URL Safety API — How to Detect Phishing and Malicious Links Before Your Users Click
Apr 13, 2026 8 min 19

Mobily Team

Content Strategist & Link Expert

Most developers do not add link-safety checks until after an incident. A user pastes a phishing URL into a form submission. A transactional email relays a malware link. A webhook delivers a redirect attack. By then, the damage is done — compromised accounts, breached inboxes, support tickets, and the kind of press coverage no team wants.

Adding URL safety scanning is a single API call. This guide covers why it matters, how to integrate it, and what to look for in a scanning provider.

The Scope of the Problem

Phishing and malware links are not rare edge cases. Google's Safe Browsing service registers millions of unsafe URLs per week. The Anti-Phishing Working Group tracked over 4.7 million unique phishing sites in 2023. The vast majority arrive via normal-looking links — HTTP or HTTPS, short domains, redirect chains — indistinguishable to the naked eye.

For a platform that accepts user-submitted content, the threat surface is large:

  • SaaS tools with bio pages or profiles — users paste external URLs into profile fields that other users see and click
  • Email platforms — every outbound link in a transactional or marketing email is a liability if it points somewhere malicious
  • Browser extensions — on-click checks have a direct line to user browsing sessions
  • Webhook processors — URLs arriving from third-party services are not inherently trusted
  • Marketplaces and directories — business listings, affiliate links, partner URLs all need vetting

Each of these surfaces benefits from a pre-flight URL safety check: scan the link before it is stored, before it is sent, before the user clicks.

What a URL Safety API Actually Checks

A production-grade URL safety API does more than match a domain against a blocklist. The checks that matter:

Google Safe Browsing

Google maintains a database of over five billion known unsafe URLs — phishing pages, malware distributors, unwanted software installers, and social engineering sites. The Safe Browsing API updates in near-real time, making it the highest-coverage signal available for link safety.

Any URL scanning service worth using should check against Google Safe Browsing as a baseline.

Threat Heuristics

Blocklist matching only catches known-bad URLs. Heuristics catch newly registered suspicious domains, suspicious TLDs commonly used in phishing campaigns (.zip, .xyz, .tk), and URL patterns that correlate with malicious redirects — before they appear on any blocklist.

Private IP and Reserved Range Rejection

A URL pointing to 127.0.0.1, RFC 1918 addresses, or IPv6 loopback is almost certainly a server-side request forgery (SSRF) attempt. A safe URL API should reject these outright with a 400, not return a verdict on them.
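A local pre-filter for the threat-heuristic and private-range checks described above, written as an added example (not Mobily's code). It returns the page's `private_ip` and `suspicious_tld` labels; the function names and the `invalid_url` label are assumptions. It inspects only the URL string, so hostnames that resolve to internal addresses still depend on the server-side check.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# TLDs the article lists as common in phishing campaigns.
SUSPICIOUS_TLDS = {"zip", "xyz", "tk"}


def _literal_ip(host: str):
    """Parse a host that is an IP literal, including a bare integer or hex form."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(host, 0))
    except ValueError:
        return None


def local_precheck(url: str) -> Optional[str]:
    """Return a threat_type-style label when the URL can be rejected without
    a scan, or None when it should go on to the remote check."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "invalid_url"  # hypothetical label, not an API value
    if parts.scheme not in ("http", "https") or not host:
        return "invalid_url"
    if host == "localhost" or host.endswith(".localhost"):
        return "private_ip"
    ip = _literal_ip(host)
    if ip is not None:
        # Unwrap IPv4-mapped IPv6 such as ::ffff:10.0.0.1 before classifying.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        # is_global is False for loopback, RFC 1918, link-local and other
        # reserved ranges.
        return None if ip.is_global else "private_ip"
    if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        return "suspicious_tld"
    return None


# Constructed sample inputs.
SAMPLES = ("http://127.0.0.1/admin", "http://[::1]/",
           "https://invoice-update.zip/login", "https://example.com/ok")
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", local_precheck(sample))
```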

Redirect Chain Analysis

Some phishing attacks hide behind clean intermediate domains that redirect to malicious destinations. Checking only the top-level URL misses these.

Integrating the Mobily URL Safety API

Mobily's URL Safety API covers all of the above. One POST request, one JSON response. Get your free API key at mobily.ca/url-safety-api — 100 scans per month, no credit card required.

Scan a Single URL

curl -X POST https://mobily.ca/api/v2/url-safety/scan \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://example.com/user-submitted-link"}'

Response:

{
  "success": true,
  "data": {
    "url": "https://example.com/user-submitted-link",
    "is_safe": true,
    "threat_type": null,
    "confidence": 0.99,
    "scan_time_ms": 87,
    "cached": false,
    "scans_remaining": 9847,
    "plan": "starter"
  }
}

When is_safe is false, the response's threat_type field identifies the category: phishing, malware, unwanted_software, suspicious_tld, or private_ip.

PHP Integration

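function isSafeUrl(string $url): bool {
    // POST the URL to the scan endpoint with a 3-second timeout.
    $response = file_get_contents('https://mobily.ca/api/v2/url-safety/scan', false,
        stream_context_create([
            'http' => [
                'method'  => 'POST',
                'header'  => "X-API-Key: YOUR_API_KEY\r\nContent-Type: application/json",
                'content' => json_encode(['url' => $url]),
                'timeout' => 3,
            ]
        ])
    );
    // file_get_contents() returns false on network errors, timeouts and
    // 4xx/5xx responses; an unanswered scan is treated as unsafe.
    if ($response === false) {
        return false;
    }
    $data = json_decode($response, true);
    // Only an explicit boolean true counts as safe.
    return ($data['data']['is_safe'] ?? false) === true;
}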

// Use it before storing any user-submitted URL
if (!isSafeUrl($request->input('profile_url'))) {
    return back()->withError('That URL failed our safety check.');
}

Node.js Integration

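async function isSafeUrl(url) {
  // fetch() rejects on network failure or when the 3-second timeout fires;
  // callers should treat a thrown error as "not verified", not as safe.
  const res = await fetch('https://mobily.ca/api/v2/url-safety/scan', {
    method: 'POST',
    headers: {
      'X-API-Key': process.env.MOBILY_API_KEY,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({ url }),
    signal: AbortSignal.timeout(3000),
  });
  // Error responses (such as the 400 for private IPs) carry no safe verdict.
  if (!res.ok) return false;
  const { data } = await res.json();
  // Only an explicit boolean true counts as safe.
  return data?.is_safe === true;
}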

Python Integration

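import os

import httpx

# Read the key from the environment rather than hard-coding it.
MOBILY_API_KEY = os.environ["MOBILY_API_KEY"]

def is_safe_url(url: str) -> bool:
    resp = httpx.post(
        "https://mobily.ca/api/v2/url-safety/scan",
        headers={"X-API-Key": MOBILY_API_KEY},
        json={"url": url},
        timeout=3.0,
    )
    # A missing or null "data" object (for example on an error response)
    # is treated as unsafe; only an explicit boolean true counts as safe.
    data = resp.json().get("data") or {}
    return data.get("is_safe") is True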

Batch Scanning

When you need to check a list of URLs at once — processing a sitemap, vetting a bulk import, scanning all links in an email before send — use the batch endpoint. Up to 1,000 URLs in a single call on the Enterprise tier:

curl -X POST https://mobily.ca/api/v2/url-safety/scan/batch \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"urls": ["https://link-one.com", "https://link-two.com", "https://link-three.com"]}'

The response contains a results array in the same order as the input, so you can zip results to your source list without any guesswork.
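One way to pair batch results with the source list while failing closed, as an added example (not Mobily's code). `post_batch` is a hypothetical transport hook that returns the response's results array, each result is assumed to carry the same `is_safe` and `threat_type` fields as a single scan, and `fake_post_batch` is a constructed stand-in so the block runs offline.

```python
from typing import Callable, List, Optional, Tuple

MAX_BATCH = 1000  # the article's stated per-call limit (Enterprise tier)

Row = Tuple[str, bool, str]  # (url, allowed, reason)


def scan_in_batches(urls: List[str],
                    post_batch: Callable[[List[str]], Optional[list]],
                    batch_size: int = MAX_BATCH) -> List[Row]:
    """Pair every input URL with a verdict, in input order, failing closed.

    post_batch is a hypothetical hook: it sends one chunk to the batch
    endpoint and returns the response's results array.
    """
    rows: List[Row] = []
    for start in range(0, len(urls), batch_size):
        chunk = urls[start:start + batch_size]
        try:
            results = post_batch(chunk)
        except Exception:
            results = None  # timeout, HTTP error or undecodable body
        # Positional pairing is only sound when the lengths match.
        if not isinstance(results, list) or len(results) != len(chunk):
            rows.extend((u, False, "scan_unavailable") for u in chunk)
            continue
        for url, res in zip(chunk, results):
            if isinstance(res, dict) and res.get("is_safe") is True:
                rows.append((url, True, "clean"))
            elif isinstance(res, dict):
                rows.append((url, False, res.get("threat_type") or "unknown"))
            else:
                rows.append((url, False, "malformed_result"))
    return rows


def fake_post_batch(chunk: List[str]) -> list:
    """Constructed stand-in for the HTTP call; flags one made-up pattern."""
    return [{"url": u, "is_safe": "login-verify" not in u,
             "threat_type": "phishing" if "login-verify" in u else None}
            for u in chunk]
```

A short or missing results array blocks the whole chunk instead of shifting verdicts onto the wrong URLs.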

Redis Caching: Why Repeat Checks Are Fast

Mobily's scanning layer caches verdicts in Redis for one hour. If the same URL is scanned twice within the cache window, the second response returns in under 5 ms — no external lookup required. The "cached": true field in the response tells you when a cached result was served.

For high-throughput use cases — scanning every link in a high-volume email platform, for example — caching dramatically reduces both latency and your scan quota usage.

PIPEDA Compliance and Why It Matters for Canadian Products

When your app scans a user-submitted URL, the URL itself is data — and depending on context, it can be personal information. The destination URL in a patient portal, a legal intake form, or a client onboarding workflow carries sensitivity that most URL scanners do not account for.

Mobily is hosted in Montreal, Canada. All scan logs, API key data, and usage records stay on Canadian infrastructure under PIPEDA. The API includes:

  • 90-day scan log retention — visible in your dashboard, exportable on demand
  • Right to deletion — purge your scan history via the export endpoint on any tier
  • Data portability — export all logs and keys as JSON at any time
  • No third-party data sales — your URLs and results are never shared with ad networks or analytics platforms

For SaaS products serving Canadian businesses, healthcare providers, legal professionals, or financial institutions, choosing a PIPEDA-compliant scanning vendor is not optional — it is part of your own compliance story.

Pricing: From Free to 1 Million Scans per Month

Plan        Scans/month   Price
Free        100           $0
Starter     10,000        $39 CAD/mo
Pro         100,000       $129 CAD/mo
Enterprise  1,000,000     $399 CAD/mo

All prices in CAD. No per-endpoint billing, no overage surprises. Every tier includes the full API feature set, 90-day logs, and data export.

A Starter plan at $39 CAD/month covers 10,000 scans — meaningful volume for most small SaaS platforms at a cost well below the liability of letting a single phishing link through.

Three Platforms That Should Add URL Safety Checks Today

SaaS Platforms with User Profiles

Any platform where users can set a website URL, social link, or portfolio link in their profile is a distribution vector for malicious links. Other users see those links and click them — often without any warning that they are leaving the platform.

A URL safety check at profile-save costs one API call. It prevents your platform from becoming an unwitting phishing vector and protects the users who trust you with their sessions.

Email Marketing and Transactional Email Platforms

Every link in every outbound email is an implicit endorsement. If a transactional email from your platform contains a malicious URL — whether inserted via a compromised template, a rogue integration, or a bad actor with API access — your domain reputation takes the hit.

Pre-flight link scanning before send catches malicious URLs before they reach inboxes, and the scan log gives your compliance team a record of what was checked and when.

Browser Extensions

Extensions that handle links — redirectors, privacy tools, bookmark managers, tab organizers — have privileged access to user browsing. Adding URL safety verdicts for flagged links turns a utility into a protective layer. Enterprise tier latency under 100 ms at p95 makes on-click checks viable without disrupting user flow.

Getting Started in Three Steps

  1. Get a free API key at mobily.ca/url-safety-api — 100 scans per month, no credit card required
  2. Test with the code samples above — the API responds in under 200 ms on average, and the OpenAPI 3.0 spec at mobily.ca/url-safety-openapi.yaml drops straight into Postman or any codegen tool
  3. Upgrade to Starter at $39 CAD/month when you are ready for production volume

The free tier covers evaluation and low-volume side projects. The Starter tier handles most small SaaS platforms at production load. Pro and Enterprise scale to high-throughput email and marketplace workloads.


Phishing and malware links are a solved problem at the API level. One POST call, one boolean, one decision — before the URL ever reaches your database, your users, or your outbox. For Canadian platforms with compliance requirements, PIPEDA-compliant hosting makes the choice straightforward.

Get your free API key at mobily.ca/url-safety-api →
