What is Phisherman?

Phisherman is a lightweight, high-performance phishing detection API built with Node.js, Express, and TypeScript. It analyzes any URL and returns a structured verdict — safe, suspicious, or phishing — by running it through a pipeline of six independent threat checkers in parallel.

Quick Start

Get the API running locally in under five minutes

API Reference

Explore the single endpoint and response schema

How It Works

Learn about the checker pipeline and scoring system

Deployment

Deploy with Docker or run directly with Node.js

Key capabilities

Multi-source threat intelligence

Checks URLs against URLHaus, OpenPhish, PhishTank, PhishStats, and Google Safe Browsing simultaneously

Heuristic analysis

Detects suspicious keywords, domain age, WHOIS data, hyphenated domains, and missing HTTPS

SSRF protection

Blocks private IP ranges, loopback addresses, link-local IPs, and DNS rebinding attacks

Redis caching

In-memory O(1) feed lookups with automatic background refresh every 5–90 minutes per source
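
One way to approach the SSRF protection listed above, as an added example that is not Phisherman's own code: vet every address a hostname resolves to, then connect only to the vetted address. All function names, the exact blocklist and the resolve-once-and-pin strategy are assumptions, and the sample DNS answer is constructed.

```typescript
// Added example, not Phisherman's code. All names below are hypothetical.
type Vetting = { allowed: true; pinned: string } | { allowed: false; reason: string };

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit number (null if malformed).
function parseIPv4(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Unspecified, private, loopback, link-local (incl. cloud metadata) and CGNAT ranges.
const BLOCKED_V4: [string, number][] = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["127.0.0.0", 8], ["169.254.0.0", 16],
  ["172.16.0.0", 12], ["192.168.0.0", 16], ["100.64.0.0", 10],
];

function inCidr(addr: number, base: string, bits: number): boolean {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === (((parseIPv4(base) ?? 0) & mask) >>> 0);
}

function isBlockedAddress(ip: string): boolean {
  const lower = ip.toLowerCase();
  // IPv4-mapped IPv6 in dotted form is judged by its embedded IPv4 address.
  const mapped = lower.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  const v4 = parseIPv4(mapped ? mapped[1] : lower);
  if (v4 !== null) return BLOCKED_V4.some(([base, bits]) => inCidr(v4, base, bits));
  if (!lower.includes(":")) return true; // not an IP literal: fail closed
  const first = parseInt(lower.split(":")[0] || "0", 16);
  // ::/8 covers ::, ::1 and hex-form mapped addresses; NaN means garbage input.
  if (Number.isNaN(first) || first === 0) return true;
  // fe80::/10 is link-local, fc00::/7 is unique-local (private).
  return (first & 0xffc0) === 0xfe80 || (first & 0xfe00) === 0xfc00;
}

// Vet one DNS answer set: every record must pass, then the caller connects to
// `pinned` instead of re-resolving the hostname, which closes the rebinding window.
function vetResolution(addresses: string[]): Vetting {
  if (addresses.length === 0) return { allowed: false, reason: "no addresses" };
  const bad = addresses.find((a) => isBlockedAddress(a));
  if (bad !== undefined) return { allowed: false, reason: `blocked address ${bad}` };
  return { allowed: true, pinned: addresses[0] };
}

// Constructed DNS answer mixing a public (TEST-NET-3) record with a loopback record.
const SAMPLE_MIXED = ["203.0.113.10", "127.0.0.1"];
```

Pass `vetResolution` the addresses from a single `dns/promises` resolution and reject the URL when `allowed` is false; an answer set that mixes public and internal records is refused as a whole.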

How the verdict works

Every URL submitted to POST /api/check is scored on a 0–100 scale. Each checker contributes points to the total:

| Score range | Verdict |
| --- | --- |
| 0 – 39 | safe |
| 40 – 69 | suspicious |
| 70 – 100 | phishing |

The score is capped at 100. Multiple checkers can fire simultaneously — a confirmed match in any threat feed can push the total to 100 on its own.

Architecture overview

POST /api/check
      │
      ▼
  Rate limiter (100 req / 15 min per IP)
      │
      ▼
  Redis cache lookup (SHA-256 of URL)
      │ miss
      ▼
  CheckerRegistry.runAll() — parallel, 2.5s timeout each
  ┌──────────────────────────────────────────────┐
  │  HeuristicsChecker   OpenPhishChecker        │
  │  SafeBrowsingChecker URLHausChecker          │
  │  PhishTankChecker    PhishStatsChecker       │
  └──────────────────────────────────────────────┘
      │
      ▼
  Aggregate score → verdict → cache → respond

Technology stack

| Component | Technology |
| --- | --- |
| Runtime | Node.js 20, TypeScript |
| HTTP framework | Express 5 |
| Cache / feeds | Upstash Redis (@upstash/redis) |
| Rate limiting | Custom Redis-backed middleware |
| WHOIS lookups | whois-json |
| DNS resolution | Node.js built-in dns/promises |
| Containerization | Docker (node:20-alpine) |