Trust & safety

We shorten links. We do not hide scams.

Short links carry trust. A clean short URL should not be a free disguise for a scam. Before any its.gd link is activated, we run the destination through 60 checks — 55 structural and heuristic checks in your browser, then 5 live network and threat-intel lookups on our server. Every check, on every plan, for every visitor.

Here is every single one, in plain language.

55 local checks

Structure & heuristics — in your browser

These run instantly in your browser as you paste a URL. No network required, no data leaves the page.

#01
nonempty

Destination is not empty

The destination field must contain a full URL like https://example.com — blank submissions are rejected.

#02
length

URL length within sane limit

Extremely long URLs are a common trick to hide the real destination behind pages of characters.

#03
whitespace

No embedded whitespace

Real links never contain spaces or tabs inside them. Whitespace usually means the URL was pasted broken or was crafted to bypass filters.

#04
control

No control characters

Invisible control characters can disguise the true destination from the human eye while browsers still follow them.

#05
parse

Parses as a valid URL

The URL must be parseable by the same WHATWG URL rules browsers use — malformed input is refused.

#06
scheme

Protocol is http or https

Only http:// and https:// links are shortened. Schemes like ftp:, file:, javascript: or data: are blocked at the door.

#07
https

Prefers HTTPS

Plain http:// destinations trigger a warning — visitors' browsers may mark them as not secure.

#08
userinfo

No embedded credentials

URLs like https://paypal.com@attacker.tld put credentials before the real host to make a phishing link look legitimate.

#09
host

Hostname present

The URL must have a hostname — there has to be an actual domain to send visitors to.

#10
host_dot

Hostname is fully qualified

Bare names like "server" (with no .com/.org/…) are internal-only and never valid public destinations.

#11
private

Not a private or local address

localhost, 127.0.0.1, 10.x.x.x, 192.168.x.x and other RFC1918 ranges are internal networks and cannot be public destinations.

#12
ip_literal

Rejects raw IP addresses

Legitimate public sites use domain names, not bare IPs. Raw IPs are a strong indicator of throwaway or malicious infrastructure.

#13
at_symbol

No @ in the authority

An @ sign in the wrong position hides the real host from casual readers — a classic phishing disguise.

#14
subdomain_depth

Reasonable subdomain depth

Chains like paypal.com.login.verify.attacker.tld try to look like a trusted brand while actually pointing somewhere else.

#15
label_length

DNS label lengths valid

Each label of the hostname must respect the 63-character DNS limit. Oversized labels are malformed.

#16
label_hyphens

No malformed hyphens

Leading, trailing, or consecutive hyphens in a hostname are invalid under DNS rules and often indicate look-alike domains.

#17
punycode

Homograph / punycode scan

Punycode (xn--…) hostnames can render as familiar brands using Cyrillic or Greek look-alikes. We surface every punycode host.

#18
ascii_host

Hostname script check

Non-ASCII hostnames can be legitimate international domains — or a homograph attack. We flag them for review.

#19
tld_present

Top-level domain present

Every real hostname ends in a TLD like .com or .org. Missing TLD = malformed URL.

#20
tld_risky

TLD reputation lookup

Some TLDs (.tk, .top, .cf, .ml, …) are dominated by abuse in public threat-intel data. We warn on those.

#21
tld_confusable

TLD not filename-confusable

TLDs like .zip and .mov look like file extensions, tricking users into believing a link is a file download.

#22
sld_length

Registrable domain length

The registrable domain (the part you'd buy) being extremely short or long is a signal of disposable infrastructure.

#23
digit_ratio

Digit ratio in domain

Domains that are mostly digits are typical of algorithmically generated throwaway hostnames used by malware.

#24
hyphen_count

Hyphen count in domain

Domains with many hyphens (e.g. secure-login-paypal-verify.com) are a phishing look-alike hallmark.

#25
entropy

Random-domain entropy check

High character entropy (looks like keyboard mashing) is typical of disposable malware C2 domains.

#26
shortener_chain

Shortener-chain guard

We refuse to shorten another shortener. Chained shorteners hide the true destination and defeat safety scanning.

#27
brand_subdomain

Brand impersonation (subdomain)

Patterns like paypal.attacker.com use a trusted brand as a subdomain of an attacker-owned host.

#28
brand_path

Brand impersonation (path)

Patterns like attacker.com/paypal-login put a brand name in the path to bait clicks.

#29
block_words

Hostile keyword scan

Keywords repeatedly linked to malware distribution or scams anywhere in the URL trigger a warning.

#30
scam_host

Scam keywords in host

Hostnames like free-gift-verify-now.tld are almost always scams. We flag the pattern.

#31
scam_path

Scam keywords in path

Scam wording in the URL path ("claim-reward", "account-suspended") is a lower-confidence signal but worth surfacing.

#32
dangerous_ext

Dangerous file extension

Direct links to .exe, .scr, .bat, .apk, .msi, .hta and similar executables are blocked outright.

#33
double_ext

Double-extension trickery

Filenames like invoice.pdf.exe are the classic malware disguise — the real extension is the last one.

#34
host_encoded

Hostname not percent-encoded

Encoding characters in the hostname (%65%78 …) is nearly always an attempt to hide the true destination from readers.

#35
path_length

Path length is reasonable

Unusually long paths can bury the real target parameter deep enough that visitors never notice it.

#36
open_redirect

Open-redirect parameter

Query parameters like ?url=…, ?next=…, ?redirect=… pointing at another host are laundered through the trusted domain to bypass filters.

#37
data_uri

Not a data: URI

data: URIs can embed arbitrary HTML or scripts directly in the link — never a safe destination for a shortener.

#38
js_uri

Not a javascript: URI

javascript: URIs run attacker-supplied code in the visitor's browser. Always blocked.

#39
fragment_js

No script in URL fragment

The part after # can be interpreted by some single-page apps — we reject script-like fragments.

#40
port

Standard web port

Legitimate public sites almost always serve on ports 80 or 443. Non-standard ports are a strong outlier signal.

#41
host_abuse_terms

Host has no threat terms

Hostname contains words repeatedly associated with phishing infrastructure in public threat feeds.

#42
double_dot

No consecutive dots in host

Consecutive dots (example..com) are invalid under DNS rules and often used to slip past naive parsers.

#43
edge_dot

No leading/trailing dot

A hostname starting or ending with a dot is malformed and often crafted to confuse filters.

#44
query_bloat

Query string size reasonable

Massive query strings are sometimes used to smuggle encoded payloads through the URL.

#45
blob_query

No opaque blob in query

Long base64/hex blobs in the query string can hide the real destination or exfiltration payload from casual inspection.

#46
self_ref

Not an its.gd → its.gd loop

Destinations pointing back to its.gd would create a redirect loop and are refused.

#47
tld_alpha

TLD is alphabetical

TLDs must be alphabetical — numeric or mixed TLDs are invalid.

#48
brand_plus_security

Brand + security-word pattern

Combinations like paypal-login-verify.tld or apple-secure-signin.tld are the phishing playbook. We warn every time.

#49
hash_length

Fragment length reasonable

Very long URL fragments are unusual and sometimes carry encoded payloads.

#50
homoglyph_brand

Digit-for-letter brand spoof

Look-alikes like g00gle.com, paypa1.com, micros0ft.com swap digits for letters to spoof known brands.

#51
mixed_script

No mixed Latin / Cyrillic

Mixing Latin and Cyrillic characters (аpple.com with a Cyrillic а) is a classic homograph attack.

#52
emoji_host

No emoji in hostname

Emoji hostnames are almost always novelty or spoof domains, not legitimate businesses.

#53
self_host

Not our own domain

Refuses destinations that are its.gd itself, preventing loops and abuse of our own domain reputation.

#54
reserved_tld

TLD not reserved

.test, .example, .invalid, .localhost are reserved for testing per RFC 2606 and never valid public destinations.

#55
reported_abuse

Prior abuse-report lookup

Cross-checks the destination against links previously reported as abusive by its.gd users.

5 network checks

Live network & threat intelligence

These run on our server and hit external services (Cloudflare DNS, Google Safe Browsing, URLhaus) to verify the destination is real, reachable, and not on any known blocklist.

#01
dns

DNS resolution (Cloudflare 1.1.1.1)

Live DNS-over-HTTPS lookup against Cloudflare 1.1.1.1. NXDOMAIN or unresolvable hosts are rejected — you can't shorten a link to a domain that doesn't exist.

#02
reachable

Following redirects · fetching destination

We actually fetch the destination server-side (up to 5 redirect hops) to confirm it responds. Dead hosts and permanent errors are rejected.

#03
redirect_chain

Verifying final landing host

Reports the final host after all redirects. If the destination silently lands somewhere different from what you pasted, you see it before publishing.

#04
safe_browsing

Google Safe Browsing lookup

Live lookup against Google Safe Browsing v4 for malware, social engineering (phishing), and unwanted-software listings.

#05
urlhaus

URLhaus malware database

Live lookup against URLhaus (abuse.ch), the community malware-URL database of active distribution hosts.

Suspicious links show warnings

If a destination looks risky, we don't silently redirect. Visitors see a warning splash that names the destination domain and the last scan result.

Unsafe links are blocked

Destinations that fail a critical structural check (raw IP, javascript:, dangerous file extension, brand-impersonation pattern, etc.) or that our team has flagged after a user report are blocked. Visitors see a dedicated blocked page instead of being redirected.

Destinations cannot be changed after activation

Once a link is activated, its destination is locked. This prevents a common bait-and-switch scam: someone creates a short link to a trusted site, shares it widely to build clicks and reputation, then swaps the destination to a scam page. The same short URL would silently mean something new, and visitors would follow based on trust earned by the old destination.

If you need to change a destination, you can delete the link and create a new one with the same slug. The old short URL stops working, so anyone with the previous link gets a dead link instead of an unexpected redirect. The new link starts with no clicks, no reputation, and no inherited trust — exactly what makes the bait-and-switch impossible.

Anyone can report an unsafe link

Append + to any its.gd link (e.g. its.gd/sale+) to preview the destination, see the last scan status, and report abuse.

What we don't claim

We never say a link is “100% safe.” No scanner can guarantee that. We say what we can stand behind: no known threats found, checked before activation, monitored for abuse.
Report a link

Saw something off? Tell us and we'll review.

Open report form