Preventing malicious linking

Continuing the discussion from How Coinbase Uses Discourse to Educate Customers and Improve SEO:

If I understand, that warning would be shown to anyone who clicks on a link posted by a TL0 user?

What if a TL0 users posts a link to one of our KB articles, or StackOverflow, or Wikipedia? I suppose we could whitelist domains, but it seems like all users are being punished instead of the new user being asked to gain trust.

If that was only shown until moderator review, it could work.

1 Like

No, it would be global for all TL0 user links outside the main domain. Turning it into a manual URL review queue would be a big jump in complexity and UI.


Makes sense, it would just feel a bit silly to see a security warning on a wikipedia link.

I agree. Almost would need the ability to turn this off, as for our given instance, links are typical, most go to CodePen, or JSFiddle, SQL Fiddle, etc. Sometimes to the user’s own site because they are trying to work out an issue of some sort. In no way would we want to display such a warning on all TL 0 links that link to external resources.

Even whitelisting would be extremely difficult for our community (unfortunately). So if it could be enabled by default, with the ability to turn it off, that’s be great!

1 Like

Enabling by default with a option to turn off. :thumbsup:

Btw, I suggest taking a look at how Steam chat does this, the wording of their message, because they are a big pishing target.

1 Like

Can you post a screenshot?

1 Like

Looks like there are two versions:

Normal Link:

Possible phishing: (maybe when the link and hostname are similar?)


After thinking about it, I have very little enthusiasm for this feature. I view it as borderline useless, a lawyerly way of CYA without any real effect on user behavior. It’s just another meaningless warning that appears all the time on external links that users quickly learn to click past without thinking to get where they want to go.

What would work is a plugin that checks domains server-side against a known blacklist of dangerous domains and warns ONLY when attempting to visit known bad domains.

But then again, this is best done at the browser level not at the website level. So the protection would then be global.


This can be a very good function. Several users have already asked to do this and I was thinking about implementing it with the help of a plugin. If it’s in the core, then it’s very good.

If @erlend_sh wants to add such a plugin to the :sparkles: ENCOURAGEMENT fund, that is up to him. Seems like an OK candidate, provided it only warns on known bad domains as stated above.

Global warn on every outgoing link is very, very bad as you are training users to ignore warnings. So bad.


In the social network Vkontakte, that’s exactly how it is implemented. Transitions to the bad domains open the window. The administration has the option to manually add any domain.

External link icons are pretty common practice these days though. Not a warning but an indicator…


I don’t historically derive much value from that kind of indicator, though. Plus we already mini-onebox internal links, like this… Preventing malicious linking … so we already have a “different” version of links.

Plus full oneboxing!


Why not rewrite to the HTTPS version? It’s astounding they don’t use an HTTP 301 redirect to HTTPS, but for trusted domains / domains that return a 301 upon Discourse reviewing the post and post content it could work.

This has very little to do with https, it is about malicious domains in general. Which could be https, that part is not relevant.

Hi all,
I’m really happy to build a plugin for the above mentioned task. I am thinking of using Google Safe Browsing API. I tried some sites with the api. Its giving good results

I’m thinking of two ways of triggering this check. We can either check the url when it’s added and add a flag or else we can check when the url is clicked. But I think the first way is better. What u guys think ?

1 Like

Adding a flag seems like a better idea as checking everytime someone clicks doesn’t seems very resource friendly.
though adding a warning modal to all the flagged links when clicked seems like a bonus.

1 Like

My idea was the same. We can reduce the API hits that way. :slight_smile:

Exactly! and that way, everyone clicking it can be warned in advance that the link isn’t trusted.

Only check the first time it is clicked and then save the result. It simply does not matter one way or the other when a link is never clicked.

But what about a year later, can a link become safe?