Skip to content
>_ITDITDWeb Security Platform

Site Transparency Checker

A tool claims your input “stays in your browser” — is that true? Enter a URL to surface, via static analysis, where the page could send data: external origins, trackers, and forms. Signals, not a verdict.

ITD's server fetches the target URL once and analyzes it statically (only the URL you enter is sent — not your code or input). Access to internal / private addresses is blocked.
Try an example (analyze ITD itself)

How to truly verify (DevTools)

  1. 1Open the page, then open DevTools with F12 (or right-click → Inspect).
  2. 2Open the “Network” tab and make sure it's recording.
  3. 3Actually use the tool and watch whether new requests (Fetch/XHR/WS) go to external domains.
  4. 4If there are no external sends, the page is client-side for that action.

SSRF

How to use

  1. 1Paste the URL of a tool that claims to be browser-only.
  2. 2It statically analyzes the external destinations, trackers, external forms and send-style code on that page.
  3. 3Results are signals. Do the final check in your DevTools Network tab (below).

Why it matters

Whether a “privacy” tool is truly private can't be fully proven from outside (browser CORS hides other sites' runtime behavior, and static analysis can't show the absence of a send). So this tool doesn't claim a verdict — it surfaces where data could flow and hands you the real verification method (DevTools). ITD is no exception: analyze this site and you'll see ad/analytics tags — not hiding it is the honest move.

FAQ

QDoes “zero external destinations” mean it's safe?
A

No. Static analysis misses obfuscated, dynamic, or on-click sends. Zero means “none found statically,” not proof. The sure check is your DevTools Network tab.

QWhy can't this be browser-only (no server)?
A

Browser CORS prevents a page from observing another origin's runtime requests, so the target URL is fetched and analyzed server-side (only the URL is sent).

QIs it OK to check someone else's site?
A

The tool fetches the target page once and analyzes it statically — no active scanning or attack (the same scope as opening it in a browser). Internal/private addresses are blocked.

Related