URL Shortener Safety: How to Expand and Inspect Shortened Links
Shortened URLs are everywhere — in emails, social media posts, SMS messages, and marketing campaigns. Services like bit.ly, TinyURL, and t.co take a long URL and compress it into a short string of characters. While convenient, shortened URLs hide the final destination, making them a popular tool for phishing attacks, malware distribution, and spam. Learning how to safely expand and inspect shortened URLs is an essential security skill.
How URL Shorteners Work
A URL shortener stores a mapping between a short alias and the original long URL. When you visit the short link, the service issues an HTTP redirect (typically a 301 or 302) that sends your browser to the destination.
Short URL: https://bit.ly/3xYzAbC
│
▼
bit.ly server looks up alias
│
▼
Response: HTTP 302 → Location: https://example.com/long-url
│
▼
Browser navigates to destination
The redirect happens so fast that you never see the intermediate step. An attacker could point that short URL to a phishing page, a drive-by download site, or a lookalike domain that tricks you into entering credentials.
The Dangers of Blindly Clicking Shortened URLs
- Phishing — The short URL could lead to a fake login page that steals your credentials
- Malware — The destination might host a drive-by download that infects your device
- Pharming — Redirect chains can route through multiple domains to evade detection
- Tracking — URL shorteners log every click, including your IP address, device, and timestamp
- Content spoofing — The destination might change after the link is shared, a tactic called "link rot"
- Redirect loops — Malicious configurations can trap your browser in an infinite redirect
How to Inspect a Shortened URL Safely
Method 1: Use a Redirect Checker Tool
The safest way to inspect a shortened URL is to use a dedicated unshorten tool that follows the redirect chain server-side without exposing your browser. The Shortened URL Checker tool on Help2Code resolves the full redirect chain and displays the final destination URL without you ever visiting the target.
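# Linux / macOS: print only the first hop's redirect target (HEAD request, nothing is followed, no browser)
curl -sI -o /dev/null -w '%{redirect_url}\n' https://bit.ly/3xYzAbC
# Follow every redirect and print the final URL (this sends a request to the destination server)
curl -sL -o /dev/null -w '%{url_effective}\n' https://bit.ly/3xYzAbC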
Method 2: Preview with URL Shortener Services
Some URL shorteners offer a preview feature:
# Add a plus sign to bit.ly URLs
https://bit.ly/3xYzAbC+ → shows stats and destination
# Or use the API
https://api-ssl.bitly.com/v4/expand
Method 3: Manual Inspection in the Browser
Most modern browsers show the destination URL in the status bar when you hover over a link. Right-click and copy the link address to inspect it before clicking. Some browsers also offer link preview features.
Understanding HTTP Redirects
When a shortened URL resolves, the server returns an HTTP redirect status code:
| Status Code | Type | Description |
|---|---|---|
| 301 | Moved Permanently | Permanent redirect; search engines update their index |
| 302 | Found | Temporary redirect; most shorteners use this |
| 303 | See Other | Forces GET request after POST |
| 307 | Temporary Redirect | Similar to 302 but preserves HTTP method |
| 308 | Permanent Redirect | Similar to 301 but preserves HTTP method |
URL shorteners typically use 301 or 302. A redirect chain occurs when multiple redirects happen before reaching the final URL. Some malicious setups use chains to hide the ultimate destination.
# Trace the redirect chain with curl (verbose mode, following redirects; one Location line per hop)
curl -svL -o /dev/null https://bit.ly/3xYzAbC 2>&1 | grep -i '^< location:'
# Or use the -L (follow) and -w (write-out) options to print the final URL and the hop count
curl -sL -w "\nFinal URL: %{url_effective}\nRedirects: %{num_redirects}\n" -o /dev/null https://bit.ly/3xYzAbC
Detecting Suspicious Shortened Links
Look for these red flags when inspecting a shortened URL:
Flag 1: Unknown or unusual short domain
Common shorteners: bit.ly, tinyurl.com, t.co, ow.ly, is.gd, buff.ly, rebrand.ly
If the domain is unfamiliar (e.g., xyz.ly, sho.rt, shorten.xyz), exercise extra caution.
Flag 2: Multiple redirect hops
A legitimate short link typically has one redirect. Two or more hops suggest an attempt to evade URL scanners.
Flag 3: Mismatched display text and destination
Always check that the visible link text matches the actual destination. An email that claims to link to https://www.paypal.com while its short URL resolves to paypa1-security.com is a phishing attempt.
Flag 4: Shortened links in unsolicited messages
Be especially wary of shortened URLs in emails, SMS, or direct messages from unknown senders. Phishing campaigns frequently use URL shorteners to bypass email filters.
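The redirect chain and the red flags above can be checked together in one pass. The following is an added example, not code from the original article or from Help2Code: it requests each hop with HEAD without auto-following, records the status code at every step, stops on loops or after `max_hops`, and applies flags 1 to 3 plus the HTTPS check. The function names, the flag labels and the `SAMPLE` table (including `tracker.example`) are assumptions constructed for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "is.gd", "buff.ly", "rebrand.ly"}
REDIRECTS = {301, 302, 303, 307, 308}

def head_once(url):
    """One HEAD request, redirects NOT followed. Returns (status, Location header)."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=10)
    try:
        conn.request("HEAD", (p.path or "/") + (f"?{p.query}" if p.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace_chain(url, fetch=head_once, max_hops=10):
    """Walk the chain hop by hop. Returns ([(url, status), ...], problem or None)."""
    chain = []
    while len(chain) < max_hops:
        if any(url == seen for seen, _ in chain):   # already visited: redirect loop
            return chain, "loop"
        status, location = fetch(url)
        chain.append((url, status))
        if status not in REDIRECTS or not location:
            return chain, None                      # reached the final destination
        url = urljoin(url, location)                # Location may be relative
    return chain, "hop-limit"

def red_flags(chain, problem, expected_domain=None):
    """Flags 1-3 from the list above plus the HTTPS check, applied to a traced chain."""
    final = urlsplit(chain[-1][0])
    host = final.hostname or ""
    checks = [
        (urlsplit(chain[0][0]).hostname not in KNOWN_SHORTENERS, "unknown-shortener"),
        (sum(s in REDIRECTS for _, s in chain) >= 2, "multiple-hops"),
        (final.scheme != "https", "final-not-https"),
        (bool(expected_domain) and host != expected_domain
         and not host.endswith(f".{expected_domain}"), "domain-mismatch"),
        (problem is not None, problem),
    ]
    return [name for hit, name in checks if hit]

SAMPLE = {  # constructed redirect table standing in for the network (not real responses)
    "https://bit.ly/3xYzAbC": (302, "http://tracker.example/r?id=1"),
    "http://tracker.example/r?id=1": (301, "https://paypa1-security.com/login"),
    "https://paypa1-security.com/login": (200, None),
}
```

Calling `trace_chain(url, fetch=SAMPLE.__getitem__)` runs the trace offline against the constructed table; omitting `fetch` uses `head_once`, which contacts every hop including the destination server.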
Code Examples
Python: Expand a Shortened URL
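import requests

def unshorten_url(url: str) -> str:
    """Follow redirects with HEAD requests and return the final URL."""
    try:
        # HEAD fetches headers only; the destination page body is never downloaded
        response = requests.head(url, allow_redirects=True, timeout=10)
        return response.url
    except requests.RequestException as e:
        # Covers timeouts, TLS errors and redirect loops (TooManyRedirects)
        return f"Error: {e}"

print(unshorten_url('https://bit.ly/3xYzAbC'))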
JavaScript (Node.js): Follow Redirects
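const http = require('http');
const https = require('https');
// Follow Location headers hop by hop with HEAD requests (relative targets resolved), up to maxHops
function unshorten(url, maxHops = 10) {
  return new Promise((resolve, reject) => {
    if (maxHops < 0) return reject(new Error('Too many redirects'));
    const client = url.startsWith('https:') ? https : http;
    const request = client.request(url, { method: 'HEAD', timeout: 10000 }, (response) => {
      response.resume();
      const { statusCode, headers } = response;
      if (statusCode >= 300 && statusCode < 400 && headers.location) {
        resolve(unshorten(new URL(headers.location, url).href, maxHops - 1));
      } else {
        resolve(url);
      }
    });
    request.on('timeout', () => request.destroy(new Error('Request timed out')));
    request.on('error', reject);
    request.end();
  });
}
unshorten('https://bit.ly/3xYzAbC').then(console.log).catch(console.error);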
PHP: Get Final URL After Redirects
<?php
function unshortenUrl(string $url): string {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,  // follow the whole redirect chain
        CURLOPT_MAXREDIRS => 10,         // stop on redirect loops
        CURLOPT_NOBODY => true,          // HEAD request: headers only, no page body
        CURLOPT_TIMEOUT => 10,
        CURLOPT_SSL_VERIFYPEER => true,
    ]);
    curl_exec($ch);
    $finalUrl = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL);
    curl_close($ch);
    // Fall back to the input if cURL reported no effective URL
    return $finalUrl ?: $url;
}

echo unshortenUrl('https://bit.ly/3xYzAbC');
Best Practices for URL Shortener Safety
- Never click blindly — Always inspect a shortened URL before visiting it
- Use an unshorten tool — Server-side redirect checkers are safer than clicking in your browser
- Check the final domain — Verify the destination domain matches your expectation
- Look for HTTPS — The final URL should use HTTPS to prevent interception
- Be wary of mismatched display text — Phishing often hides behind misleading link text
- Don't trust unsolicited short links — Treat any shortened URL from an unknown sender as suspicious
- Use browser extensions — Some extensions automatically expand and preview short URLs
- Educate your team — In workplace settings, ensure everyone knows how to check short links safely
Online Tool
The Shortened URL Checker tool on Help2Code safely expands any shortened URL server-side. Paste a bit.ly, TinyURL, or any other short link to see the complete redirect chain and final destination URL — without exposing your browser to potential threats. The tool shows every redirect hop, the HTTP status code at each step, and the ultimate destination.
Conclusion
Shortened URLs serve a legitimate purpose — they make long links manageable in tweets, emails, and SMS — but they also obscure the destination, creating an opportunity for attackers. Always expand and inspect a shortened URL before clicking, especially in unsolicited messages. Use the Shortened URL Checker tool to safely resolve any short link, and apply the best practices outlined above to protect yourself and your organization.