LinkSentinel
Field guide — 5 entries. Reading time ≈ 9 min.

What the scanner is looking for

Five concepts explain most of any scan report. Each entry covers the mechanism, the failure mode, and the fix.

Entry 01

HSTS

HTTP Strict Transport Security

Typical severity: Medium

When you type a bare domain into a browser, the first request defaults to plain HTTP. An attacker on the same network can intercept that single unencrypted request and keep you on a fake HTTP version of the site — the classic SSL-stripping attack.

HSTS is one response header that closes this window. Once a browser has seen it (browsers only honor it when it arrives over HTTPS), it refuses to load the site over HTTP for the duration of max-age — the upgrade happens inside the browser before any packet leaves your machine. The very first visit to a domain is still unprotected, which is what the preload list shipped inside the browser is for.

The value worth shipping:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

LinkSentinel flags max-age under one year, missing includeSubDomains, and absence from the preload list.

Entry 02

CSP

Content Security Policy

Typical severity: High

Cross-site scripting works because browsers happily execute any script a page includes — whether the developer put it there or an attacker injected it through a comment field. CSP is an allowlist: the server declares which origins may run script, load styles, or embed frames, and the browser refuses everything else.

A missing CSP turns any small injection bug into total page compromise. Even a permissive policy removes the most common attack paths, which is why this single header carries the heaviest weight in the LinkSentinel score.

A reasonable starting policy:
Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'

Start in Content-Security-Policy-Report-Only mode and tighten from observed violations.

Entry 03

Redirect chains

The path between click and destination

Typical severity: Medium

A link rarely lands where it points. Shorteners, tracking wrappers, and protocol upgrades mean a single click can hop through four or five servers before the page renders. Each hop is a place where the destination can be swapped, a token can be read, or plain HTTP can expose the URL to the network.

LinkSentinel walks the full chain and shows every hop with its status code and protocol. The pattern to fear is not length — it is an HTTPS chain that dips back to HTTP, or a final destination on a domain unrelated to the one you clicked.

Open redirects — where a site forwards to any URL passed in a parameter — are a phishing staple, because the visible domain looks trustworthy.

Entry 04

Tracking

Cookies, pixels, and session recorders

Typical severity: Medium

Third-party cookies, advertising pixels, and session-replay scripts let outside companies observe your behavior on a site you chose to visit. The mechanics are mundane — a cookie scoped to an ad network, a 1×1 image request, a script that streams your mouse movements — but the aggregate is a cross-site profile you never agreed to.

The scanner separates first-party cookies (often functional) from third-party ones (almost always tracking), and checks whether any of it fires before a consent dialog could possibly be answered.

Secure, HttpOnly, and SameSite flags are graded on every cookie — they decide whether the cookie can leak over HTTP, be read by scripts, or ride along on cross-site requests.
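The checks described in Entry 01 (max-age under a year, missing includeSubDomains, not preloaded) and in the cookie-flag paragraph above, written out as an added example; this is illustrative code, not LinkSentinel's own scanner. The `preloaded` argument stands in for a lookup against the browser preload list, which the example assumes the caller performs.

```python
"""Grade an HSTS header and Set-Cookie flags the way the field guide describes."""

ONE_YEAR = 31536000  # seconds; the guide's "max-age under one year" threshold


def parse_directives(header):
    """Split a ';'-separated header into {lowercase name: value or None}."""
    out = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        out[name.strip().lower()] = value.strip().strip('"') if value else None
    return out


def grade_hsts(header, preloaded=False):
    """Return a list of findings; an empty list means the header passes."""
    if header is None:
        return ["missing Strict-Transport-Security header"]
    d = parse_directives(header)
    try:
        max_age = int(d.get("max-age") or "")
    except ValueError:
        return ["max-age directive missing or not an integer"]
    findings = []
    if max_age < ONE_YEAR:
        findings.append(f"max-age {max_age} is under one year")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    # Preload needs both the directive and a real entry on the browser list
    # (assumption: the caller looked the domain up and passes the result).
    if "preload" not in d or not preloaded:
        findings.append("not on the preload list")
    return findings


def grade_cookie(set_cookie):
    """Return (cookie name, list of missing protections) for one Set-Cookie value."""
    name = set_cookie.split("=", 1)[0].strip()
    # The first token is name=value; everything after the first ';' is attributes.
    attrs = parse_directives(set_cookie.split(";", 1)[1] if ";" in set_cookie else "")
    missing = []
    if "secure" not in attrs:        # can leak over plain HTTP
        missing.append("Secure")
    if "httponly" not in attrs:      # readable by page scripts
        missing.append("HttpOnly")
    if (attrs.get("samesite") or "").lower() not in ("lax", "strict"):
        missing.append("SameSite=Lax/Strict")  # rides along on cross-site requests
    return name, missing
```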

Entry 05

Phishing signals

Deception, not vulnerability

Typical severity: Critical

Everything above measures how well a site defends its visitors. Phishing is different: the site itself is the attack. The signals are look-alike domains (rnicrosoft.com), fresh registrations dressed as established brands, login forms on domains that have no business asking, and URLs engineered to bury the real hostname.

No single signal is proof. A scanner reports the evidence — domain age, chain destination, form targets — and the verdict stays with the human reading it. That is why every LinkSentinel finding shows its raw evidence instead of a bare verdict.

When in doubt: never enter credentials on a page you reached from a link. Navigate to the site directly.
