Even well-known websites ship with broken HTML, sketchy inline scripts, missing HSTS, or sloppy cookies.
That makes it harder for everyone, tech-savvy or not, to assess whether an unknown link is safe, especially with AI-generated scams on the rise, e.g., trap page —> auto-redirect stray clicks to legit site.
I built LegitURL to reveal subtle signals that might otherwise go unnoticed.
What it does:
LegitURL (Swift / iOS, open-source): – Runs offline: parses URL components, flags homograph attacks, entropy spikes, scammy terms – Sends a single stripped GET request (no cookies, no query) to analyze: – Silent or shady redirects (even without a Location header) – TLS cert sanity (CN/SAN match, freshness, sketchy intermediates) – Missing, broken, or contradictory CSP/HSTS headers – Cookie flags, expiry, tracking IDs – HTML structure: stripped comments, <script> tag analysis
All signals are shown transparently. You can export a PDF for humans or a JSON report for LLMs.
It’s not a malware detector or blacklist checker, it’s a structural/behavioral analyzer.
Fully on-device. Most links resolve in under 2s depending on latency.
Links – GitHub (repo + GIF demo): https://github.com/sigfault-byte/LegitURL – App Store (free / no-account): https://apps.apple.com/fr/app/legiturl/id6745583794
Still a WIP, some heuristics need tuning and edge cases are being discovered.
Would appreciate any feedback: – Are any signals missing or too strict? – UI ideas or improvements?
Thanks.