Submit a URL and find out whether it appears in the URLhaus threat intelligence feed. The response includes whether the URL is flagged as malicious, the type of threat (phishing, malware distribution, command-and-control), the data source, and additional details when available. Use it to screen user-submitted links, protect downstream systems from drive-by downloads, or enrich your security event pipeline.
Screen user-submitted links before displaying them
When users post links in chat, comments, or forum threads, check each URL before rendering it as a clickable hyperlink. Flag or block URLs that appear in threat databases to protect your community from phishing and malware.
Enrich security alerts in your SIEM pipeline
Feed URLs extracted from firewall logs, email headers, or DNS queries into this endpoint. Attach the threat classification to each event so your SOC team can prioritize investigations based on confirmed malicious indicators.
Protect webhook and integration endpoints from malicious payloads
Before following redirect URLs or downloading resources referenced in incoming webhooks, check them against the threat database. This prevents your infrastructure from connecting to known command-and-control servers or malware distribution sites.
Frequently asked questions
What threat database does this endpoint use?
The endpoint queries URLhaus, a project by abuse.ch that tracks URLs distributing malware, phishing pages, and command-and-control infrastructure. The database is updated continuously with community and automated submissions.
Does a clean result guarantee the URL is safe?
No. A clean result means the URL does not appear in the URLhaus database at the time of the check. Zero-day phishing sites or newly registered malicious domains may not yet be listed. Combine this check with other signals like domain age and SSL certificate status.
What threat types can the endpoint return?
Common threat types include "malware_download" for URLs serving malicious files, "phishing" for credential-harvesting pages, and "c2" for command-and-control endpoints. The threat_type field is null when the URL is not found in the database.
Is the URL I submit stored or logged?
No. The URL is checked against the threat database in memory and discarded after the response is sent. Nothing is written to disk or any persistent store.
Can I check multiple URLs in a single request?
Not in a single request. Each URL requires a separate API call. For bulk screening, send requests in parallel with appropriate rate limiting.
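One way to do the bulk screening described above while staying inside the free-tier limit of 5 requests per minute stated on this page. This is an added example, not the service's own client code: `SlidingWindowLimiter`, `screen_urls` and the `lookup` callable are hypothetical names, and the response is assumed to be a dict carrying the `threat_type` field described above.

```python
import collections
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class SlidingWindowLimiter:
    """Allow at most `limit` calls in any `window` seconds."""

    def __init__(self, limit=5, window=60.0, clock=time.monotonic, sleep=time.sleep):
        self.limit, self.window = limit, window
        self.clock, self.sleep = clock, sleep
        self.stamps = collections.deque()  # start times of recent calls
        self.lock = threading.Lock()

    def acquire(self):
        # The lock is held while sleeping: later callers would have to wait anyway.
        with self.lock:
            now = self.clock()
            while self.stamps and now - self.stamps[0] >= self.window:
                self.stamps.popleft()
            if len(self.stamps) >= self.limit:
                self.sleep(self.window - (now - self.stamps[0]))
                now = self.clock()
                self.stamps.popleft()
            self.stamps.append(now)


def screen_urls(urls, lookup, limiter, workers=4):
    """Return {url: "block" | "not_listed" | "error"}.

    `lookup(url)` is a hypothetical wrapper around the API call; it is assumed
    to return a dict whose "threat_type" is None when the URL is not listed.
    """
    unique = list(dict.fromkeys(urls))  # de-duplicate to save quota

    def check(url):
        limiter.acquire()
        try:
            threat = lookup(url).get("threat_type")
        except Exception:
            return url, "error"  # a failed lookup is not a clean result
        # "not_listed" rather than "safe": absence from the feed proves nothing
        return url, ("block" if threat else "not_listed")

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(check, unique))
```

Callers should route "error" results to a retry or a hold queue instead of rendering the link, and treat "not_listed" as one signal among several.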
Get your API key
Free tier includes 5 requests per minute with no credit card required. Upgrade for higher limits.