Broken Link Checker
Paste a page's HTML and we audit every `<a href>`, plus stylesheet / script / image / iframe URLs. Flags empty hrefs, placeholder hrefs (#, javascript:, about:blank), invalid relative URLs, http:// links on HTTPS pages (mixed content), target="_blank" without rel="noopener", utm/gclid/fbclid tracking parameters, and duplicate anchor-text with conflicting destinations. 100% offline.
What is the Broken Link Checker?
Broken Link Checker is a paste-based link audit — different from a server-side crawler that fetches every URL to check 4xx/5xx responses. This tool catches the broken patterns that live in the HTML itself, with no network round-trips needed. Every `<a>` element is categorised against seven signals: empty href (`href=""`), placeholder hrefs (`#`, `javascript:void(0)`, `about:blank`), whitespace-only hrefs, invalid relative URLs (doesn't start with a scheme, fragment, root path or query), mixed content (http:// link on an HTTPS page — detected via the page's canonical or og:url), missing `rel="noopener"` on `target="_blank"` (a classic phishing-attack vector), and tracking parameters (utm_*, gclid, fbclid, etc.) leaking into internal navigation. The audit also covers resource URLs (`<link rel=stylesheet>`, `<script src>`, `<img src>`, `<iframe src>`) for empty src and mixed-content issues. The duplicate-text detector flags the common SEO mistake of "Click here" appearing multiple times pointing to different destinations.
How to use it
- Paste a page's HTML into the textarea (head + body, or even just body).
- Read the headline counters: total / broken / warnings / unique hrefs.
- Scroll through the anchors table — each link shows its categories as coloured chips.
- Use Findings for an executive summary you can hand to engineering.
- Check the Resources table for stylesheet / script / image / iframe issues.
Benefits
- Seven categorisation signals — empty, placeholder, whitespace, invalid, mixed content, missing-noopener, tracking-params.
- Resource audit — stylesheets, scripts, images, iframes for empty src and mixed content.
- Duplicate-text detector — flags 'Click here' anti-pattern.
- Page-protocol inference from canonical / og:url so http://-link audit doesn't false-positive.
- Coloured category chips per row for at-a-glance scanning.
- No network — works in any sandbox, no rate-limiting, no flaky retries.
- Settings persist in localStorage.
- Runs 100% in your browser.
Frequently asked questions
Does it fetch URLs to verify they actually return 200?
No — that's a server-side crawler job, and same-origin policy would block it from the browser anyway. This tool catches the patterns that are broken in the markup itself: empty hrefs, placeholder hrefs, mixed content. For 4xx/5xx detection, pair this with a CLI link checker like `lychee` or `linkinator`.
What's a placeholder href and why is it bad?
`#`, `javascript:void(0)`, and `about:blank` are placeholders developers use during prototyping. They render as clickable links but don't actually navigate — a UX trap. If the link triggers JS, use a `<button>` instead. If it's truly a no-op, remove it.
Why is missing rel="noopener" a security issue?
Before browser fixes in 2021-2022, a `target="_blank"` link without rel="noopener" gave the destination page access to `window.opener` — letting attackers redirect the parent tab in a phishing technique called 'tabnabbing'. Modern Chrome/Firefox/Safari now default to noopener, but old browsers still need the attribute, and it's a best practice to be explicit.
What counts as mixed content?
An http:// resource referenced from an HTTPS page. Browsers either block these silently (active mixed content like scripts) or warn (passive like images). We infer the page protocol from the canonical / og:url — fall back to assuming HTTPS.
Why are utm_/gclid params flagged?
Tracking parameters on internal links break analytics — they assign the click to whatever source was in the URL, regardless of the actual referrer. Keep tracking params on external campaigns; strip them from internal navigation.
What's the 'duplicate text' check?
If the same anchor text (case-insensitive) appears in two anchors with different hrefs, both users and search engines get confused about where the link goes. 'Click here' → /a and 'Click here' → /b is the classic example.
Can it audit JSX or component source?
Only rendered HTML — DOMParser doesn't understand JSX. Render your component to a string (Next.js does this server-side, React does it via `renderToString`) and paste the output.
Why is my mailto: link marked 'ok' even without a real address?
We treat any `mailto:` with at least an `@` as ok. Validating the email address shape is out of scope — that's an email-validation tool.
How fast is the audit on large pages?
DOMParser handles up to ~5 MB of HTML in well under a second. A typical content page (50-500 anchors) audits in tens of milliseconds.
Are my pastes saved?
Yes — the input persists in localStorage under `toollyz:broken-links-input`.
Is anything uploaded?
No. Audit runs entirely in your browser.
Related tools
See all developer toolsCanonical URL Checker
Paste HTML; audit canonical, og:url, twitter:url, hreflang and normalise URLs.
Meta Tag Analyzer
Holistic SEO meta audit — score, breakdown by category, every meta tag explained.
Website Source Viewer
Paste HTML, prettify + extract outline, scripts, styles, links, images, meta tags.
Mobile-Friendly Test
Paste HTML — score 0-100 across viewport, tap targets, fonts, plugins, fixed widths.