Skip to main content
L
Loopaloo
Buy Us a Coffee
All ToolsImage ProcessingAudio ProcessingVideo ProcessingDocument & TextPDF ToolsCSV & Data AnalysisConverters & EncodersWeb ToolsMath & ScienceGames
Guides & BlogAboutContact
Buy Us a Coffee
L
Loopaloo

Free online tools for developers, designers, and content creators. All processing happens entirely in your browser - your files never leave your device. No uploads, no accounts, complete privacy.

support@loopaloo.com

Tool Categories

  • Image Tools
  • Audio Tools
  • Video Tools
  • Document & Text
  • PDF Tools
  • CSV & Data
  • Converters
  • Web Tools
  • Math & Science
  • Games

Company

  • About Us
  • Contact
  • Blog
  • FAQ

Legal

  • Privacy Policy
  • Terms of Service
  • Disclaimer

Support

Buy Us a Coffee

© 2026 Loopaloo. All rights reserved. Built with privacy in mind.

Privacy|Terms|Disclaimer
  1. Home
  2. Web Tools
  3. URL Safety Analyzer
Add to favorites

URL Safety Analyzer

Analyze any URL for phishing, suspicious patterns, and security risks. Detects login keywords, suspicious TLDs, encoded characters, brand impersonation, and more

Before you click a suspicious link, paste it here. This analyzer inspects the URL structure for common phishing patterns, homoglyph and punycode attacks, suspicious subdomains, and known-bad TLDs. It won't visit the URL, it analyzes the string itself.

Runs locally in your browserMore web toolsJump to full guide

Initializing in your browser…

You might also like

Password Strength Checker

Analyze password security with 10 criteria checks, entropy calculation, crack time estimation, character breakdown, warnings, and improvement suggestions

SSL Certificate Checker

Check if a website has valid SSL/TLS certificate. Verify HTTPS connection and get tools for detailed certificate analysis

Zettelkasten Notes

Build a personal knowledge base with [[bidirectional links]], tags, backlinks, search, note metadata, and import/export. Implements Zettelkasten method

URL Safety Analyzer: a worked example

A "your account is locked" email links to the URL below and you want a sober breakdown before anyone in the team clicks it.

URL pasted

http://paypa1-secure-login.account-verify.ru/login?next=update
URL Safety Analyzer produces

Risk findings

⚠ Lookalike brand: "paypa1" substitutes 1 for l (typosquat)
⚠ Not HTTPS: credentials would be sent in clear text
⚠ Real domain is account-verify.ru, not paypal, brand is only a subdomain
⚠ Credential keywords: "secure-login", "verify"
Verdict: High risk, classic phishing structure

The analyzer inspects the URL lexically, it never visits the link. It separates the true registrable domain (`account-verify.ru`) from the deceptive subdomain, flags homoglyph/typosquat tricks like "paypa1", and notes the missing TLS. This is structural phishing detection, so treat it as a strong warning, not a substitute for a live threat-intel blocklist.

About the URL Safety Analyzer

Before you click a suspicious link, paste it here. This analyzer inspects the URL structure for common phishing patterns, homoglyph and punycode attacks, suspicious subdomains, and known-bad TLDs. It won't visit the URL, it analyzes the string itself.

Key features

  • Phishing pattern detection
  • Homoglyph and punycode (IDN) detection
  • Suspicious and high-risk TLD flagging
  • Risk score (0-100) with per-issue explanations
  • String-only analysis, the target URL is never fetched

How to use

  1. 1Paste a suspicious URL into the input.
  2. 2Review the risk assessment and specific warnings.
  3. 3Decide whether the link is safe to visit.

How it works

The URL Safety Analyzer parses a pasted link entirely in your browser with the native URL() constructor (prepending https:// first if no http/https/javascript/data scheme is present) and runs a weighted rule engine that produces a risk score from 0 to 100. Each signal adds points: a homograph or Punycode hostname adds 40, encoded-character obfuscation adds 20, more than two subdomains adds 15, a known URL shortener adds 15, a suspicious top-level domain adds 15, plain HTTP instead of HTTPS adds 10, a URL longer than 200 characters adds 10, and each matched suspicious pattern adds its severity times 10. The total is capped at 100 and mapped to a verdict of 'Safe' (score 0), 'Caution' (1-49), or 'High Risk' (50 or above), with each warning color-coded by severity (yellow for 1, orange for 2, red 'Critical' for 3).

Its strongest signal is homograph and IDN-spoofing detection, which it performs two ways. It scans the raw text you typed against a built-in map of 18 Cyrillic lookalikes (the lowercase а, е, о, р, с, х, у and the uppercase А, В, Е, К, М, Н, О, Р, С, Т, Х) that mimic Latin letters, and it separately checks whether the browser-normalized hostname contains the 'xn--' Punycode prefix - so a domain like аpple.com written with a Cyrillic 'а' is flagged even after it is converted, and the warning prints the actual Punycode hostname so you can compare it to the brand you expected. The regex pattern bank also flags login/secure/verify/confirm keywords (severity 2), executable and archive endings such as .exe/.zip/.scr and double extensions like .pdf.exe (severity 3), raw IPv4 addresses used as hosts, javascript: and data: schemes, scam and urgency words (free, winner, prize, urgent), cryptocurrency terms (wallet, bitcoin, airdrop), .ru/.cn/.ir/.kp country TLDs, and 16 major brand names (paypal, amazon, microsoft, netflix, steam, roblox and others) that prompt you to verify domain authenticity. It also recognizes 26 shortener domains by name, including bit.ly, tinyurl.com, t.co, amzn.to and youtu.be, and breaks the URL into protocol, hostname, path, and decoded query parameters in a side panel.

Because the entire analysis is static string inspection done client-side, it never fetches the URL, follows a shortener's redirect, or queries any reputation service such as Google Safe Browsing - so a 'Safe' result means no structural red flags were found, not that the destination is trustworthy, and a bit.ly link is always flagged precisely because its final target cannot be resolved without visiting it. The tool keeps the last 10 analyses in memory for the session (showing the five most recent in a sidebar) and only offers an 'Open in New Tab' link when the verdict is 'Safe', using rel=noopener noreferrer. This makes it a lightweight pre-click triage step for inbound links rather than a definitive verdict; pair it with the visible Punycode hostname as your manual homoglyph check.

Practical scenarios

  • Email link vetting

    Check links from emails before clicking, especially those claiming to be from banks, shipping companies, or IT departments.

  • Slack and chat link checking

    Verify shortened or unfamiliar URLs shared in team chat channels.

  • Security awareness training

    Demonstrate how phishing URLs mimic legitimate domains using character substitution and subdomain tricks.

Frequently asked questions

Does this tool visit the URL?

No. It only analyzes the URL string. No HTTP requests are made to the target.

Can it catch every phishing attempt?

No tool can guarantee 100% detection. This catches structural patterns, but always exercise judgment with unfamiliar links.

Related tools and how they differ

  • SRI Hash Generator: Produces integrity hashes so browsers reject a tampered CDN script or stylesheet; use it to harden your own page, not to judge a link's trustworthiness.
  • CSP Builder: Assembles a Content-Security-Policy that whitelists where your page may load resources; use it to defend your site from XSS, not to check an incoming link.

Private by design

This runs as client-side JavaScript. Keys, tokens, payloads, and other inputs never leave your device.