07: Shortened URLs - URLs Tutorials

What Are Shortened URLs?

URL shortening services create compact aliases for longer URLs. A service like Bitly takes a URL like:

https://example.com/products/electronics/smartphones/reviews/2024/iphone-15-pro-max-complete-review?utm_source=newsletter&utm_medium=email&utm_campaign=fall2024

And creates a short alias:

https://bit.ly/3xY7abc

Both URLs lead to the same destination, but one is far more compact for sharing in constrained contexts.

History

URL shorteners emerged in the early 2000s, driven by:

Twitter's 140-character limit (2006) made long URLs impractical
Email systems that broke long URLs across lines
Print media needing URLs people could type manually
Analytics needs—tracking clicks across campaigns

TinyURL (2002), Bit.ly (2008), and Google's goo.gl (2009, discontinued 2019) were among the most popular services.

How URL Shortening Works

The mechanics of URL shortening are straightforward:

The Basic Process

User submits a long URL to the shortening service
Service generates a unique short code (e.g., 3xY7abc)
Service stores the mapping: short code → original URL
When visited, the service looks up the code and redirects

The Redirect

When someone clicks a shortened URL, the shortening service responds with an HTTP redirect:

GET /3xY7abc HTTP/1.1
Host: bit.ly

HTTP/1.1 301 Moved Permanently
Location: https://example.com/products/electronics/...

The 301 status tells the browser to go to the Location URL. Some services use 302 (temporary redirect) instead, which affects caching and SEO differently.

Code Generation

Short codes are typically base62 (a-z, A-Z, 0-9) strings. A 7-character code allows:

62^7 = 3,521,614,606,208 possible combinations

That's over 3.5 trillion unique short URLs from just 7 characters.

Security Risks

Shortened URLs introduce significant security concerns that users and developers must understand.

Destination Obfuscation

The primary risk: you can't see where a shortened URL leads until you click it.

// Which of these is safe?
https://bit.ly/safe-site      // Could go anywhere
https://bit.ly/download-now   // Malware? Legitimate?
https://bit.ly/free-offer     // Phishing? Real offer?

// The name after the domain is just a custom alias
// It has NO relationship to the actual destination

This makes shortened URLs perfect for:

Phishing attacks—hiding malicious login pages
Malware distribution—obscuring download sources
Scams—disguising fraudulent sites

Preview Features

Some services offer preview URLs to see destinations before clicking:

// Bitly preview (append + to URL)
https://bit.ly/3xY7abc+

// TinyURL preview
https://preview.tinyurl.com/abc123

But few users know about these features, and many shorteners don't offer them.

Link Hijacking

Some services allow link editing, meaning the destination can change after sharing:

// Day 1: Links to legitimate site
https://short.url/deal → https://legitimate-store.com/sale

// Day 30: Owner changes destination
https://short.url/deal → https://phishing-site.com/fake-login

// Everyone who saved or bookmarked the link now goes to malware

Information Leakage

Shortened URLs can leak information in unexpected ways:

Clicking reveals your IP address and browser info to the shortening service
Referrer headers may expose the page you're on
Some services sell click analytics to third parties
Short codes can sometimes be enumerated to discover private links

Link Rot and Permanence

Shortened URLs have a critical dependency problem: they only work as long as the shortening service exists.

Service Shutdowns

Major shortening services have shut down:

Service	Launched	Shutdown	Impact
goo.gl (Google)	2009	2019	All links eventually broken
cli.gs	2007	2009	Links broken
tr.im	2008	2009	Links broken (briefly restored)

When a shortening service dies, every link created with it becomes permanently broken.

The Archive Problem

Academic papers, Wikipedia citations, and historical documents increasingly link to shortened URLs. When these links break:

Citations become unverifiable
Historical records lose context
Research becomes unreproducible

Business Model Instability

URL shorteners face challenging economics:

Free service with high infrastructure costs
Revenue depends on premium features most users skip
Vulnerable to acquisition, pivot, or shutdown

Even successful services may:

Change terms of service
Delete "old" or "inactive" links
Require payment for features that were free

Privacy Concerns

URL shorteners sit in the middle of every click, giving them extensive surveillance capabilities.

Data Collection

A typical shortening service collects:

// For every click:
- IP address (location)
- Timestamp
- Referrer (where you came from)
- User agent (browser, OS, device)
- Whether you're a new or returning visitor

// Aggregated into:
- Geographic distribution of clicks
- Time patterns
- Device types
- Click counts and trends

The Tracking Pixel Effect

Shortened URLs function like tracking pixels. When you click one:

Your browser connects to the shortener's server
The server logs your information
Only then are you redirected to the destination

This means the link creator (and the shortening service) know exactly when and how you clicked.

URL Parameter Stripping

Some shortened URLs hide tracking parameters that get added before the redirect:

// You click:
https://short.url/product

// Shortener redirects to:
https://store.com/item?ref=shorturl&click_id=12345&user_segment=returning

// The original sharer may not have known these parameters would be added

When to Use Shortened URLs

Despite the risks, there are legitimate uses for URL shortening.

Appropriate Uses

Character-limited platforms: Twitter/X (though it now auto-shortens), SMS messages
Print materials: Posters, business cards, signs where typing is required
Verbal sharing: URLs spoken aloud (podcasts, presentations)
Campaign tracking: When you need click analytics (but consider privacy implications)

When to Avoid

Permanent documentation: Academic papers, official records
Archival content: Wikis, knowledge bases, documentation
Email (usually): Most email clients handle long URLs fine
Web pages: Use proper anchor text instead
Security-sensitive contexts: Banking, authentication, password resets

Best Practices If You Must Use Them

Use reputable services with proven longevity
Use your own domain if possible (Bitly and others offer this)
Document the mapping in case the service dies
Prefer services that don't allow link editing
Avoid for any sensitive content

Alternatives to Shortened URLs

For many use cases, better alternatives exist.

Memorable Paths

Configure your own short, memorable URLs:

// Instead of: https://bit.ly/xyz123
// Use: https://yoursite.com/conference

// Server redirects:
/conference → /events/2024/annual-developer-conference-registration

Benefits:

You control permanence
Brand visibility (your domain in the URL)
No third-party dependency
Can be meaningful and memorable

QR Codes

For print materials, QR codes can encode full URLs:

// Full URL in QR code:
https://example.com/events/2024/conference?ref=poster

// Users scan instead of type
// No shortener needed
// Works offline (no redirect server required)

Descriptive Anchor Text

On the web, use proper link text instead of showing URLs:

// Instead of:
Check out https://bit.ly/3xY7abc for details

// Use:
Check out <a href="full-url">our conference page</a> for details

// User sees: Check out our conference page for details
// Clean, accessible, no shortener needed

Platform-Native Sharing

Modern platforms handle long URLs intelligently:

Twitter/X: Auto-shortens with t.co
Slack: Unfurls URLs with previews
Email: Renders URLs as clickable links
Messaging apps: Show link previews

UTM Parameters Without Shorteners

If you need campaign tracking, use UTM parameters directly:

// Direct UTM tracking:
https://example.com/product?utm_source=twitter&utm_campaign=launch

// Analytics tools (Google Analytics, etc.) will track these
// No shortener middleman required

Expanding Shortened URLs Safely

When you encounter a shortened URL and need to know where it leads:

URL Expansion Services

Tools that reveal destinations without clicking:

CheckShortURL.com - Shows destination and safety info
GetLinkInfo.com - Expands URLs and shows redirect chain
UnshortIt - Browser extension for automatic expansion

Manual Expansion with cURL

# Follow redirects and show final URL
curl -Ls -o /dev/null -w '%{url_effective}' https://bit.ly/3xY7abc

# Show all redirect steps
curl -sIL https://bit.ly/3xY7abc | grep -i location

JavaScript Expansion

// Using fetch to expand (requires CORS or proxy)
async function expandUrl(shortUrl) {
  const response = await fetch(shortUrl, {
    method: 'HEAD',
    redirect: 'follow'
  });
  return response.url;
}

// Note: Browser security often blocks this
// Use a server-side proxy for reliable expansion

Building Your Own Shortener

For learning purposes or business needs, here's a minimal URL shortener:

Core Logic

// Simple URL shortener logic (pseudocode)
class UrlShortener {
  constructor() {
    this.urlMap = new Map();
    this.counter = 0;
  }

  shorten(longUrl) {
    // Generate short code (base62)
    const code = this.toBase62(++this.counter);
    this.urlMap.set(code, longUrl);
    return `https://short.url/${code}`;
  }

  expand(code) {
    return this.urlMap.get(code);
  }

  toBase62(num) {
    const chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    let result = '';
    while (num > 0) {
      result = chars[num % 62] + result;
      num = Math.floor(num / 62);
    }
    return result || '0';
  }
}

// Server route
app.get('/:code', (req, res) => {
  const longUrl = shortener.expand(req.params.code);
  if (longUrl) {
    res.redirect(301, longUrl);
  } else {
    res.status(404).send('Not found');
  }
});

Production Considerations

A real shortener needs:

Persistent database storage
URL validation and sanitization
Rate limiting to prevent abuse
Spam and malware checking
Collision handling for codes
Analytics infrastructure
CDN for global performance