Safely preview shorted links

Most of the link shortening providers also offer a possibility to preview the URL a short link will redirect to. Most times, it is sufficient to modify a little detail of the short link:

Differente URL Shortening Services

Bitly

Add a + sign to the short link (source):

https://bit.ly/3kwQV20 -> https://bit.ly/3kwQV20+

Cuttly

Add a @ symbol to the short link:

https://cutt.ly/YEh65VC -> https://cutt.ly/YEh65VC@

is.gd

Add a – (hyphen) sign to the short link:

https://is.gd/vzC7mi -> https://is.gd/vzC7mi-

TinyURL

Add a + sign to the short link:

https://tinyurl.com/3yw559cj -> https://tinyurl.com/3yw559cj+

Or add preview as a subdomain to the short link:

https://tinyurl.com/3yw559cj -> https://preview.tinyurl.com/3yw559cj

No preview from the service

If the link shortening provider does not offer a way to preview the URL, you can also use the following tools to get the URL to which a short link will redirect to. They all have in common that they will only download the headers of the short link and will not follow the URL the short link points to. Be aware that your access may be logged by the link shortening provider and it also may be added to the statistics of the short link usage.

curl

curl does not follow redirects by default. The option -I tells it to only download the headers:

curl -sI https://bit.ly/3kwQV20 | grep -i Location

Output:

location: https://security.stackexchange.com/q/255448/230952

wget

Alternative with wget:

wget -S --spider --max-redirect=0 https://bit.ly/3kwQV20 2>&1 | grep -i Location

wget will follow redirections by default, so you have to limit it by --max-redirect=0. Furthermore, it will write to the error stream, so you have to redirect that to be able to grep it. The output will be:

Location: https://security.stackexchange.com/q/255448/230952

If the target looks like another redirection, then you can re-run the command, changing --max-redirect=0 to --max-redirect=1. This makes wget stop before the second redirect, etc.

PowerShell

Alternative with Invoke-WebRequest:

(Invoke-WebRequest -Uri https://bit.ly/3kwQV20 -Method Head -MaximumRedirection 0 -ErrorAction SilentlyContinue).Headers.Location

Or more abbreviated:

(iwr https://bit.ly/3kwQV20 -Me H -Ma 0 -EA Si).Headers.Location

Output:

https://security.stackexchange.com/q/255448/230952

URL Checkers

If you don’t have access to the above tools, you can also use online services to do it for you. Be aware that you probably don’t know how exactly they work. So they might even access the target URL, which might be undesirable in some threat models. Example websites: