
URL Validator

Check if a URL is valid and analyze its parts: protocol, domain, path, parameters and hash. Processed in the browser.

How to use?

Paste or type the URL into the field above. Besides checking whether the format is right, the tool breaks the URL down into each of its pieces: protocol, host, port, path, query string and hash.

URL anatomy and what "valid" really means

The grammar of a URL is defined by RFC 3986. Every URL follows the same skeleton: scheme://authority/path?query#fragment. The authority can itself be split into userinfo@host:port. Common schemes include http, https, ftp, mailto, data, file, tel and blob. The host may be a DNS name, an IPv4 dotted-quad, or an IPv6 literal in brackets like [2001:db8::1]. The port must be a 16-bit integer between 1 and 65535. The path, query and fragment all have their own percent-encoding rules.

This tool uses the browser's native URL constructor (the same parser the address bar uses) instead of a hand-written regex. Most URL regexes you find online fail on at least one edge case: IPv6 literals, percent-encoded UTF-8, internationalized domain names, or trailing dots in the host. The native constructor (available in Node 10+ and every modern browser) follows the WHATWG URL Standard, which is a slightly more lenient superset of RFC 3986 and matches real browser behavior.

Three levels of URL validation

Syntactic validation only checks that the string parses against the grammar: the scheme is present, the host is well-formed, the port is in range. Semantic validation goes further and asks whether the host actually resolves in DNS, whether the scheme is allowed by your application policy, or whether the port is reachable. Reachability validation actually opens a connection, typically an HTTP HEAD request, to confirm a non-error response. Most form-validation use cases stop at syntactic; link-checkers and SEO crawlers go all the way to reachability.

Security pitfalls

If your backend follows or redirects to a user-supplied URL without filtering, you have an open redirect, a classic phishing vector that turns your trusted domain into a stepping stone. Always allowlist target domains rather than denylisting them. Watch out for typosquatting (paypa1.com with a digit one) and IDN homograph attacks where a Cyrillic а impersonates the Latin a. Normalize hosts to Punycode (xn--…) before comparing. For server-side fetches, prevent SSRF by blocking private and loopback ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, link-local 169.254.0.0/16, and IPv6 equivalents) plus any cloud metadata endpoint like 169.254.169.254.

Reject dangerous schemes when accepting links from users: javascript: executes script in the page context (XSS), data: can smuggle HTML or scripts, and file: may leak local resources. Maintain a small allowlist, typically just http and https.
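
The scheme allowlist, Punycode host comparison and private-range blocking described in this section, as an added example that is not part of the original page. The function names and the example.com allowlist are assumptions for illustration, IPv6 literals are refused outright rather than range-checked, and DNS names still need the same range check on the address they resolve to.

```javascript
// Added example; function names and sample hosts are illustrative.
const BLOCKED_V4 = [            // CIDR ranges listed in the text above
  ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['127.0.0.0', 8], ['169.254.0.0', 16],   // covers 169.254.169.254
];

// Dotted-quad string -> unsigned 32-bit integer.
const v4ToInt = (ip) =>
  ip.split('.').reduce((acc, octet) => acc * 256 + Number(octet), 0);

function inBlockedV4(ip) {
  const n = v4ToInt(ip);
  return BLOCKED_V4.some(([base, bits]) => {
    const size = 2 ** (32 - bits);            // addresses in the range
    return Math.floor(n / size) === Math.floor(v4ToInt(base) / size);
  });
}

// Parse once; return null unless the scheme is http or https.
function parseHttpUrl(str) {
  try {
    const u = new URL(str);
    return u.protocol === 'http:' || u.protocol === 'https:' ? u : null;
  } catch {
    return null;
  }
}

// Redirect targets: exact match against an allowlist of ASCII hostnames.
// u.hostname is already lowercased and Punycode-encoded by the parser.
function isAllowedRedirect(str, allowedHosts) {
  const u = parseHttpUrl(str);
  return u !== null && allowedHosts.includes(u.hostname);
}

// Server-side fetch: reject IP literals in blocked ranges. The parser has
// already canonicalised hex, octal and integer IPv4 forms to dotted decimal.
function isSafeFetchTarget(str) {
  const u = parseHttpUrl(str);
  if (u === null) return false;
  const host = u.hostname;
  if (host === 'localhost' || host.endsWith('.localhost')) return false;
  if (host.startsWith('[')) return false;      // conservative: no IPv6 literals
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return !inBlockedV4(host);
  return true;   // DNS name: the resolved address still needs the same check
}
```
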

Practical tips and libraries

In Node, the built-in new URL(str) is enough for 95% of cases; for advanced parsing use whatwg-url or url-parse. valid-url is also popular but predates the WHATWG standard. In the browser, URL.canParse(str) (2023+) returns a boolean without throwing, which is handy for hot validation loops.

function isValidHttpUrl(str) {
  try {
    const u = new URL(str);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch { return false; }
}

FAQ

Regex or the URL API? Always the URL API. Regexes drift from the spec, fail on IDN and IPv6, and look correct until they suddenly do not. The native parser is fast, battle-tested, and matches what browsers actually do.

Is http://localhost:3000 a valid URL? Yes, it is syntactically valid. Whether you accept it depends on your context: dev tooling should, but a public link-submission form usually should not.

What is the maximum URL length? RFC 3986 sets no hard limit. In practice, browsers accept anywhere from 2 048 characters (older IE) to 32 779 (Chrome). Many servers and CDNs cap query strings at 4–8 KB. For long payloads, use POST instead.

Does the fragment #… get sent to the server? No. The fragment is processed entirely client-side, which is why single-page-app hash routers work without server cooperation.

Validate and analyse a URL

A malformed URL breaks a link, jams an integration or ruins a redirect. This validator checks whether the address is valid and then takes the URL apart, showing clearly each component that makes it up.

Laid out separately you get the protocol, the domain, the path, the query-string parameters and the hash, which is the anchor. That helps you debug links crammed with parameters, decode a campaign URL, check an address before using it in code, or simply see what each piece is saying.

Nothing leaves the browser: the URL is processed right there. Paste the address and the full structure appears at once, which suits anyone working in web development.