Destination is not empty
The destination field must contain a full URL like https://example.com — blank submissions are rejected.
Short links carry trust. A clean short URL should not be a free disguise for a scam. Before any its.gd link is activated, we run the destination through 60 checks — 55 structural and heuristic checks in your browser, then 5 live network and threat-intel lookups on our server. Every check, on every plan, for every visitor.
Here is every single one, in plain language.
These run instantly in your browser as you paste a URL. No network required, no data leaves the page.
The destination field must contain a full URL like https://example.com — blank submissions are rejected.
Extremely long URLs are a common trick to hide the real destination behind pages of characters.
Real links never contain spaces or tabs inside them. Whitespace usually means the URL was pasted broken or was crafted to bypass filters.
Invisible control characters can disguise the true destination from the human eye while browsers still follow them.
The URL must be parseable by the same WHATWG URL rules browsers use — malformed input is refused.
Only http:// and https:// links are shortened. Schemes like ftp:, file:, javascript: or data: are blocked at the door.
Plain http:// destinations trigger a warning — visitors' browsers may mark them as not secure.
URLs like https://paypal.com@attacker.tld put credentials before the real host to make a phishing link look legitimate.
The URL must have a hostname — there has to be an actual domain to send visitors to.
Bare names like "server" (with no .com/.org/…) are internal-only and never valid public destinations.
localhost, 127.0.0.1, 10.x.x.x, 192.168.x.x and other RFC1918 ranges are internal networks and cannot be public destinations.
Legitimate public sites use domain names, not bare IPs. Raw IPs are a strong indicator of throwaway or malicious infrastructure.
An @ sign in the wrong position hides the real host from casual readers — a classic phishing disguise.
Chains like paypal.com.login.verify.attacker.tld try to look like a trusted brand while actually pointing somewhere else.
Each label of the hostname must respect the 63-character DNS limit. Oversized labels are malformed.
Leading, trailing, or consecutive hyphens in a hostname are invalid under DNS rules and often indicate look-alike domains.
Punycode (xn--…) hostnames can render as familiar brands using Cyrillic or Greek look-alikes. We surface every punycode host.
Non-ASCII hostnames can be legitimate international domains — or a homograph attack. We flag them for review.
Every real hostname ends in a TLD like .com or .org. Missing TLD = malformed URL.
Some TLDs (.tk, .top, .cf, .ml, …) are dominated by abuse in public threat-intel data. We warn on those.
TLDs like .zip and .mov look like file extensions, tricking users into believing a link is a file download.
The registrable domain (the part you'd buy) being extremely short or long is a signal of disposable infrastructure.
Domains that are mostly digits are typical of algorithmically generated throwaway hostnames used by malware.
Domains with many hyphens (e.g. secure-login-paypal-verify.com) are a phishing look-alike hallmark.
High character entropy (looks like keyboard mashing) is typical of disposable malware C2 domains.
We refuse to shorten another shortener. Chained shorteners hide the true destination and defeat safety scanning.
Patterns like paypal.attacker.com use a trusted brand as a subdomain of an attacker-owned host.
Patterns like attacker.com/paypal-login put a brand name in the path to bait clicks.
Keywords repeatedly linked to malware distribution or scams anywhere in the URL trigger a warning.
Hostnames like free-gift-verify-now.tld are almost always scams. We flag the pattern.
Scam wording in the URL path ("claim-reward", "account-suspended") is a lower-confidence signal but worth surfacing.
Direct links to .exe, .scr, .bat, .apk, .msi, .hta and similar executables are blocked outright.
Filenames like invoice.pdf.exe are the classic malware disguise — the real extension is the last one.
Encoding characters in the hostname (%65%78 …) is nearly always an attempt to hide the true destination from readers.
Unusually long paths can bury the real target parameter deep enough that visitors never notice it.
Query parameters like ?url=…, ?next=…, ?redirect=… pointing at another host are laundered through the trusted domain to bypass filters.
data: URIs can embed arbitrary HTML or scripts directly in the link — never a safe destination for a shortener.
javascript: URIs run attacker-supplied code in the visitor's browser. Always blocked.
The part after # can be interpreted by some single-page apps — we reject script-like fragments.
Legitimate public sites almost always serve on ports 80 or 443. Non-standard ports are a strong outlier signal.
Hostname contains words repeatedly associated with phishing infrastructure in public threat feeds.
Consecutive dots (example..com) are invalid under DNS rules and often used to slip past naive parsers.
A hostname starting or ending with a dot is malformed and often crafted to confuse filters.
Massive query strings are sometimes used to smuggle encoded payloads through the URL.
Long base64/hex blobs in the query string can hide the real destination or exfiltration payload from casual inspection.
Destinations pointing back to its.gd would create a redirect loop and are refused.
TLDs must be alphabetical — numeric or mixed TLDs are invalid.
Combinations like paypal-login-verify.tld or apple-secure-signin.tld are the phishing playbook. We warn every time.
Very long URL fragments are unusual and sometimes carry encoded payloads.
Look-alikes like g00gle.com, paypa1.com, micros0ft.com swap digits for letters to spoof known brands.
Mixing Latin and Cyrillic characters (аpple.com with a Cyrillic а) is a classic homograph attack.
Emoji hostnames are almost always novelty or spoof domains, not legitimate businesses.
Refuses destinations that are its.gd itself, preventing loops and abuse of our own domain reputation.
.test, .example, .invalid, .localhost are reserved for testing per RFC 2606 and never valid public destinations.
Cross-checks the destination against links previously reported as abusive by its.gd users.
These run on our server and hit external services (Cloudflare DNS, Google Safe Browsing, URLhaus) to verify the destination is real, reachable, and not on any known blocklist.
Live DNS-over-HTTPS lookup against Cloudflare 1.1.1.1. NXDOMAIN or unresolvable hosts are rejected — you can't shorten a link to a domain that doesn't exist.
We actually fetch the destination server-side (up to 5 redirect hops) to confirm it responds. Dead hosts and permanent errors are rejected.
Reports the final host after all redirects. If the destination silently lands somewhere different from what you pasted, you see it before publishing.
Live lookup against Google Safe Browsing v4 for malware, social engineering (phishing), and unwanted-software listings.
Live lookup against URLhaus (abuse.ch), the community malware-URL database of active distribution hosts.
Saw something off? Tell us and we'll review.