Kevin

QRTrust: Privacy-First QR Scanner with Phishing Detection

QR codes are everywhere, including restaurants, events, payments, and marketing materials. They have become endemic since the end of the COVID lockdowns. But have you ever wondered where that QR code is actually taking you before scanning it? That's the problem I set out to solve with QRTrust, a privacy-focused Progressive Web App that scans QR codes and checks URLs for phishing threats before you visit them!

Quishing

Many of us have heard about phishing, where websites and emails are created that pretend to be a real service or person. Quishing is similar, except with QR codes, and it's a growing problem worldwide, including where I live. People post QR codes pretending to be a service letting you pay for parking, order food, or pay for fuel, but instead they are collecting your information for scams and identity theft.

How QRTrust Works

QRTrust provides a simple, privacy-first solution:

  1. Scan QR codes using your device's camera
  2. Check URLs against PhishTank's community-driven phishing database. QRTrust does not log addresses from users, and it is fully open source so you can verify! Plus, if you want a private instance, the whole thing can deploy to Netlify with a few commands. Check out the link to GitHub at the bottom of this article.
  3. Get clear feedback: Safe ✅, Suspicious ⚠️, or Unknown ❓
  4. Make informed decisions with detailed warnings and safe browsing options. QRTrust does not immediately navigate to the linked website; it lets you choose. You'll get presented with the full, human-readable URL as well as what we found on PhishTank.

It's also a progressive web app, which means you can install it on any device you please, with no app store required.

Try it live: qrtrust.fyi
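
The scan, check, and feedback steps above, sketched as an added example (this is not QRTrust's own code). The `lookup` function, its `{ listed }` result shape, the treatment of non-URL payloads as Unknown, and the sample URLs are assumptions constructed for illustration; the point it shows is that a failed or malformed lookup yields Unknown, never Safe.

```javascript
// Added example: verdict logic for a scanned QR payload (not QRTrust's code).
// ASSUMPTION: `lookup(url)` is a hypothetical async function that asks the
// phishing-database proxy about a URL and resolves to { listed: boolean }.

const VERDICT = Object.freeze({ SAFE: 'safe', SUSPICIOUS: 'suspicious', UNKNOWN: 'unknown' });

// Return a parsed http(s) URL, or null if the QR payload is not a web link
// (Wi-Fi credentials, plain text, javascript: and other schemes).
function parseScannedUrl(text) {
  try {
    const url = new URL(String(text).trim());
    return url.protocol === 'http:' || url.protocol === 'https:' ? url : null;
  } catch {
    return null;
  }
}

// Map a lookup outcome to a verdict. Anything other than an explicit
// boolean answer is UNKNOWN, so an outage never reads as "safe".
function verdictFor(outcome) {
  if (!outcome || typeof outcome.listed !== 'boolean') return VERDICT.UNKNOWN;
  return outcome.listed ? VERDICT.SUSPICIOUS : VERDICT.SAFE;
}

// Full flow: parse, look up, classify. It never navigates; the caller shows
// `displayUrl` with the verdict and lets the user decide.
async function assessQrPayload(text, lookup) {
  const url = parseScannedUrl(text);
  if (!url) return { verdict: VERDICT.UNKNOWN, displayUrl: null, reason: 'not an http(s) URL' };
  let outcome = null;
  try {
    outcome = await lookup(url.href);
  } catch {
    // Proxy or database unreachable: outcome stays null, verdict is UNKNOWN.
  }
  return { verdict: verdictFor(outcome), displayUrl: url.href, host: url.hostname };
}

// Constructed sample data standing in for the phishing database.
const LISTED = new Set(['http://pay-parking.example/login']);
const fakeLookup = async (href) => ({ listed: LISTED.has(href) });
const downLookup = async () => { throw new Error('503 from proxy'); };
```
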

Architecture & Technology Stack

Frontend Technologies

  • CSS3 with Custom Properties - Modern styling with gradients and animations
  • HTML5 - Semantic markup and PWA manifest
  • Vite - Fast build tool and development server

Core Libraries

Backend & API

  • Netlify Functions - Serverless functions for CORS proxy. This is necessary because PhishTank does not allow websites to make client-side requests. This made it simple to check URLs without worrying much about the backend.
  • PhishTank API - Community-driven phishing URL database

Progressive Web App Features

  • Web App Manifest - Native app-like installation. Launch it right from your homescreen, and I don't have to worry about submitting to app stores.
  • Responsive Design - Works on Android and iOS.

Open Source

Check out the code on GitHub!

kevinl95 / qrtrust

Privacy-focused PWA for checking if QR codes lead to known phishing sites

QRTrust

A privacy-focused Progressive Web App (PWA) that scans QR codes and checks if they lead to known phishing sites before you visit them.

🚀 Features

  • Real-time QR Code Scanning - Uses your device's camera to scan QR codes
  • Phishing Detection - Checks URLs against PhishTank's database of known phishing sites
  • Privacy-First - No URLs or personal data are logged
  • Progressive Web App - Install on your device like a native app
  • Mobile-Optimized - Responsive design for all devices
  • Security-Focused - Clear warnings and safe browsing recommendations

🔍 How It Works

  1. Scan QR Code - Point your camera at any QR code
  2. URL Analysis - The app extracts the URL and checks it against PhishTank's database
  3. Safety Assessment - Get instant feedback
    • Safe - URL appears clean, safe to visit
    • ⚠️ Suspicious - URL found in phishing database
    • Unknown - Unable to verify (service unavailable)
  4. Informed Decision -…
