Free URL Expander
Reveal the destination behind any shortened URL. Check Bitly, TinyURL, t.co, ow.ly, and any short link safely before clicking. Free, server-side, no signup, no rate limits for normal use.
Quick Answer
A URL expander follows redirects from a shortened URL (bit.ly, tinyurl.com, t.co, etc.) to the final destination URL, so you can see where the link actually goes before clicking. The U2L expander shows the full chain, total response time, HTTPS status, and the final domain. Free, browser-safe, server-side checking.
Quick Facts
- Major shorteners (Bitly, TinyURL, t.co, dub.sh) use 302 redirects so they can change the destination later. URL expansion follows the chain and reveals the current target.
- Phishing campaigns hide malicious URLs behind shorteners. Expanding the URL is a 5-second safety check that prevents most click-through attacks.
- Some short links chain 3-5 hops through tracking subdomains before reaching the final destination. The expander shows every hop.
- wa.me, t.co, and youtu.be are 'short' but typically only have one redirect, so expansion is fast (under 200ms).
- HTTPS-to-HTTP downgrades during expansion are flagged. If a chain ends on HTTP, your data submitted on the destination is unencrypted.
- The expander uses a server-side fetcher with a normal Chrome User-Agent. The destination behaves identically to a real browser visit.
- Up to 20 hops are followed; longer chains are flagged as suspicious or looping.
How to expand a shortened URL
Three steps. Paste, expand, inspect.
1. Paste the short URL. Any shortened URL: bit.ly, tinyurl.com, t.co, ow.ly, buff.ly, dub.sh, lnkd.in, j.mp, is.gd, t.ly, or any custom branded short. The expander handles them all the same way.
2. Click Expand. U2L's server fetches the URL and follows redirects up to 20 hops. Each request is made from a Cloudflare edge node with a normal Chrome User-Agent so the destination behaves like a regular browser visit.
3. Read the destination. Final URL is highlighted with the domain and HTTPS status. Intermediate hops are shown in a collapsible chain. Look for unexpected domains, HTTPS downgrades, or suspicious redirect counts before tapping the original link.
What is a URL Expander?
URL Expander is a tool that follows the redirect chain from a shortened URL to its final destination, so you can see exactly where the link goes before clicking. Paste any short URL (bit.ly, tinyurl.com, t.co, etc.), and the expander reveals the destination domain, the full path, and any intermediate hops. Free, server-side, no signup required.
Shortened URLs hide their destinations by design. Bitly's bit.ly/abc gives no indication whether it points to the New York Times, an affiliate marketing page, a phishing kit, or a malware download. For users receiving short links via email, SMS, social, or messaging apps, this opacity is a security risk: bad actors use shorteners specifically to bypass URL-based filters.
A URL expander solves this by doing the redirect-following work server-side and showing you the destination. You learn whether bit.ly/x9k2m goes to a real site or a phishing domain in 200ms, with no risk to your device. The expander also reveals interesting patterns in legitimate use cases: how Bitly chains tracking subdomains, how Twitter's t.co adds analytics hops, and how affiliate networks insert redirect intermediaries.
Beyond security, URL expansion is useful for marketers debugging short-link issues (a customer reported the link doesn't work, but you can see it expands to a 404), for SEO auditors verifying canonical destinations, and for content moderators reviewing flagged links at scale. The expander is a foundational tool in any toolkit that touches URL hygiene.
How does a URL Expander work?
The expander runs as a server-side function on Cloudflare's edge network. When you submit a URL, it fires an HTTP request from the closest edge region with a recent Chrome desktop User-Agent. The server captures the response: status code, Location header (which contains the next URL to follow), elapsed time. If the response is a 3xx redirect, the server fetches the next URL in the chain. This loop continues until either a non-redirect response is received or the 20-hop limit is hit.
Each hop is timed independently. Total expansion time is the sum of all hops; for a typical 1-hop short link, expansion takes 100-300ms (mostly DNS + TLS handshake on the destination). For 4-hop chains common in affiliate links, total time can hit 1-2 seconds. The expander reports per-hop timing so you can identify slow links.
SSRF protection is built in. Requests to loopback (127.0.0.1, ::1), private IPv4 ranges (10.x, 192.168.x, 172.16-31.x), unique-local IPv6 (fc00::/7), link-local addresses (169.254.x, fe80::/10), and cloud metadata endpoints (AWS 169.254.169.254, GCP/Azure equivalents) are blocked before the request fires. This prevents the public expander from being weaponized to scan internal corporate networks.
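The hop-by-hop loop and the pre-request address check described above, as an added Python example (not U2L's code). The injected `fetch` and `resolve` callables, the verdict strings, and the `.example` hosts with their responses are assumptions constructed so the example runs offline.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

# Ranges the page lists as blocked; 169.254.0.0/16 covers 169.254.169.254.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]

def is_blocked(ip_text):
    ip = ipaddress.ip_address(ip_text)
    ip = getattr(ip, "ipv4_mapped", None) or ip  # ::ffff:10.0.0.1 is really 10.0.0.1
    return any(ip in net for net in BLOCKED)

def host_ips(host, resolve):
    try:  # IP literal in the URL: no DNS lookup needed
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return resolve(host)

def expand(url, fetch, resolve, max_hops=20):
    """Return (chain, verdict). fetch(url) -> (status, location); resolve(host) -> IPs."""
    chain, first_scheme = [], urlsplit(url).scheme
    while True:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return chain, "blocked: unsupported URL"
        # Validate every hop before the request fires: a public short link
        # can redirect to an internal address. Fail closed on no DNS answer.
        ips = host_ips(parts.hostname, resolve)
        if not ips or any(is_blocked(ip) for ip in ips):
            return chain, "blocked: internal or unresolvable host"
        if url in chain:
            return chain, "suspicious: redirect loop"
        chain.append(url)
        status, location = fetch(url)
        if not (300 <= status < 400 and location):
            downgrade = first_scheme == "https" and parts.scheme == "http"
            return chain, "downgrade: ends on HTTP" if downgrade else "ok"
        if len(chain) > max_hops:
            return chain, "suspicious: hop limit reached"
        url = urljoin(url, location)  # Location may be relative

# Constructed sample data: an in-memory "internet" (hypothetical hosts).
DNS = {"sho.rt.example": ["203.0.113.10"], "track.example": ["203.0.113.20"],
       "shop.example": ["198.51.100.7"], "evil.example": ["203.0.113.66"]}
RESPONSES = {
    "https://sho.rt.example/a": (302, "https://track.example/c?id=1"),
    "https://track.example/c?id=1": (301, "http://shop.example/sale"),
    "http://shop.example/sale": (200, None),
    "https://evil.example/x": (302, "http://169.254.169.254/latest/meta-data/"),
}
def fetch(u): return RESPONSES.get(u, (404, None))
def resolve(h): return DNS.get(h, [])
print(expand("https://sho.rt.example/a", fetch, resolve))
```

A live fetcher also has to connect to the same IP address it validated; if the hostname is resolved a second time for the actual request, the answer can differ from the one that passed the check.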
Some destinations strip the Location header for security or anti-bot reasons but include the redirect URL in an HTML body fallback (e.g. a meta-refresh tag or a JavaScript-redirect notice). The expander parses HTML bodies up to 16KB looking for typical redirect patterns: meta-refresh, anchor href, JS location.href. If found, it continues the chain. Beyond 16KB or non-standard patterns, the chain is reported as ending at the current hop.
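One way to implement the HTML body fallback described above, as an added Python example (not U2L's parser). The precedence order (meta-refresh, then `location.href`, then an anchor only when the page contains exactly one), the http/https-only filter, and the sample markup are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

MAX_BODY = 16 * 1024  # the 16KB read limit stated on the page
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\"]+)", re.I)
JS_HREF = re.compile(r"""\blocation(?:\.href)?\s*=\s*["']([^"']+)["']""")

class RedirectHints(HTMLParser):
    """Collects the meta-refresh target, script text and anchor hrefs."""
    def __init__(self):
        super().__init__()
        self.meta, self.script, self.anchors, self._in_script = None, "", [], False

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}  # attribute values arrive unescaped
        if tag == "script":
            self._in_script = True
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL.search(a.get("content", ""))
            if m and self.meta is None:
                self.meta = m.group(1)
        elif tag == "a" and a.get("href"):
            self.anchors.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script += data

def body_redirect(base_url, body: bytes):
    """Return the next URL hinted at by an HTML body, or None (chain ends here)."""
    hints = RedirectHints()
    hints.feed(body[:MAX_BODY].decode("utf-8", "replace"))  # never parse past 16KB
    hints.close()
    js = JS_HREF.search(hints.script)
    # Assumption: an anchor counts as a redirect notice only if it is the sole link.
    sole_anchor = hints.anchors[0] if len(hints.anchors) == 1 else None
    for candidate in (hints.meta, js and js.group(1), sole_anchor):
        if candidate:
            target = urljoin(base_url, candidate.strip())
            # Drop javascript:, data: and similar schemes instead of following them.
            if urlsplit(target).scheme in ("http", "https"):
                return target
    return None

# Constructed sample body: quoted, relative, entity-encoded meta-refresh target.
SAMPLE = (b'<html><head><meta http-equiv="Refresh" '
          b'content="0; URL=\'/landing?x=1&amp;y=2\'"></head>'
          b'<body><a href="/a">a</a><a href="/b">b</a></body></html>')
print(body_redirect("https://hop.example/r", SAMPLE))
```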
Use Cases
How marketers, businesses, and developers use the URL expander.
Verifying suspicious shortened URLs
Got a bit.ly link from an unknown sender via email or SMS? Paste it into the expander before clicking. You see the destination in 200ms. Phishing? Affiliate spam? Real news site? You decide whether to click based on real data, not a leap of faith.
Debugging broken short links
A customer reports your branded short link returns a 404. The expander shows you exactly which hop in the chain is failing - often a stale destination or a deleted intermediate redirect. The fix is then isolated to that specific hop.
Auditing campaign destinations
Run every link in a marketing campaign through the expander to verify each lands on the intended page. Catches typos, deleted destinations, and mid-flight URL changes before they hit ad spend.
Compliance review of marketing assets
Compliance teams reviewing print ads or email campaigns expand every short link to verify it lands on regulated content (e.g. financial disclosures, legal terms). Standard step in regulated-industry marketing review.
Affiliate path verification
Affiliate links chain through tracking subdomains. The expander shows the full chain including the merchant's final URL, useful when verifying disclosed affiliate paths or troubleshooting tracking dropouts.
Customer-support troubleshooting
When a user says 'the link in your email doesn't work', the expander reveals whether the issue is a broken redirect, a destination that's down, or an unexpected stale URL. Cuts diagnosis time from minutes to seconds.
URL hygiene for newsletter senders
Before sending a newsletter, expand every short link in the draft. Catches dead destinations, accidentally-included internal URLs, and stale tracking links. Prevents post-send 'oops' moments.
Pre-publish QA for content marketing
Blog posts and articles often link to shortened sources. Expanding before publish ensures every short link still resolves to the intended source - especially important for evergreen content that's shared and re-shared.
Phishing investigation by security teams
Security analysts investigating phishing campaigns use expanders alongside VirusTotal and URLScan. The expander shows the full domain chain; cross-referencing with threat-intel feeds confirms whether intermediate hops are known-bad.
Tracking link-in-bio destinations over time
Influencer link-in-bio services (Linktree, Beacons) sometimes change destinations behind the scenes. Periodic expansion of an influencer's bio link tracks destination drift, useful for due diligence on partnership reviews.
URL Expander vs Alternatives
Side-by-side feature and pricing comparison with the top alternatives.
| Feature | U2L | CheckShortURL | URLEx | Unshorten.It | WhereGoes |
|---|---|---|---|---|---|
| Free, no signup | |||||
| Up to 20 hops | 10 | 10 | 10 | ||
| HTTPS / HTTP detection | Limited | ||||
| SSRF-protected backend | Unclear | Unclear | Unclear | Unclear | |
| Cloudflare edge backend | |||||
| HTML body fallback for stripped headers | |||||
| Per-hop timing | |||||
| Domain reputation flag |
URL Expander vs CheckShortURL
CheckShortURL is one of the oldest URL expanders, popular in security circles. The interface is dated but the core function works. It also flags some known-bad domains via a third-party reputation service.
U2L's expander has a cleaner UI, sub-200ms expansion via Cloudflare edge, and more thorough chain reporting. CheckShortURL's domain-reputation flag is a feature U2L's expander doesn't ship; for combined safety + expansion, you might use both. For pure expansion speed and reliability, U2L wins.
URL Expander vs Unshorten.It
Unshorten.It bundles URL expansion with a domain-reputation lookup. Users with security as the primary use case appreciate the integrated risk score.
U2L's expander focuses on accurate, fast expansion without commenting on safety; we leave domain reputation to specialized services (VirusTotal, URLScan). For a 'is this URL safe?' check, Unshorten.It's combined approach is convenient. For 'where does this URL actually go?' alone, U2L is faster.
Best Practices
Always expand before clicking unknown short links
5 seconds of expansion saves you from phishing kits, malware drops, and dodgy affiliate redirects. Make it a habit for any short link from a non-trusted sender.
Check the final domain, not just the URL string
Phishing campaigns use lookalike domains: amaz0n-login.com, paypaI.com (capital I), microsoft-secure.com. Read the final domain carefully; the URL path is window dressing.
Watch for HTTPS-to-HTTP downgrades
If a chain starts on HTTPS and ends on HTTP, the destination is unencrypted. Don't submit credentials, payment info, or PII on the final page.
Be suspicious of long chains
Legitimate short links typically have 1-3 hops. A 5+ hop chain is either a tracking pixel cascade (less harmful) or a cloaking attempt (very harmful). Investigate before clicking.
Verify domain consistency in affiliate links
Affiliate URLs should redirect to the disclosed merchant. If the chain lands on a different merchant or an unexpected domain, the affiliate path may be hijacked or stale.
Use the expander in your campaign QA
Before launching ads or sending campaigns, run every link through the expander. Catches broken redirects and stale destinations before they hit budget.
Cross-reference with VirusTotal for safety
The expander shows where a URL goes; it doesn't say if the destination is safe. For security-critical decisions, cross-reference the final domain against VirusTotal or URLScan.io.
Expand from a clean network
If you suspect your network's DNS is compromised (resolving real domains to fake IPs), the expander result may be misleading. Run expansion from a different network or VPN to verify.
Common Mistakes to Avoid
Trusting the path, not the domain
A URL like https://malicious.com/google.com/login looks like Google because of the 'google.com' in the path, but the actual domain is malicious.com. Read the domain (everything before the third slash) carefully.
Assuming all shorteners are safe
Bitly, TinyURL, and t.co are widely trusted but anyone can shorten any URL. The shortener brand says nothing about destination safety. Always expand before clicking.
Ignoring HTTPS / HTTP status
A destination on HTTP is not just less secure; on a public Wi-Fi network, anyone on the same network can read your traffic. Check the final HTTPS flag before submitting any data.
Forgetting to check the URL after expansion
Expanding shows the destination, but if you immediately click the original short link without re-checking, the destination might have changed (302 redirects can be swapped). For high-stakes decisions, re-expand right before clicking.
Treating the expander as a malware scanner
The expander shows where a URL goes; it doesn't analyze whether the destination is malicious. For malware detection, use VirusTotal or URLScan as the second step after expansion.
Pasting URLs from clipboard with hidden characters
Some chat apps insert zero-width characters or URL-encoded variants when copying. Always paste into a plain text editor first to verify the URL is what you think it is, then expand.
Expanding through a corporate proxy
Corporate proxies sometimes intercept and rewrite URLs. The expander result might reflect the proxy's intermediary, not the real destination. Run from a personal device on a trusted network for accurate results.
Technical Specifications
| Specification | Value |
|---|---|
| Maximum hops | 20 (matches major browser limits) |
| Request method | HEAD with GET fallback |
| User-Agent | Recent Chrome desktop UA so destinations behave normally |
| Body parser | Reads up to 16KB of HTML body for redirect URL extraction (meta-refresh, anchor href fallback) |
| SSRF protection | Loopback, private IPv4/IPv6, link-local, cloud metadata endpoints blocked |
| Edge location | Cloudflare global network (closest to user) |
| Typical expansion time | 200-500ms for 1-3 hop chains; 1-2s for 4-6 hop chains |
| Supported shorteners | All standard shorteners: bit.ly, tinyurl.com, t.co, ow.ly, buff.ly, dub.sh, lnkd.in, j.mp, is.gd, t.ly, custom branded, etc. |
Industry-Specific Use Cases
Security and threat intelligence
Security analysts investigating phishing, malware, and BEC campaigns use URL expanders as a first-pass tool. Combined with VirusTotal and URLScan for domain reputation, the expander is the foundation of URL-based investigation workflows.
Marketing and growth teams
Pre-launch QA for campaigns, debugging broken short links, auditing affiliate paths. The expander is the marketer's reverse-engineering tool when something looks off in attribution or click reports.
SEO and digital agencies
Auditing client redirects, verifying canonical URLs, debugging post-migration issues. The expander shows the chain in a single view; manual verification is too slow for client volume.
IT helpdesk and customer support
Support agents use the expander to verify whether a customer-reported broken link is actually broken, or which hop in the chain is the problem. Standard tool in helpdesk URL-debugging workflows.
Compliance and legal teams
Verifying that marketing-disclosed URLs lead to the disclosed destinations (regulated industries: pharma, finance, gaming). The expander provides an auditable trail of the actual chain for compliance documentation.
Email security and DMARC analysts
Email security tools sometimes flag short links as suspicious; expanders verify whether the destination is legitimate. Useful for managing false-positive review queues at email security vendors.
Frequently Asked Questions
What does a URL expander do?
Is the expander safe to use?
What shorteners does it support?
How is this different from the Redirect Checker?
Can it expand any URL or just shortened ones?
What if the URL goes through 10+ redirects?
Will the destination know I expanded the URL?
What if a URL requires login to access?
Will it work for malicious URLs?
Can the expander scan internal/private URLs?
Does it work for password-reset and one-time URLs?
How accurate are the timing measurements?
Can I expand URLs in bulk?
Will it preserve UTM parameters in the destination?
Does it follow JavaScript redirects?
Why did the expander show a different URL than my browser?
Is the expander free forever?
Can the expander be used for affiliate compliance?
Does it bypass paywalls or login walls?
What if the URL is encoded with weird characters?
Key Terms
- URL shortener
- A service (Bitly, TinyURL, t.co, etc.) that converts a long URL into a short one via a redirect. The short URL is convenient for sharing; the actual destination is hidden behind the redirect.
- Redirect chain
- The sequence of URLs traversed from the starting URL to the final destination. The expander follows the chain hop by hop and reveals all intermediate URLs.
- Final destination
- The URL at the end of the redirect chain that returns a non-3xx response. This is the URL the user actually lands on after the browser finishes following all redirects.
- 302 redirect
- A temporary redirect, the most common type used by URL shorteners. Tells browsers to follow the new URL but treat the original short URL as canonical, so the shortener can change destinations later.
- SSRF (Server-Side Request Forgery)
- A vulnerability where an attacker tricks a server into making requests to internal addresses. The expander has SSRF protection: requests to loopback, private IPs, link-local, and cloud metadata endpoints are blocked.
- Meta-refresh redirect
- An HTML-level redirect using a meta tag (<meta http-equiv='refresh' content='0;url=...'/>). Less robust than HTTP-level 3xx redirects; the expander's HTML body fallback handles them when the Location header is stripped.