What does this URL validator check?

This URL validator checks whether a URL is syntactically valid according to modern browser rules, optionally flags risky patterns (like missing HTTPS or spaces), and can attempt to fetch the URL to show its HTTP status code and redirect chain. It does not perform deep malware or phishing analysis.

Is this URL validator safe to use?

Yes. Validation is done in your browser and URLs are only requested directly from your browser to the target site using fetch. CalcDomain does not log or store the URLs you test. For highly sensitive or private URLs, avoid testing them in any online tool.

Does a valid URL mean the site is safe?

No. A URL can be perfectly valid and still lead to a malicious or compromised site. This tool focuses on syntax, reachability, and basic redirection behavior. For security reputation checks, use dedicated services like your browser's built-in protections or security vendors.

Why do some URLs show CORS or network errors?

Many websites block cross-origin requests from browsers or require HTTPS, which can cause CORS or mixed-content errors. That does not necessarily mean the URL is down; it just means the browser was not allowed to fetch it from this page. You can still use the syntax validation and manual checks.

How do I validate multiple URLs at once?

Paste or type one URL per line in the Bulk URL Validator section and click "Validate list". The tool will validate syntax for each URL and show a summary of valid and invalid entries. For privacy and performance reasons, bulk mode does not auto-fetch HTTP status codes.

URL Validator – Check URL Syntax, Status Code & Redirects

How this URL validator works

This tool is designed to be a practical, developer-friendly alternative to heavy link checkers and raw regex snippets. It focuses on three layers of validation:

Syntax validation using the browser's built‑in URL parser.
Safety heuristics that flag suspicious patterns (spaces, control characters, punycode, etc.).
Live HTTP checks (optional) to see status codes and redirect chains.

1. Syntax validation (what counts as a valid URL?)

Instead of relying on a brittle regular expression, the validator uses the same parsing rules that modern browsers use:

try {
  const u = new URL(input);
  // If we get here, the URL is syntactically valid
} catch (e) {
  // Invalid URL
}

For a URL to be considered syntactically valid here:

It must include a scheme (e.g., http://, https://, ftp://).
The hostname must be non-empty and not contain spaces or control characters.
Internationalized domains (IDN) are supported via punycode (e.g., https://xn--d1acpjx3f.xn--p1ai).

2. Safety heuristics (is the URL “safe-looking”?)

A URL can be syntactically valid and still be risky. This validator optionally flags patterns that often appear in phishing or spam links:

Missing https:// (plain HTTP) for web URLs.
Whitespace characters or encoded spaces in the host or path.
Non-printable or control characters.
Very long query strings or fragment identifiers.
Multiple @ signs or suspicious use of URL-encoded characters.

These are heuristics only. A “safe-looking” URL is not guaranteed to be safe, and a flagged URL is not guaranteed to be malicious.

3. HTTP status & redirect chain

When you enable “Try to fetch HTTP status & redirects”, the tool uses fetch() to request the URL from your browser:

Shows the final HTTP status code (e.g., 200 OK, 404 Not Found, 301 Moved Permanently).
Lists intermediate redirects (e.g., http:// → https:// → canonical URL).
Reports network, CORS, or mixed-content errors when the browser blocks the request.

Many sites block cross-origin requests, so a CORS error here does not always mean the URL is down. It simply means the browser was not allowed to fetch it from this page.

Common URL validation pitfalls

1. Overly strict regex patterns

Popular regex patterns from libraries or Stack Overflow often:

Reject valid but uncommon schemes (mailto:, tel:, urn:).
Fail on internationalized domain names or new TLDs.
Are hard to maintain and debug.

Using the browser's URL object is usually more robust for web applications. For server-side validation, consider well-tested libraries in your language of choice.

2. Confusing “valid” with “safe”

A URL can be:

Valid (correct syntax) but unsafe (malicious destination).
Invalid (broken syntax) but harmless.

Always combine URL validation with other security layers: HTTPS, content security policy, server-side validation, and security scanning where appropriate.

FAQ

Does this tool check for malware or phishing?

No. It does not query external reputation databases. It only checks syntax, basic safety heuristics, and connectivity. Use your browser's built-in protections and reputable security tools for malware and phishing detection.

Can I use this validator in production code?

You can use the same approach in your own code (browser or server side). For production systems, you should:

Validate on both client and server.
Sanitize and encode URLs before storing or rendering them.
Log and monitor suspicious patterns.

Is bulk validation rate-limited?

Bulk mode in this page only performs syntax checks locally in your browser, so there is no external rate limit. For performance and privacy, it does not auto-fetch HTTP status codes for each URL.

URL Validator

Single URL Validator

Bulk URL Validator (one per line)