RawHTTP.com was created to help in the investigation of suspicious links. There are a few key areas:

Top Section

The top section information should be mostly self-evident, but it will include the interpretation of the input URL, a sanitized version for safe copy-pasting, as well as the IP address as resolved at the time of the request.

The Domain Suspicion value is computed by my own experimentation with machine learning. It looks at select features of only the domain information (e.g. www.example.com) to help to decide whether or not it's suspicious. This value shouldn't be considered a risk score or any real analysis.

HTTP Headers

The HTTP Headers section does two things. One, it shows the order of requests that took place to reach the destination. For instance, if there are redirects, it'll display the 302 or 301 status code, and below it will be the next request until it reaches the destination. Secondly, it shows the HTTP response headers for requests it makes, which can give insight into the server configuration for the URL.


In the event of investigating suspicious links in an email, for example, and it is suspected to be phishing, it's convenient to be able to see what the phishing page looks like. The screenshot as displayed should faithfully look the same as it would in a webbrowser, but it may not be exact. Clicking the screenshot will open a fullsized version in a new tab.


This section will display different information depending on the URL it's returning. Possible information may include:


Something worth considering is that if the URL entered performs some action for example, unsubscribing from a mailing list, or anything else, those actions will still be taken. Be careful not to submit URLs that contain personal information such as referral links if you're concerned about the owner of the site having that information


In an effort to be helpful, domains that contain [.] will be replaced with a single dot and [:] in the scheme/protocol will be replaced with a single colon. This takes away a little bit of the annoyance of pasting sanitized URLs, but could, in theory, give an inconsistent result if that was unexpected.