Free, browser-based utilities for everyday developer workflows

Bidi Character Detector

Security Tools

Detect bidirectional control characters in URLs, domain names, and copied text locally in your browser, with safe evidence and no upload required.

  • Paste a suspicious link, sender, domain, raw header, or copied message text.
  • The tool automatically detects the input type and runs local checks.
  • No URL is fetched, opened, or rendered as a clickable result.
Runs locally

Inspect suspicious content

Runs in your browser. Your pasted content is not sent to a server.

Not sure? Just paste it above. We will detect it automatically.

Safe example gallery

How to use the Bidi Character Detector

Paste a URL, domain, or copied text to see whether bidi controls are changing the display order. This is useful for spotting text that renders differently from what you pasted.

What it does

  • Flags bidi control characters with code-point evidence.
  • Helps explain display-order tricks inside copied text.
  • Shows the risky characters without opening any link.

When to use it

  • A URL or sender line looks visually scrambled.
  • You suspect right-to-left override or similar bidi controls.
  • You need a fast check on copied text before sharing it.

How to use it

  1. Paste the suspicious text into the main input.
  2. Run Analyze locally and inspect the Unicode evidence table.
  3. Review the normalization and visual diff panels if needed.
  4. Compare the result against a trusted domain when relevant.

FAQ

  • Does this tool fetch suspicious links? No. All analysis runs locally in your browser and the tool does not open or fetch pasted URLs.
  • Can I paste raw email headers? Yes. Paste raw headers and the inspector checks From, Reply-To, Return-Path, Authentication-Results, and related spoofing indicators locally.
  • Does the inspector send my input to a server? No. Everything stays in your browser. Nothing you paste is sent to a server or third-party API.
  • What kinds of spoofing does it look for? It looks for invisible characters, bidi controls, mixed scripts, confusable domains, Punycode hostnames, misleading subdomains, credential-in-URL tricks, and sender mismatches.
  • Can it compare a suspicious value against a trusted domain? Yes. You can enter an optional trusted domain so the inspector can compare the pasted content against a known-good brand or host locally.

Related guides