Company Name

Japan Information Infrastructure Services Co., Ltd. (JIIS Security Lab)

Headquarters

1-2-1-204 Shiode, Amagasaki City, Hyogo Prefecture 661-0976

Representative

Representative Director Tomohide Sasaki

Established

June 28, 2019 (Reiwa 1)

Capital

3,000,000 JPY

Business Activities

Operation of municipal information security cloud services, provision of web security diagnostic SaaS 'SiteDock,' and related services

URL

https://sitedock.jp/

FACT BOX

  • Source: PR TIMES
  • Category: Survey
  • Organizations: Gmail / Yahoo! / Microsoft
  • Dates in source: 2024-02