Check if a website is safe before you trust it. We scan for malware and phishing, check the HTTPS certificate, the domain age, where it redirects, and more, then give you a clear verdict.
A website safety checker tells you whether a site is safe to trust before you click a link, buy from a shop, or type in your card details. Paste a URL and this tool runs six independent checks, then combines them into a 0-100 safety score with a plain-English verdict and the exact reasons behind it. It is built to be honest: it never promises a site is 100% safe, and it explains what each signal actually means. ToolsPivot rebuilt this tool from the ground up so a single suspicious link no longer has to be a guess.
The ToolsPivot Website Safety Checker scans any URL across six security signals and returns one graded result you can act on in seconds. It checks the site against Google's malware and phishing lists, inspects the HTTPS certificate, looks up how old the domain is, follows the redirect chain to the true final destination, reviews DNS records, and identifies the hosting provider and country. Each finding raises or lowers a 0-100 score, and the tool sorts everything into two plain lists: what looks good and what to watch out for.
Most people reach for it in one of two moments. The first is before clicking an unfamiliar link from an email, a text message, or a social post. The second is before handing over money or personal data to a shop or service they have never used. In both cases the same question comes up, and it usually gets answered with a shrug: is this website safe? This tool replaces the shrug with a report.
The core problem it solves is false reassurance. A lot of free checkers give a single-source yes or no, and a green light from one database can leave you feeling safe about a site that a brand new scam has not been flagged for yet. By reading six signals at once and showing the reasoning, the checker gives you enough context to make your own call instead of trusting a single thumbs-up.
One score, not a guess. Six separate checks roll up into a single 0-100 number and a verdict tier, so you get a clear read instead of piecing together clues yourself.
Plain-English reasons. Every result comes with "looks good" and "watch out" lists written in normal language, so you know exactly why a site scored the way it did.
The real destination revealed. The tool follows redirects to the true final URL, which matters most when a shortened or disguised link hides where you are actually going.
Honest by design. It never claims a site is guaranteed safe, and it actively corrects the myth that a padlock means a site is trustworthy.
Works before you commit. Run a check before you buy, log in, or share data, which is the moment the answer is actually worth something.
Free with no signup. There is no account, no daily cap, and no upsell to a paid plan to see your full result.
Available in 18 languages. The interface and verdicts are localized, so non-English speakers get the same clarity as everyone else.
Six-signal scan. The tool runs malware and phishing, HTTPS and SSL, domain age, redirects, DNS hygiene, and hosting checks on every URL you submit.
Threat detection via Google Web Risk. URLs are checked against Google's malware, social engineering, and unwanted software lists, with Safe Browsing supported as a fallback.
Certificate inspection. It reads the SSL certificate issuer, validity dates, self-signed status, and whether the certificate actually matches the domain, going well past a simple secure-or-not badge that our SSL Checker can also confirm in detail.
Domain age lookup. The tool queries RDAP registration data and flags very new domains, a common signal in fresh scam campaigns you can dig into further with the Domain Age Checker.
Redirect tracing. It follows the full redirect chain within tight limits and shows when a link hops to a different domain, which you can also confirm with the www Redirect Checker for your own pages.
DNS record review. MX, SPF, and DMARC records are checked as a rough measure of whether the domain is properly configured, and the DNS Lookup Tool gives you the raw records if you want them.
Hosting and location detail. The tool resolves the host's IP, country, and provider so you can see where a site actually lives, similar to the Hosting Checker and Domain into IP tools.
Verdict tiers. Results land in one of four bands, safe, caution, risky, or dangerous, and a confirmed threat match forces the dangerous tier regardless of the other scores.
Two-list breakdown. Findings are split into a "looks good" list and a "watch out" list so the reasoning is never hidden behind a single label.
Padlock myth-buster. Every report includes a short note explaining why HTTPS alone does not make a site trustworthy.
Next-step advice. A "what to do" box tells you how to act on the verdict instead of leaving you with a score and no plan.
Enter a URL or domain. Paste the address you want to check. The tool adds https:// if you leave it off and rejects local or private addresses.
It traces the redirects. The checker follows the link, hop by hop, to find the true final destination and flags any jump to a different domain.
It inspects HTTPS and the certificate. It fetches the SSL certificate and reads the issuer, dates, self-signed status, and whether the certificate matches the site.
It checks age, threats, and hosting. It looks up the domain's registration date, runs the URL against Google's threat lists, reviews DNS records, and resolves the hosting IP, country, and provider.
It scores and explains. Each finding adjusts the 0-100 score, and you get a verdict tier, plain-English good and bad lists, the honest never-100% caveat, and clear advice on what to do next.
Reach for the checker any time a link or a site is asking for your trust and you are not sure it has earned it. The pattern is simple: if the next thing you do is click, log in, pay, or share, it is worth ten seconds first.
Before opening an unknown link. Run any link from an email, DM, or text through the tool before you click, especially anything urgent or unexpected.
Before buying from a new shop. Check an unfamiliar online store before you enter card details, particularly when the deal looks too good to be true.
Before entering login details. Verify a site is the real one and not a look-alike before you type a username and password.
When a link is shortened. Expand a shortened or disguised link to see where it really goes before you follow it, which pairs well with the URL Shortener when you need to create clean links of your own.
After scanning a QR code. Check the destination a QR code points to before opening it, since the address is hidden until you scan; the QR Code Scanner reveals the raw link first.
When something just feels off. Odd spelling in a domain, a rushed sense of urgency, or a request for payment by unusual methods are all good reasons to run a check.
The main edge case to remember: a clean result is strongest for sites that have been around long enough to build a track record. A brand new scam site can pass every automated check for a short window before anyone reports it, so treat a good score as helpful evidence, not a promise.
Context: You get an email claiming your account is locked, with a link to "verify" it. Process:
Context: A shop you have never heard of is advertising steep discounts on social media. Process:
Context: You run a small business site and want to be sure it is not flagged or compromised. Process:
A padlock in the address bar only means the connection is encrypted, not that the site behind it is honest. HTTPS certificates are free and take minutes to get, so scammers use them just as readily as legitimate businesses. A phishing page can show a perfect padlock while it steals your password over a nicely encrypted connection.
That is why ToolsPivot treats HTTPS as one signal among six, not the whole answer. A valid certificate raises the score a little, but a fresh domain, an off-site redirect, or a threat-list match will pull it right back down. The lesson worth carrying to every site you visit: the padlock protects your data in transit, and nothing more.
Your safety score is a 0-100 rating that summarizes all six checks into one number, paired with a verdict tier. A higher score means fewer warning signs were found, not a guarantee of safety. Use the tier as your headline and the two lists as the detail.
Safe (high score): No threats matched and the core signals look healthy. Reasonable to proceed with normal caution. Caution (moderate score): Some signals are weak, such as a young domain or a thin DNS setup. Slow down and verify. Risky (low score): Multiple warning signs stacked up. Avoid entering anything sensitive. Dangerous (threat match): A confirmed malware, phishing, or unwanted-software hit. Do not proceed, whatever the other numbers say.
Read the "watch out" list before you decide. One soft flag on an otherwise healthy site is different from three flags pointing the same way, and the plain-English reasons are there so you can tell the difference.
No safety checker can promise a site is safe, and ToolsPivot built this one to be deliberate about saying so. A clean result means nothing dangerous was detected at the time of the scan, not that nothing dangerous exists. Knowing the boundaries makes the tool more useful, not less.
A clean result is not a guarantee. Brand new scam and phishing sites can pass every automated check during the short window before they are reported and listed.
It reads surface signals, not intent. The tool evaluates technical trust signals; a site can be technically spotless and still run a dishonest business, so a good score is not a verdict on a company's conduct.
It checks a URL, not every page or server file. This is a visitor-side scan of the address you enter, not a deep site-owner malware audit of every file on the server.
The threat check needs a configured key. Threat detection relies on Google Web Risk, or Safe Browsing as a fallback. If no key is configured on the server, the threat line shows "unavailable" and the other five signals still score.
Some registries limit domain data. Domain age comes from RDAP, and a few top-level domains return limited or no registration data, which weakens that one signal.
Results cache briefly. Each URL is cached for about six hours, so a very recent change to a site may not appear in your result right away.
If a check leaves you unsure and you have already entered a password somewhere, change it and turn on the strongest option you can; the Password Strength Checker helps you confirm the new one holds up.
It runs six independent checks and combines them into a 0-100 score. Those checks cover malware and phishing lists, HTTPS and the SSL certificate, domain age, redirects, DNS records, and hosting. A confirmed threat match always forces the "dangerous" verdict.
Yes, it is completely free with no signup and no daily limit. You see the full score, the verdict, and every reason without hitting a paywall or an upgrade prompt.
No, a padlock only means the connection is encrypted, not that the site is honest. Certificates are free and quick to get, so scammers use HTTPS too. The checker treats it as one signal among six rather than proof of safety.
Yes, a clean result is not a guarantee of safety. Brand new scam sites can pass automated checks before anyone reports them, and a technically clean site can still run a dishonest business. Treat a good score as helpful evidence, not a promise.
The score is a 0-100 rating that summarizes all six checks, with a verdict tier of safe, caution, risky, or dangerous. A higher score means fewer warning signs were found. Always read the "watch out" list before deciding.
Paste the shortened link into the checker and read the redirect trace. The tool follows the link to its true final destination and flags any hop to a different domain, so you see where it really goes before you click.
No, only the URL you enter is used for the scan, and nothing personal is stored. Results are cached briefly for about six hours to speed up repeat checks, then discarded.
The threat line shows "unavailable" when the Google Web Risk or Safe Browsing key is not configured on the server. The other five signals still run and score normally, so you still get a useful verdict.
A very new registration date, a redirect to a different domain, a self-signed or mismatched certificate, and a match on a threat list all lower the score. Several of these stacking together is a stronger warning than any single flag.
Yes, the checker runs in any browser and works on phones, tablets, and desktops. There is no app to install and no account to create.
Google Safe Browsing is one threat source that gives a single yes-or-no result. This tool includes that threat data as one of six signals, then adds HTTPS, domain age, redirects, DNS, and hosting, and explains the reasoning in plain language.
Do not enter any personal or payment details, and close the page. If you already shared login details, change that password right away, and if you entered card data, contact your bank. Report the site through your browser or email provider if you can.