Redirect Inspector
Paste a short or suspicious URL and see the server-visible redirect path before you decide whether to open it.
Status: Live · Processing: server-assisted. The submitted URL is sent to the CyganLabs WordPress server so it can request headers, follow redirects, and block private/internal network targets before each hop.
This is for the normal “where does this thing actually go?” moment. It is not a malware scanner, browser sandbox, screenshot service, or magic phishing detector. It follows boring HTTP redirects and shows the path plainly, which is more useful than pretending a short link is trustworthy because it looks tidy.
Privacy/data behavior: this one is intentionally server-assisted. Your submitted URL is sent to CyganLabs so the server can request headers and follow redirects. The endpoint does not render pages, execute JavaScript, take screenshots, send cookies, or intentionally store submitted URLs. Do not paste private, signed, authenticated, tokenized, or secret-bearing links.
Safety boundary: the endpoint blocks localhost, private LAN, reserved, link-local, multicast, metadata-service-style targets, embedded credentials, non-HTTP protocols, and non-standard ports before each hop. This is SSRF hygiene, not a guarantee that the public destination is safe.
Inspect a link
Paste one public HTTP/HTTPS URL. Bare domains get an https:// fallback. Relative paths and links with embedded usernames or passwords are rejected.
Nothing inspected yet.
Shortcut: press Ctrl/⌘ + Enter in the URL field to inspect.
Result
Paste a URL and inspect it to see the redirect chain.
No check has run yet.
Redirect hops will appear here.
When to use it
- You received a short link and want to see the redirect path before opening it.
- You are checking whether a link changes domains, downgrades from HTTPS to HTTP, or drags a mile-long tracking query behind it.
- You want a plain report you can copy into a ticket, email, or security-awareness note.
What this checks
- HTTP status codes for each server-visible redirect hop.
- The final URL after normal HTTP redirects, up to a strict hop limit.
- Domain changes, HTTPS-to-HTTP downgrades, punycode-looking domains, known short-link domains, tracking-style parameters, and crowded query strings.
- SSRF-sensitive destinations before every request: private IPs, loopback, reserved ranges, link-local addresses, and non-standard ports are blocked.
What this does not do
- It does not scan for malware, phishing kits, exploits, or reputation data.
- It does not execute JavaScript, inspect client-side redirects, log into anything, bypass paywalls, or render screenshots.
- It cannot prove a destination is safe. It can only show the redirect path the server can see.
- Some sites block automated HEAD/GET checks, hide behavior behind JavaScript, or show different results by geography, device, cookie, or login state.
Related tools
After you inspect the destination, use Link Cleaner to remove common tracking parameters from the final URL. For file-name cleanup before sharing, use Filename Cleaner. For image metadata cleanup, use Image Privacy Cleaner.
FAQ
Is this a malware scanner?
No. It is a redirect inspector. Treat the final URL as information, not permission.
Are submitted links logged?
The tool endpoint does not intentionally store submitted URLs. It uses POST instead of putting the URL in the request path, and it rate-limits by visitor IP. Normal web infrastructure may still have operational logs, so do not paste secrets, signed links, password-reset URLs, or authenticated links.
Why does it block private IPs and odd ports?
Because server-side URL tools can be abused to poke at internal services if they are built lazily. This one refuses localhost, private networks, reserved ranges, link-local addresses, embedded credentials, non-HTTP protocols, and non-standard ports before each hop. Boring security work: not glamorous, very necessary.