LegitURL
Like a nutrition label for links — LegitURL reveals how secure and trustworthy a website really is, based on technical behavior, not reputation.
Built for iOS with privacy in mind. Zero tracking. One tap analysis.
Once upon a TLS
The Link, the Bodyguard, and the Shop
A 2‑minute story about what really happens when you tap a URL
The Bodyguard is the browser, the visitor is you, the Link is the Shop
1 · Badge check at the door
Is the shop even real?
Before anything else, the bodyguard checks the shop’s badge — the TLS certificate.
- A basic badge (DV) just says: “Yes, this shop exists.”
- A professional badge (OV) shows the company’s real name.
- An elite badge (EV) shows a government-verified identity.
If the badge is missing, expired, or fake:
“Sorry, no verified badge — you're not getting in.”
2 · Reading the rule sheet
Before entering, what does the shop allow?
The bodyguard opens the door just a crack and reads the posted rules — the HTTP response headers:
- Content-Security-Policy → “No fireworks, no shady deliveries.”
- HSTS, Referrer-Policy → “Don’t shout secrets outside.”
- Permissions-Policy → “No surprise camera flashes.”
If the rules are missing, too vague, or poorly written:
The bodyguard frowns. “This shop feels chaotic already.”
3 · Sticker time
The shop wants to tag you before you browse.
Shops use cookies to place stickers on your coat. Some are harmless, others are aggressive trackers.
| Sticker type | Cookie meaning |
|---|---|
| Can’t be edited | HttpOnly |
| Only valid here | SameSite=Lax or Strict |
| Works in all shops | SameSite=None (tracker!) |
| Permanent ink | Very long expiry date |
Polite shops keep stickers small. Pushy ones slap on barcode trackers the size of your chest.
4 · Size, language, and layout
How big is the shop? Can we understand it?
Once allowed in, the bodyguard checks:
- What language is spoken? (lang= tag)
- Is the floor plan valid HTML?
- Are key elements present (title, doctype, charset)?
If stairs are missing or there’s a hole in the floor:
The bodyguard may try to patch it… but it’s not happy.
5 · Staff and deliveries
Who’s allowed to talk to you inside?
The bodyguard reads the shop’s script policy (Content-Security-Policy: script-src):
- Are only known staff allowed (trusted domains)?
- Are bad actors barred from entering?
- Are ID badges (nonces or hashes) required?
- Can anyone scribble notes on the walls? (inline scripts). Are those scribbles approved, or just chaos?
“Unauthorized script from shadycdn.ru? Front kick.”
If the shop uses nonce or sha256, only scripts with matching badges are allowed to speak. With strict-dynamic, even friends of the badge-holders must prove themselves.
6 · The Magicians
Some shops hire wizards.
They're called scripts. These are magicians that live in the shop and can perform powerful actions:
- They can paint the walls, restock the shelves, teleport doors into place…
- They can also whisper into your ear, steal your wallet, or enchant you to do things without knowing.
Inline scripts are like small local magicians — they only know one spell, written into the wall.
External scripts bring in outside magicians — they carry books of spells from faraway places (like CDNs or ad networks).
The Content-Security-Policy is the guild that manages their power:
- If a script doesn't have an ID badge (nonce or sha256) — the guard yells:
“YOU HAVE NO POWER HERE!” - With strict-dynamic, even invited magicians must prove they're trustworthy — just showing up isn't enough.
Without a good CSP, any magician can sneak in and do whatever they want.
7 · Inside the shop
Now you’re browsing. What’s going on behind the scenes?
The bodyguard watches your surroundings:
- Are there trapdoors in the floor? (e.g., eval, hidden redirects)
- Is someone reading or editing your stickers ? (scripts accessing document.cookie)
- Is someone trying to make you do something without you agreeing ? (auto-submitting forms)
Good shops are simple: you walk in, look around, and leave. Bad ones try to slip something in your pocket — or take something out.