Catches phishing pages, leaked secrets, and stolen credentials in real time — 100% on your device.
Live on Chrome, Firefox & Edge · No account required · No credit card
This page mimics Bank of America but sends your credentials to a different server.
http://185.43.12.9/collect
PhishClean detects the domain mismatch before you submit
Try these right now — no install, no signup, 100% private
A pixel-perfect clone of your bank's login, hosted on secure-bankofamerica.com. You type your password. It goes to someone in another country. Chrome Safe Browsing might catch it hours later — if someone reports it first. Most phishing pages only exist for a few hours, which is exactly long enough to harvest credentials and disappear before the blocklist updates.
JWTs in query strings get logged everywhere — analytics, proxies, browser history, every extension with URL access. One XSS vulnerability on the page and localStorage tokens are gone too.
A compromised third-party widget quietly copies your Authorization headers to an external domain. Your session is hijacked. The page looks completely normal. You'd never know unless something was watching the network requests.
AWS keys (AKIA...), Stripe live keys, GitHub tokens — hardcoded in JavaScript bundles where any visitor can read them. Bots scrape for these patterns constantly. One leaked key can cost thousands.
Coffee shop WiFi. A man-in-the-middle downgrades your connection. You see your bank's real content — unencrypted.
Hover any link to see a safety check — green tick, yellow caution, or red alert.
Free: Flags pages with login forms that could be phishing.
Free: Catches forms that submit credentials to a different domain.
Free: Detects AWS, Stripe, GitHub, Slack, Twilio, SendGrid keys in page source.
Pro: Catches exposed RSA/EC private keys — critical security risk.
Pro: Warns when you're redirected from HTTPS to HTTP.
Pro: Alerts when password fields appear on unencrypted pages.
Pro: Spots JWT tokens exposed directly in URLs.
Pro: Detects Authorization headers sent to third-party domains.
Pro: Finds invisible iframes that could capture credentials.
Pro: Detects unusual form structures that don't match typical logins.
Pro: Checks localStorage for exposed tokens and secrets.
Pro: Flags sensitive params like token, auth, session in URLs.
Pro: Detects navigation from HTTPS sites to HTTP pages.
Pro: Checks login area layout against typical patterns.
Get PhishClean from the Chrome Web Store, Firefox Add-ons, or Edge Add-ons, click install, confirm the permissions prompt, and you're done. No account to create, no email to verify, no settings to configure. Pro features activate automatically for 3 days so you can see everything working before you decide. Works on Chrome, Firefox, Edge, and any Chromium-based browser (Brave, Vivaldi, Arc).
Each time a page loads, PhishClean runs its detection signals right inside your browser. It checks the DOM for exposed API keys, inspects form actions for domain mismatches, looks for hidden iframes, and flags HTTPS-to-HTTP downgrades. All of this happens locally. Nothing leaves your machine.
No notification spam. If PhishClean finds something — a login page that sends credentials to a different domain, a leaked Stripe key in page source, a suspicious iframe — you get one clear alert explaining what's wrong and what you can do about it.
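The form-action check described above can be sketched as a pure function; this is an added example, not PhishClean's code. The function and finding names are hypothetical, and "same site" is approximated by the last two hostname labels, where a production check would use the Public Suffix List.

```javascript
// Added illustration, not PhishClean's code. Assumption: "same site" is
// approximated by the last two hostname labels; a production check would
// use the Public Suffix List (this shortcut is wrong for e.g. *.co.uk).
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

function isIpLiteral(hostname) {
  return IPV4.test(hostname) || hostname.startsWith('['); // '[' marks IPv6
}

function siteOf(hostname) {
  if (isIpLiteral(hostname)) return hostname;
  return hostname.split('.').slice(-2).join('.');
}

// Returns a list of findings for one <form action="..."> on a page.
function checkFormAction(pageUrl, actionAttr) {
  const page = new URL(pageUrl);
  let target;
  try {
    // An empty or relative action resolves against the page, as in the browser.
    target = new URL(actionAttr || '', page);
  } catch {
    return ['unparseable-action'];
  }
  if (!['http:', 'https:'].includes(target.protocol)) return ['non-http-action'];

  const findings = [];
  if (siteOf(target.hostname) !== siteOf(page.hostname)) findings.push('domain-mismatch');
  if (isIpLiteral(target.hostname)) findings.push('ip-literal-target');
  if (page.protocol === 'https:' && target.protocol === 'http:') findings.push('https-to-http');
  return findings;
}

// Constructed samples modelled on the scenario described on this page.
const formSamples = [
  ['https://secure-bankofamerica.com/login', 'http://185.43.12.9/collect'],
  ['https://www.example.com/login', '/session'],
  ['https://www.example.com/login', 'https://auth.example.com/session'],
];
for (const [page, action] of formSamples) {
  console.log(page, '->', action, checkFormAction(page, action));
}
```

In an extension content script the two arguments would come from `location.href` and each form's `action` attribute.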
3-day free trial. No credit card required. No login required.
7 REST endpoints covering URL scanning, password analysis, email phishing detection, header authentication checks, JWT security audits, secret leak scanning, and full page risk scoring.
Free tier: 30 req/hr with no key. Upgrade to Pro ($19/mo), Business ($49/mo), or Enterprise ($700/yr) for up to unlimited requests with API key authentication.
Works with Claude, Gemini, Copilot, and any HTTP client via our MCP server.
URL, password, email, headers, JWT, secrets, full page scan
30 req/hr free. API keys for Pro, Business & Enterprise tiers.
Works with Claude, Gemini CLI, and Microsoft Copilot
| Feature | PhishClean Pro | Chrome Safe Browsing | Norton Safe Web | McAfee WebAdvisor |
|---|---|---|---|---|
| Phishing page detection | Yes | Yes | Yes | Yes |
| Form domain mismatch | Yes | No | No | No |
| API key / secret scanning | Yes | No | No | No |
| Private key detection | Yes | No | No | No |
| JWT token leak detection | Yes | No | No | No |
| Auth header monitoring | Yes | No | No | No |
| HTTPS downgrade alerts | Yes | Partial | No | No |
| localStorage scanning | Yes | No | No | No |
| 100% local / private | Yes | Sends URLs to Google | Cloud-based | Cloud-based |
| Detection signals | 15 | Blocklist | Reputation | Reputation |
| Price | $5/mo | Free | $50-100/yr | $30-80/yr |
No — and it can't, by design. Every detection signal runs inside your browser tab. Your passwords, URLs, and page content never leave your machine. The only thing our server ever receives is a random install ID (a UUID we generate at install time) and whether your license is active. We couldn't snoop on your browsing even if we wanted to.
It reads through the page's source looking for hardcoded credentials — things like AWS access keys (they start with AKIA), live Stripe keys (sk_live_), GitHub personal access tokens, Slack webhooks, Twilio and SendGrid keys, and RSA/PEM private keys. We filter out test keys and common documentation examples so you're not buried in false positives. More detail on the Secret Leak Scanner page.
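A scanner of the kind this answer describes might look like the following; this is an added example, not PhishClean's rule set. The `AKIA` and `sk_live_` prefixes come from the page, while the `ghp_` prefix for GitHub tokens, the key lengths, and the placeholder filter are assumptions based on the publicly documented key formats.

```javascript
// Added illustration, not PhishClean's rule set. Prefixes AKIA and sk_live_
// are named on this page; ghp_ and all lengths are assumptions.
const RULES = [
  { name: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: 'stripe-live-secret', re: /\bsk_live_[0-9a-zA-Z]{24,}\b/g },
  { name: 'github-pat', re: /\bghp_[0-9a-zA-Z]{36}\b/g },
  { name: 'pem-private-key', re: /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/g },
];

// Assumed false-positive filter: obvious documentation placeholders.
function isPlaceholder(match) {
  return /EXAMPLE|XXXX|0000000/i.test(match);
}

// Never echo the whole secret back into an alert or log.
function redact(match) {
  return match.length <= 12 ? match : `${match.slice(0, 8)}...(${match.length} chars)`;
}

function scanSource(text) {
  const findings = [];
  for (const { name, re } of RULES) {
    for (const m of text.matchAll(re)) {
      if (isPlaceholder(m[0])) continue;
      findings.push({ rule: name, offset: m.index, preview: redact(m[0]) });
    }
  }
  return findings;
}

// Constructed sample bundle; the key values are fabricated for this example.
const fakeAws = 'AKIA' + 'Q7'.repeat(8);
const fakeStripe = 'sk_live_' + 'a1B2'.repeat(6);
const sampleBundle = [
  `const cfg = { aws: "${fakeAws}", docs: "AKIAIOSFODNN7EXAMPLE" };`,
  `stripe.init("${fakeStripe}"); // live key: reported`,
  `stripe.init("sk_test_${'x'.repeat(24)}"); // test key: never matches`,
].join('\n');

console.log(scanSource(sampleBundle));
```

Test-mode Stripe keys are excluded by the pattern itself, and the AWS documentation key is dropped by the placeholder filter, so the sample yields two findings.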
The core protection — link safety tooltips, password field detection, and form domain mismatch alerts — stays free forever. The Pro signals (secret scanning, JWT detection, HTTPS downgrade alerts, iframe analysis, auth header monitoring) lock after the trial unless you subscribe. You won't lose any settings or whitelist data either way.
Nope. Install the extension, and Pro is active immediately. No credit card, no login, no email. It just works.
We haven't seen it. PhishClean runs its checks once when a page finishes loading — it's a quick pass through the DOM, not a persistent background process. There are no network requests involved in detection (everything is local), so there's nothing to add latency. On a typical page it finishes in low single-digit milliseconds.
No. We maintain a built-in list of 60+ trusted domains — Google, GitHub, Amazon, Microsoft, major banks, payment processors, identity providers — and those skip detection entirely. You can also add your own domains to the whitelist if you use internal tools or staging environments that you trust.
PhishClean is available on the Chrome Web Store, Firefox Add-ons, and Edge Add-ons. Any Chromium-based browser — Brave, Vivaldi, Arc — can also install it from the Chrome Web Store.
PhishClean is a freemium product — you can use the free tier indefinitely before deciding to upgrade, and the 3-day Pro trial doesn't require a credit card. Because you get to try everything before paying, all sales are final. If something isn't working right, reach out to support@phishclean.com and we'll help.
Have a question about PhishClean, need support, or want to report a bug? We'd love to hear from you.
You can also reach us directly at support@phishclean.com